CertiK, Kraken Reach Resolution in Bug Bounty Saga

Blockchain security firm CertiK returns $3 million in disputed funds to Kraken after a public dispute over bug bounty ethics.

The saga surrounding CertiK's security practices and its interaction with Kraken appears to have reached a resolution. After the two sides traded accusations in a very public spat in recent weeks, both parties have confirmed the return of the disputed funds.

CertiK: White Hat or Black Sheep?
The security firm faces accusations of extortion after exploiting a vulnerability in Kraken, a major cryptocurrency exchange. CertiK allegedly demanded a ransom for the return of stolen funds instead of following responsible disclosure procedures.

According to Kraken chief security officer Nicholas Percoco, who posted on Twitter/X on Thursday, the stolen digital assets have been returned "minus a small amount lost to fees."

The controversy erupted when CertiK allegedly exploited a vulnerability in Kraken's system, moving nearly $3 million worth of crypto out of Kraken's treasury. This action sparked outrage within the crypto community, as it deviated from responsible disclosure practices. Responsible disclosure involves notifying the affected party (Kraken, in this case) of the vulnerability and working with them to fix it, rather than exploiting it.

CertiK defended its actions by claiming it was acting as a white hat hacker. The firm asserted that it informed Kraken of the vulnerability details via email and video meetings, and that Kraken confirmed fixing the issue within a short timeframe. Additionally, CertiK claims the funds it withdrew were "created out of thin air" and did not involve any real user assets.

Kraken vehemently disputed CertiK's claims. They stated that CertiK initially downplayed their involvement and that only one individual, presumed to be a CertiK employee, submitted a legitimate bug bounty report for a small amount. Two other accounts associated with CertiK then allegedly exploited the flaw to withdraw the much larger sum of nearly $3 million.

Furthermore, Kraken claims that the initial bug report only mentioned a $4 exploit and did not disclose the full extent of CertiK's activities. They allege that CertiK refused to cooperate fully with the investigation and demanded a specific reward amount before returning the funds.