On June 9, 2024, Kraken, a prominent cryptocurrency exchange, received an alarming Bug Bounty report. The report, submitted by a security researcher, claimed to have discovered an “extremely critical” bug that allowed balance inflation. However, what initially seemed like a routine vulnerability report quickly turned into an extortion attempt.
While investigating the bug report, a team led by Nick Percoco, Kraken’s Chief Security Officer, identified a $3 million exploit. The executive addressed the whole situation in a thread on X (formerly Twitter) posted on June 19.
Notably, the investigation revealed that three accounts had exploited the reported flaw within days of each other. One account belonged to an individual who claimed to be a security researcher. Essentially, this person discovered and leveraged the bug to credit their account with $4 in crypto.
Percoco described that as sufficient to prove the flaw and collect a substantial reward through Kraken’s Bug Bounty program. However, things escalated quickly once the team noticed the other two accounts, which allegedly benefited from the first person’s disclosure.
“Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.”
– Nick Percoco
From a bug report to an extortion attempt
When Kraken requested a full account of their activities and the return of the withdrawn funds, the security researchers refused and demanded a call with Kraken’s business development team, engaging in what Percoco described as extortion.
Moreover, the Chief Security Officer explained that Kraken’s Bug Bounty program, in place for nearly a decade, has clear rules. In particular:
“Do not exploit more than necessary to prove the vulnerability, provide a proof of concept, and immediately return any extracted funds.”
According to the exchange’s executive, legitimate researchers have never faced issues with Kraken, which has always been responsive.
In the interest of transparency, the company disclosed the bug to the industry and is treating the incident as a criminal case, coordinating with law enforcement agencies. The exchange emphasized that ignoring bug bounty program rules and attempting to extort the company revokes a researcher’s “license to hack” and makes them criminals.
Kraken’s bug investigation
Furthermore, Nick Percoco revealed that the exchange regularly receives fake bug bounty reports. Nevertheless, Kraken treated this report seriously and promptly assembled a team to investigate. Within minutes, they discovered an isolated bug that, under specific circumstances, allowed a malicious attacker to initiate a deposit and receive funds without fully completing the transaction.
“To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.”
– Nick Percoco
Kraken’s team mitigated the issue within an hour and 47 minutes, as reported by Percoco. The vulnerability was completely fixed within a few hours, ensuring it could not reoccur. The flaw stemmed from a recent user experience (UX) change that credited client accounts before their assets cleared, enabling real-time trading.
“This change was not thoroughly tested against the specific attack vector.”
– Nick Percoco
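As an added illustration (not Kraken’s code, and not a description of their actual system), the following hypothetical ledger contrasts the flawed flow described above, where a deposit is credited to the withdrawable balance as soon as it is initiated, with a hardened flow that keeps the early credit in a separate pending balance that only becomes withdrawable once the deposit settles. User names and amounts are constructed.

```python
from dataclasses import dataclass

@dataclass
class Account:
    settled: int = 0  # cleared funds (minor units): the only withdrawable balance
    pending: int = 0  # credited early so the client can trade, never withdrawable

class Ledger:
    # credit_before_clearing=True models the flawed flow (balance credited when a
    # deposit is initiated); False models the hardened flow (credited on settlement).
    def __init__(self, credit_before_clearing: bool) -> None:
        self.credit_before_clearing = credit_before_clearing
        self.accounts: dict[str, Account] = {}
        self.deposits: dict[str, tuple[str, int]] = {}  # dep_id -> (user, amount)

    def initiate_deposit(self, dep_id: str, user: str, amount: int) -> None:
        acct = self.accounts.setdefault(user, Account())
        if self.credit_before_clearing:
            acct.settled += amount  # flaw: spendable before the assets clear
        else:
            acct.pending += amount  # visible for trading, not for withdrawal
        self.deposits[dep_id] = (user, amount)

    def settle_deposit(self, dep_id: str) -> None:
        user, amount = self.deposits.pop(dep_id)
        if not self.credit_before_clearing:  # flawed flow already credited it
            self.accounts[user].pending -= amount
            self.accounts[user].settled += amount

    def fail_deposit(self, dep_id: str) -> None:
        user, amount = self.deposits.pop(dep_id)
        if self.credit_before_clearing:
            self.accounts[user].settled -= amount  # may go negative: treasury loss
        else:
            self.accounts[user].pending -= amount

    def withdraw(self, user: str, amount: int) -> bool:
        acct = self.accounts.setdefault(user, Account())
        if amount > acct.settled:  # pending funds never count here
            return False
        acct.settled -= amount
        return True

def uncompleted_deposit_then_withdraw(credit_before_clearing: bool) -> tuple[bool, int]:
    # Deposit never completes; try to withdraw it. Returns (withdrew?, final settled).
    ledger = Ledger(credit_before_clearing)
    ledger.initiate_deposit("dep-1", "alice", 100_00)
    ok = ledger.withdraw("alice", 100_00)
    ledger.fail_deposit("dep-1")
    return ok, ledger.accounts["alice"].settled
```

In the flawed mode the uncompleted deposit is withdrawn and the account ends negative, which is the loss the treasury absorbs; in the hardened mode the withdrawal is refused until settlement.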
Despite this isolated experience, Kraken remains committed to its Bug Bounty program, recognizing its importance in enhancing the overall security of the crypto ecosystem. The exchange looks forward to working with good-faith actors in the future while taking a stand against unethical behavior.