CertiK reveals details of vulnerability at cryptocurrency exchange Kraken, rejects extortion accusations

WBOY
Release: 2024-06-20 14:48:01

Blockchain security company CertiK recently revealed a serious vulnerability it discovered in cryptocurrency exchange Kraken and the ensuing controversy. Meanwhile, CertiK has firmly denied Kraken’s extortion accusations and said it would return funds used for testing.

Discovery of vulnerabilities and measures taken

CertiK said its researchers discovered a vulnerability in Kraken's deposit system on June 5 that could allow malicious actors to fake deposit transactions and withdraw fake funds. CertiK immediately launched an in-depth investigation and a series of tests to verify the actual risk of the vulnerability.

CertiK’s tests revealed a startling result: millions of dollars could be deposited into any Kraken account, and over $1 million worth of counterfeit cryptocurrency could be withdrawn and converted into valid currency. During several days of testing, these actions did not trigger any alerts. Kraken did not respond to the incident until days later and locked the test account.

Disputes and losses

Although CertiK and Kraken initially communicated successfully and took steps to fix the vulnerability, the situation subsequently worsened. On June 18, Kraken was accused of threatening CertiK employees and demanding repayment of “unmatched” amounts within an unreasonable timeframe, without providing the relevant wallet addresses.

Kraken chief security officer Nick Percoco revealed on June 19 that nearly $3 million was lost from its wallet due to the vulnerability. He noted that on June 9, Kraken received an anonymous tip from a “security researcher” that revealed a serious vulnerability in the funding system. Kraken discovered that three accounts had exploited this vulnerability within a short period of time.

CertiK’s Response and Refund Plan

CertiK has denied Kraken’s extortion accusations and said that because Kraken failed to provide a repayment address and the requested amounts did not match, CertiK will transfer the funds back to an account that Kraken has access to based on records. CertiK emphasized that the funds were intended for "white hat testing."

Kraken accuses CertiK of acting unethically, and allegedly criminally, because CertiK refused Kraken's request to return funds and provide data. Instead, CertiK arranged a meeting with Kraken to discuss determining the reward amount based on potential losses from non-disclosure.

Conclusion

The incident not only highlighted the security weaknesses of cryptocurrency exchanges, but also sparked discussions about the ethical and legal boundaries of security research.

The dispute between CertiK and Kraken could have long-lasting consequences for trust and cooperation in the blockchain security space. As legal and ethical issues become clearer, developments in this incident will continue to be closely watched both within and outside the industry.

source:finacerun.com