Top Exchange Kraken Discovers “Extremely Critical” Bug
Major cryptocurrency exchange Kraken has discovered a critical bug that effectively allowed the printing of free money.
In spite of the bug’s severity, the exchange says that no clients' assets were actually at risk.
The global cryptocurrency trading platform was notified about the vulnerability by a security researcher via email.
Despite routinely dealing with fake bug bounty reports, the exchange says that it treated that particular alert seriously, with its team quickly digging into the issue.
Kraken's team ended up discovering a bug that allowed bad actors to initiate a deposit onto Kraken and receive funds in their account without completing the deposit.
A bad actor could print assets out of thin air on Kraken, according to Nick Percoco, Kraken’s chief security officer. This was due to a recent UX change that would credit accounts before their assets cleared.
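The mechanism described above, a deposit being credited to a spendable balance before it has cleared, can be illustrated with a small ledger model. This is an added example written for this article, not Kraken's code, and every name in it (the `Ledger` class, `credit_on_pending`, the amounts) is an assumption constructed for illustration. It contrasts a ledger that credits on initiation with one that holds the amount as pending until settlement confirms it, and shows why only the second one can refuse a withdrawal of uncleared funds.

```python
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"
    CLEARED = "cleared"
    FAILED = "failed"


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int  # smallest unit of the asset (constructed example values)
    state: DepositState = DepositState.PENDING


@dataclass
class Ledger:
    # True models the weak behaviour (spendable credit on initiation);
    # False models the corrected behaviour (credit only once cleared).
    credit_on_pending: bool
    available: dict = field(default_factory=dict)  # spendable balances
    pending: dict = field(default_factory=dict)    # uncleared deposits
    deposits: dict = field(default_factory=dict)

    def initiate_deposit(self, deposit_id: str, account: str, amount: int) -> Deposit:
        """Record a deposit that the user has started but that has not settled."""
        dep = Deposit(deposit_id, account, amount)
        self.deposits[deposit_id] = dep
        bucket = self.available if self.credit_on_pending else self.pending
        bucket[account] = bucket.get(account, 0) + amount
        return dep

    def settle_deposit(self, deposit_id: str, confirmed: bool) -> DepositState:
        """Apply the settlement result: move pending funds to available, or drop them."""
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.PENDING:
            raise ValueError("deposit already settled")
        if confirmed:
            dep.state = DepositState.CLEARED
            if not self.credit_on_pending:
                self.pending[dep.account] -= dep.amount
                self.available[dep.account] = self.available.get(dep.account, 0) + dep.amount
        else:
            dep.state = DepositState.FAILED
            if self.credit_on_pending:
                # Reversal of an already-spendable credit: if the funds were
                # withdrawn in the meantime, the balance goes negative and the
                # exchange, not the user, carries the loss.
                self.available[dep.account] -= dep.amount
            else:
                self.pending[dep.account] -= dep.amount
        return dep.state

    def withdraw(self, account: str, amount: int) -> bool:
        """Withdrawals draw only on the available (cleared) balance."""
        if self.available.get(account, 0) >= amount:
            self.available[account] -= amount
            return True
        return False


def demo() -> tuple:
    """Run the same sequence against both ledgers and return the outcomes."""
    # Weak ledger: initiate, withdraw immediately, then the deposit never clears.
    weak = Ledger(credit_on_pending=True)
    weak.initiate_deposit("d1", "alice", 1_000)
    weak_withdrawn = weak.withdraw("alice", 1_000)
    weak.settle_deposit("d1", confirmed=False)
    weak_balance = weak.available["alice"]  # negative: the exchange ate the loss

    # Corrected ledger: the withdrawal is refused until the deposit clears.
    fixed = Ledger(credit_on_pending=False)
    fixed.initiate_deposit("d2", "alice", 1_000)
    early_withdrawal = fixed.withdraw("alice", 1_000)
    fixed.settle_deposit("d2", confirmed=True)
    late_withdrawal = fixed.withdraw("alice", 1_000)
    return weak_withdrawn, weak_balance, early_withdrawal, late_withdrawal


if __name__ == "__main__":
    print(demo())  # (True, -1000, False, True)
```

The useful control here is structural rather than a single check: pending and available balances are separate buckets, and the only path from one to the other is a confirmed settlement. A monitoring query over such a ledger that flags accounts whose available balance went negative after a failed settlement would also have surfaced the abuse described in this article quickly.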
Money-printing spree
A total of three accounts managed to take advantage of the bug, according to Percoco. One of them belonged to the security researcher who originally discovered the bug and generated $4 in crypto in order to prove it. However, instead of reporting the bug and collecting a reward from Kraken, the researcher disclosed the bug to two other individuals, who printed millions of dollars worth of crypto and withdrew $3 million from Kraken's treasuries.
"The initial Bug Bounty report did not fully disclose this transaction information, so we contacted the security researchers to confirm some details to progress with rewarding them for successfully identifying a security flaw on our platform," Percoco added.
"It's extortion"
After being contacted by Kraken's team, the security researchers refused to return the money they had withdrawn. Instead, they demanded a call with Kraken's sales representatives and a payment based on a speculative estimate of the losses the bug could have caused.
Kraken has accused the security company of "extortion," adding that it is treating this as a criminal case.
"We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly," Percoco added.