The recent conflict between CertiK and Kraken has brought to light critical issues, which center around a security bug exploit that resulted in the unauthorized withdrawal of approximately $3 million from Kraken’s treasury by a research team from CertiK.
Both parties have presented contrasting narratives, raising significant questions about the nature of ethical hacking, communication protocols, and the appropriate handling of discovered vulnerabilities.
Kraken recently experienced a loss of about $3 million due to a bug exploit by a security research team that initially reported the bug. Kraken’s Chief Security Officer, Nicholas Percoco, accused the team of extortion, claiming they demanded a reward for the stolen funds and refused to return them unless Kraken agreed to pay a speculative amount for potential damages.
Kraken Security Update:
On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five) June 19, 2024
According to Percoco, the bug, first reported on June 9, allowed the research team to withdraw over $3 million from Kraken’s treasury. The team exploited the bug even after having alerted Kraken to the critical security flaw.
Kraken confirmed that the stolen assets came from their treasury and assured users that their funds were safe. Furthermore, the exchange is collaborating with law enforcement to recover the stolen funds.
Percoco continued that one of the accounts involved in the exploit completed Know Your Customer (KYC) verification. The suspected research team initially demonstrated the bug with
Read more on cryptonews.com