Kraken says that a problem that could have drained about $3 million has been repaired

  • A problem was revealed that allowed anyone to start a deposit on the cryptocurrency exchange Kraken and receive the money without completing the deposit.
  • Before the problem could be patched, it was used to take $3 million from Kraken’s treasury, according to the company’s chief security officer.

Kraken revealed that around $3 million was removed from its wallets through the exploitation of a bug that has since been fixed.

According to Nick Percoco, Chief Security Officer of Kraken, the cryptocurrency exchange received a bug bounty program report on June 9 alerting it to a highly serious problem that would have allowed an attacker to artificially increase their balance on the platform.

Although the submission lacked details, Percoco said he had investigated the matter and found a single bug that would have allowed a malicious attacker to start a deposit on the platform and have money credited to their account without completing the deposit. He pointed out that this applied only in certain situations.

Percoco stated that no client assets were in danger. The fault originated from a recent UX update that credited clients’ accounts before asset deposits had completely cleared. This defect allowed a malicious attacker to temporarily print assets in a client’s Kraken account.

Exploited before the bounty report was filed

Within a few hours, the bug was addressed completely, according to Percoco. But, he added, a follow-up inquiry showed that it had already been used fraudulently by three accounts in the space of a few days.

According to Percoco, one of the accounts was KYC’d to the person who found the problem and claimed to be a security researcher. That person allegedly used the bug to credit their account with $4, which was enough to validate the error, submit a bug bounty report, and get a substantial payout.

According to Percoco, Kraken asked for a complete report on their actions as well as the return of the money. But the researchers supposedly would not return any money until Kraken revealed the possible scope of the vulnerability had they not disclosed the problem. As Percoco put it, this is extortion, not white-hat hacking.

According to Percoco, the researchers accused the cryptocurrency exchange of making irrational and unprofessional requests. Kraken promised not to reveal the identity of the research organization involved, but said it would handle the matter as a criminal case because its bug bounty conditions had been violated.

Percoco said Kraken will not reveal the research company, which he said doesn’t deserve to be known because of what it has done, and that Kraken is working with law enforcement agencies in accordance with its treatment of this as a criminal case.

Author: Puskar Pande