CertiK Researchers Linked to Kraken’s $3 Million Attack

The platform tried to recover the funds immediately but resorted to enforcement, citing a case of extortion.

Kraken exchange's recent $3 million bug attack has been linked to smart contract auditing firm CertiK, which confirmed the association. CertiK's researchers say they discovered a series of critical vulnerabilities that could potentially have led to hundreds of millions of dollars in losses.

Following the discovery, the researchers took the initiative to explore the vulnerability, driven by three questions:

  • Can a malicious actor fabricate a deposit transaction to a Kraken account?
  • Can a malicious actor withdraw fabricated funds?
  • What risk controls and asset protection might trigger from a large withdrawal request?

According to CertiK, the trading platform failed all the tests, which led it to conclude that Kraken's “defense in-depth system is compromised on multiple fronts.”

“According to our testing result: The Kraken exchange failed all these tests, indicating that Kraken's defense-in-depth system is compromised on multiple fronts. Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident,” read the report as highlighted in a post.

CertiK presented these findings to Kraken Exchange, whose security team classified them as “critical,” the most serious classification level at the trading platform. Unfortunately, it all culminated in a case that required the involvement of law enforcement.

“Kraken's security operation team threatened individual CertiK employees to repay a mismatched amount of crypto in an unreasonable time even without providing repayment addresses. The verbal reached during our meeting was not confirmed afterward. Ultimately, they publicly accused us of theft and even directly threatened our employees, which is completely unacceptable,” CertiK told BeInCrypto.

CertiK has urged Kraken to stop threatening its staff, whom it describes as “Whitehat hackers.” The smart contract auditor says it has disclosed all of its test deposits and has moved all funds to an account accessible to Kraken.

Judged

Despite CertiK's efforts to shed light on the matter, the crypto community has criticized the researchers, calling them out for malpractice. One user observes that “the sentiment around this story would have been more positive if resolved friendly with Kraken and posted about it after.”

Developer Uttam Singh's summary ridiculed several aspects of the case that tilt it further against CertiK. He highlights the fact that the researchers performed multiple transactions and that they waited five days before disclosure.

According to Cyvers CTO Meir Dolev, a CertiK-associated address created a contract on the Layer-2 network Base on May 24. This cast doubt on CertiK's claim that the vulnerability was discovered on June 5. Reportedly, the address was also testing and Coinbase to see whether they had the same vulnerability as Kraken.

Based on the community reaction, the general sentiment is that the activity was not whitehat security research, with social media posts citing on-chain evidence. Nevertheless, this did not derail CertiK's Series B3 financing round, which raised $88 million.

Among the leaders in the round are Insight Partners, Tiger Global, and Advent International. Goldman Sachs, Sequoia, and Lightspeed Venture Partners also participated. Notably, it marked CertiK's fourth round of capital raised in nine months, totaling $230 million.
