Crypto security company CertiK finds major vulnerabilities in Kraken

CertiK, one of the companies providing services on blockchain security, claimed that it detected major vulnerabilities in the US-based exchange Kraken, which could lead to losses of hundreds of millions of dollars. CertiK stated that the vulnerabilities were shared with Kraken’s relevant unit and that the unit accepted these errors and vulnerabilities. Kraken announced that the bug was fixed shortly after it was discovered, but CertiK claimed that its employees also stole millions of dollars from the exchange.

CertiK, known for its security work, especially in decentralized finance and smart contracts, announced that it has identified major vulnerabilities in Kraken, a centralized exchange.

“Fake crypto can be withdrawn as real”

CertiK said it first noticed some errors related to investment transactions on Kraken, and that further digging turned up other, more serious vulnerabilities:

“In Kraken’s deposit system, we found that some differences could not be distinguished and we deepened our research further. We conducted our research around 3 questions.

  • Can a malicious person make cryptocurrencies that are not in a Kraken account appear to be deposited there?
  • Could the same person withdraw these unreal funds from the exchange as if they were real?
  • What asset protection systems does Kraken put in place in the event of a large withdrawal request?

In our testing, we found that Kraken failed none of these tests. We found that Kraken’s defense mechanisms can be bypassed in a number of places. As a result, millions of dollars of post-produced, non-genuine crypto can be deposited into any account on Kraken, converted into real crypto, and withdrawn from the account.”

“They closed accounts and threatened”

CertiK’s statement did not stop there. The company said it gave Kraken the necessary warnings, but that after those warnings its accounts were closed and it was asked to pay back the withdrawn cryptocurrencies within an unreasonable period of time:

“After providing Kraken with the necessary information, the company’s security unit marked the issue as ‘Critical’, which is their highest level security classification. After some well-intentioned conversations, they threatened our employees with the repayment of the withdrawn cryptocurrencies, which did not even match the real ones. Although they demanded payment, they didn’t even send an address.”

Finally, CertiK stated that it will continue to work for the crypto world and the Web3 community and said, “We warn Kraken to end the threats it sends to hackers who have good intentions.”

Statement from Kraken: They stole $3 million

Kraken’s chief security officer Nick Percoco, for his part, issued a statement on the matter on X. He said that after the problem was reported the teams acted quickly and the vulnerabilities were closed, and that the people describing themselves as security researchers stole $3 million from Kraken:

“This security researcher initially withdrew $4 from the account and proved the bug. In fact, this was enough for the vulnerability to be seen. This person could have received a significant amount of money after reporting the bug to our rewards team.
But he also told two other people about the vulnerability. They withdrew $3 million from Kraken. That money belonged to Kraken, not the customers. The initial report didn’t have details about this transaction. We asked them for the full report, and again they did not respond. This is not a bona fide hacker situation, this is extortion.”