Kraken and Certik are in a heated dispute over a critical platform vulnerability that may involve financial losses and has prompted accusations from both parties, including threats and theft.
In a post published on X today, June 20, 2024, Certik denied Kraken’s allegations, framing its involvement in the whole fiasco as a white hat operation. The firm claimed no user assets were involved, stating that all the cryptocurrency used was minted out of thin air, and that it maintained consistent communication with Kraken.
The dispute, as narrated by Kraken’s Chief Security Officer, Nick Percoco, began on June 9. He detailed the Kraken side of the story in a series of posts on X on June 19, 2024.
Percoco claimed the exchange had received a bug bounty alert for a flaw that could have allowed attackers to “print assets” in their Kraken accounts. He added that his team addressed the issue within 47 minutes of receiving the alert and fully resolved it within a few hours. However, they discovered that $3 million had been withdrawn from their treasury, and one of the exploiting accounts was KYC-verified and belonged to the entity that flagged the issue.
Percoco noted that Kraken requested a full account of activities from the entity, which refused to cooperate, so the team had to involve law enforcement.
A few hours after Percoco’s revelation, Certik identified themselves as the party that reported the vulnerability and withdrew funds using the bug.
They claimed Kraken responded to the issue days after it was reported and even threatened their employees.
Certik also claimed that the exchange demanded repayment of a “MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”
In their latest statement, Certik stated that it returned $2.8 million in funds (734 ETH, 29,000 USDT, and 1,021 XMR), while Kraken demands $2.882 million (155,818 MATIC, 907,400 USDT, 476 ETH, and 1,090 XMR).
Certik’s recent statement also contained a follow-up FAQ describing their involvement as a “white hat operation.” According to the firm, they conducted a five-day series of tests to assess Kraken’s protection and risk controls and reported the vulnerability they found to the exchange.
Certik also shared a detailed timeline and list of associated transactions and emphasized that they never requested a bounty, a claim initially made by Kraken. They urged Kraken to stop any threats against their team.
As of press time, Kraken has not issued an official statement or communicated regarding the issue.