Kraken Reveals $3 Million Exploit Due to Bug, Now Resolved


Kraken disclosed a bug that let anyone initiate a deposit to the platform and receive the funds without completing it.

Leading crypto exchange Kraken has revealed that it fell victim to a bug-related exploit that resulted in approximately $3 million in losses. The announcement came as part of Kraken's stated commitment to transparency and user security.

According to Kraken's Chief Security Officer, Nick Percoco, the exchange received an alert through its bug bounty program on June 9. The alert identified an "extremely critical" bug that could allow attackers to artificially inflate their platform balance.

Percoco stated that although the submission lacked specifics, the team investigated the issue and found an isolated bug that allowed a malicious attacker to initiate a deposit on the platform and receive funds in their account without completing the deposit process. He noted that the exploit could only occur under specific circumstances.

The chief security officer explained that, while no client assets were at risk, the bug stemmed from a flaw in a recent UX change that credited clients' accounts before their asset deposits had fully cleared, which allowed a malicious attacker to effectively "print assets" in their Kraken account for some time.
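The credit-before-clearing flaw described above, reduced to a toy ledger in Python. This is an added illustration, not Kraken's code, and it assumes nothing about Kraken's real implementation: the class names, the deposit states and the "attacker" and "client" accounts are invented for the example. It puts the flawed credit-on-initiate pattern beside a credit-on-settlement pattern, in which an initiated deposit only raises a pending amount and becomes withdrawable once the transfer is confirmed as settled.

```python
"""Deposit ledger toy: credit-on-initiate (the flaw) vs credit-on-settlement.

Illustrative only; not Kraken's code. Names and states are invented."""
from dataclasses import dataclass
from decimal import Decimal
from itertools import count


class InsufficientFunds(Exception):
    """Raised when a withdrawal exceeds the settled (available) balance."""


@dataclass
class Account:
    available: Decimal = Decimal(0)  # settled funds the client may withdraw
    pending: Decimal = Decimal(0)    # deposits announced but not yet cleared


class Ledger:
    """Shared bookkeeping; subclasses decide *when* a deposit becomes available."""

    def __init__(self):
        self.accounts = {}
        self.deposits = {}           # dep_id -> (account, amount, state)
        self._ids = count(1)

    def account(self, name):
        return self.accounts.setdefault(name, Account())

    def _new_deposit(self, name, amount):
        dep_id = next(self._ids)
        self.deposits[dep_id] = (name, amount, "initiated")
        return dep_id

    def withdraw(self, name, amount):
        amount = Decimal(amount)
        acct = self.account(name)
        if acct.available < amount:  # pending funds must never count here
            raise InsufficientFunds(f"{name}: {acct.available} < {amount}")
        acct.available -= amount
        return acct.available


class CreditOnInitiateLedger(Ledger):
    """Flawed pattern: balance credited when the deposit is initiated."""

    def initiate_deposit(self, name, amount):
        amount = Decimal(amount)
        dep_id = self._new_deposit(name, amount)
        self.account(name).available += amount  # BUG: credited before clearing
        return dep_id

    def settle_deposit(self, dep_id):
        name, amount, _ = self.deposits[dep_id]
        self.deposits[dep_id] = (name, amount, "settled")  # nothing else to do

    def abandon_deposit(self, dep_id):
        name, amount, _ = self.deposits[dep_id]
        self.deposits[dep_id] = (name, amount, "abandoned")  # credit remains!


class CreditOnSettlementLedger(Ledger):
    """Hardened pattern: initiation records a pending amount only; the
    available balance moves exactly once, when the transfer is settled."""

    def initiate_deposit(self, name, amount):
        amount = Decimal(amount)
        dep_id = self._new_deposit(name, amount)
        self.account(name).pending += amount  # visible in the UX, not spendable
        return dep_id

    def _take_initiated(self, dep_id):
        name, amount, state = self.deposits[dep_id]
        if state != "initiated":  # blocks double-settlement / settle-after-abandon
            raise ValueError(f"deposit {dep_id} already {state}")
        return name, amount

    def settle_deposit(self, dep_id):
        name, amount = self._take_initiated(dep_id)
        acct = self.account(name)
        acct.pending -= amount
        acct.available += amount
        self.deposits[dep_id] = (name, amount, "settled")

    def abandon_deposit(self, dep_id):
        name, amount = self._take_initiated(dep_id)
        self.account(name).pending -= amount
        self.deposits[dep_id] = (name, amount, "abandoned")


def withdraw_after_unfinished_deposit(ledger_cls, amount="100"):
    """Model the reported abuse: initiate a deposit, never complete it, then try
    to withdraw the same amount. True means assets were effectively 'printed'."""
    ledger = ledger_cls()
    dep_id = ledger.initiate_deposit("attacker", amount)
    ledger.abandon_deposit(dep_id)  # the asset transfer never clears
    try:
        ledger.withdraw("attacker", amount)
        return True
    except InsufficientFunds:
        return False


def withdraw_after_settled_deposit(ledger_cls, amount="100"):
    """Legitimate flow: the deposit clears, then the full amount is withdrawable."""
    ledger = ledger_cls()
    dep_id = ledger.initiate_deposit("client", amount)
    ledger.settle_deposit(dep_id)
    return ledger.withdraw("client", amount)  # remaining available balance


if __name__ == "__main__":
    for cls in (CreditOnInitiateLedger, CreditOnSettlementLedger):
        print(cls.__name__, "unfinished deposit withdrawn:",
              withdraw_after_unfinished_deposit(cls))
```

The point of the hardened class is that the only code path that increases `available` is `settle_deposit`, and it is guarded by the deposit's state, so an initiated-but-unconfirmed deposit can be displayed as pending without ever becoming withdrawable.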

Investigation of the Exploit 

According to Percoco, the bug was fully fixed within a few hours. However, a subsequent investigation revealed that three accounts had already exploited it within a few days of each other.

Furthermore, the Kraken executive revealed that one of the accounts was linked to the individual who discovered the bug and identified themselves as a "security researcher." That individual used the bug to credit their account with $4, enough to demonstrate the flaw, file a bug bounty report, and claim a substantial reward. However, Kraken's CSO alleged that the researcher shared the bug with two associates, who then withdrew nearly $3 million from their Kraken accounts.

Percoco stated that Kraken requested a complete account of the researchers' activities and the return of the funds. However, the researchers allegedly refused to return any money until Kraken disclosed what the exploit could have cost had it not been reported. "This is not white-hat hacking; it is extortion," he said.

He then noted that the researchers accused Kraken of being "unreasonable" and "unprofessional" in its requests. The security officer added that, while Kraken would not disclose the name of the research firm involved, it would treat the matter as a criminal case because of the breach of its bug bounty terms.

Exploit on Several Exchanges 

Kraken is not the only crypto platform to have been attacked. On March 30, 2024, the DeFi protocol Prisma Finance fell victim to a $10 million exploit, and on April 20, 2024, Hedgey Finance, a decentralized finance and on-chain token vesting platform, was hacked for approximately $44.7 million in cryptocurrencies after malicious actors exploited security bugs in its token contracts on two blockchains.