Blockchain security firm CertiK has confirmed its involvement in a bug exploit that led to the unauthorized withdrawal of $3 million worth of tokens from the Kraken crypto exchange.
On June 19, CertiK announced it had identified several critical vulnerabilities in Krakenβs exchange that could potentially lead to significant financial losses. According to CertiK, the issue was first discovered on June 5, and Kraken’s defense systems were compromised on multiple fronts. Notably, CertiK managed to bypass the exchangeβs withdrawal risk controls without triggering any alerts.
A huge amount of fabricated crypto (worth more than $1 million) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.
Upon discovering these flaws, CertiK informed Kraken, whose security team classified the issue as critical. However, after the exploit was identified and rectified, CertiK alleges that Krakenβs security operations team threatened individual CertiK employees, demanding repayment of a mismatched amount of crypto within an unreasonable timeframe.
CertiK urged Kraken to cease any threats against whitehat hackers, asserting its commitment to the web3 community in the spirit of transparency. However, this incident has sparked controversy within the blockchain community, with researchers highlighting discrepancies in CertiKβs timeline and claims.
Cyvers Chief Technology Officer Meir Dolev noted suspicious activity from an address associated with CertiK across multiple blockchain networks weeks before the Kraken incident was reported, raising questions about CertiK’s timeline.
Following the @krakenfx incident, similar activity started on base 26 days ago! The same signature hash is also used on Polygon 14 days ago. So should we believe CertiK’s timeline that they found the vulnerability only on June 5th?
Coinbase director Conor Grogan pointed out that addresses linked to CertiK sent part of the withdrawn crypto to Tornado Cash, a mixing service sanctioned by the U.S. Department of the Treasuryβs Office of Foreign Assets Control (OFAC) for facilitating approximately $7 billion in crypto laundering since 2019. Reports also allege that CertiK-associated addresses sent parts of the withdrawn crypto to ChangeNOW, a non-custodial crypto exchange.
As of this writing, CertiK has not made any public statements on why it interacted with Tornado Cash and ChangeNOW, though it claims to have returned all the withdrawn tokens to Kraken.
Stay informed on the latest cryptocurrency news and updates on Global Crypto News.