Kraken, a major cryptocurrency exchange, recently addressed a severe bug that had been lurking in its system for months, enabling users to “artificially inflate their balance.” This flaw was exposed when a security researcher alerted the platform through its bug bounty program on June 9, describing the issue as an “extremely critical bug.”
Nick Percoco, Kraken's Chief Security Officer, and Alexander Cassells, Communications lead, explained that the bug traced back to a feature implemented in January. It credited a deposit to a user's account before the underlying transaction had actually settled, so a deposit that was initiated but never completed still produced spendable balance, letting a user effectively "print assets" inside their Kraken account.
The exploit is reminiscent of a 2020 incident at the Canadian crypto exchange Coinberry, where users abused instant e-transfers to take roughly $3 million in Bitcoin: the e-transfer was credited on initiation and then cancelled before it cleared, after the Bitcoin had already been withdrawn. The asymmetry is what makes this class of bug so costly. The incoming leg (a fiat transfer or an unconfirmed on-chain deposit) can still be reversed, but the outgoing Bitcoin withdrawal cannot be clawed back, so every reversed deposit becomes a realized loss for the platform.
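The flaw class in both the Kraken and Coinberry passages is a ledger that credits spendable balance on deposit initiation rather than on settlement. The following is an added, illustrative example (not Kraken's or Coinberry's code) that puts a deliberately vulnerable ledger beside a settlement-gated one and drives both through the same attack sequence: deposit, withdraw, then have the deposit fail. The ledger structure, the confirmation threshold and the sample amounts are assumptions made for the demonstration.

```python
"""Illustrative deposit-crediting logic: credit-on-initiation (the bug class
described in the text) beside credit-on-settlement. Added example, not the
exchange's own code; ledger shape, states and thresholds are assumptions."""

from dataclasses import dataclass, field
from enum import Enum, auto


class DepositState(Enum):
    PENDING = auto()    # observed but not settled (e.g. 0 confirmations)
    CONFIRMED = auto()  # settled past the required confirmation depth
    FAILED = auto()     # dropped, reorged out, or cancelled upstream


@dataclass
class Deposit:
    deposit_id: str
    amount: int         # smallest unit (e.g. satoshi); integers avoid float drift
    confirmations: int = 0
    state: DepositState = DepositState.PENDING


REQUIRED_CONFIRMATIONS = 6  # assumed policy value, not a real exchange setting


@dataclass
class Account:
    available: int = 0  # spendable balance
    pending: int = 0    # shown to the user, never spendable
    withdrawn: int = 0
    deposits: dict = field(default_factory=dict)


def _withdraw(acct: Account, amount: int) -> None:
    """Shared withdrawal path: only the spendable balance is checked."""
    if amount > acct.available:
        raise ValueError("insufficient funds")
    acct.available -= amount
    acct.withdrawn += amount


class VulnerableLedger:
    """Credits spendable balance as soon as a deposit is initiated."""

    def initiate_deposit(self, acct: Account, dep: Deposit) -> None:
        acct.deposits[dep.deposit_id] = dep
        acct.available += dep.amount  # BUG: credited before settlement

    def fail_deposit(self, acct: Account, dep_id: str) -> None:
        dep = acct.deposits[dep_id]
        dep.state = DepositState.FAILED
        acct.available -= dep.amount  # too late if the user already withdrew

    withdraw = staticmethod(_withdraw)


class SettledLedger:
    """Credits spendable balance only once the deposit has settled."""

    def initiate_deposit(self, acct: Account, dep: Deposit) -> None:
        acct.deposits[dep.deposit_id] = dep
        acct.pending += dep.amount  # visible to the user, not spendable

    def observe_confirmation(self, acct: Account, dep_id: str, confirmations: int) -> None:
        dep = acct.deposits[dep_id]
        if dep.state is not DepositState.PENDING:
            return  # idempotent: a settled or failed deposit is never re-credited
        dep.confirmations = confirmations
        if confirmations >= REQUIRED_CONFIRMATIONS:
            dep.state = DepositState.CONFIRMED
            acct.pending -= dep.amount
            acct.available += dep.amount  # the single point where balance is created

    def fail_deposit(self, acct: Account, dep_id: str) -> None:
        dep = acct.deposits[dep_id]
        if dep.state is DepositState.PENDING:
            dep.state = DepositState.FAILED
            acct.pending -= dep.amount  # nothing was ever spendable, nothing to claw back

    withdraw = staticmethod(_withdraw)


def run_attack(ledger_cls):
    """Initiate a deposit, withdraw against it, then have the deposit fail.
    Returns (available, withdrawn); a negative available balance means the
    exchange paid out funds it never received."""
    ledger = ledger_cls()
    acct = Account()
    ledger.initiate_deposit(acct, Deposit("dep-1", 100_000))  # constructed sample
    try:
        ledger.withdraw(acct, 100_000)
    except ValueError:
        pass  # the settled ledger rejects this: nothing is spendable yet
    ledger.fail_deposit(acct, "dep-1")
    return acct.available, acct.withdrawn


def run_legitimate_settlement():
    """Happy path on the settled ledger: balance appears only at the threshold
    and a repeated confirmation notice does not double-credit."""
    ledger = SettledLedger()
    acct = Account()
    ledger.initiate_deposit(acct, Deposit("dep-2", 50_000))  # constructed sample
    ledger.observe_confirmation(acct, "dep-2", REQUIRED_CONFIRMATIONS - 1)
    before_threshold = acct.available
    ledger.observe_confirmation(acct, "dep-2", REQUIRED_CONFIRMATIONS)
    ledger.observe_confirmation(acct, "dep-2", REQUIRED_CONFIRMATIONS + 1)
    return before_threshold, acct.available, acct.pending


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableLedger))   # (-100000, 100000)
    print("settled:   ", run_attack(SettledLedger))      # (0, 0)
    print("legit:     ", run_legitimate_settlement())    # (0, 50000, 0)
```

The design point is that the settled ledger has exactly one place where spendable balance is created, and it is reached only from the PENDING state after the confirmation threshold, so a failed, reorged or cancelled deposit never has anything to reverse. Keeping a separate `pending` figure preserves the user-facing "deposit seen" experience without making it spendable.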
The vulnerability at Kraken was patched swiftly within hours of its discovery. Cassells emphasized the complexity of the bug, noting that it required specific on-chain knowledge to exploit, which is why it remained undetected for so long.
The situation took a troubling turn when it emerged that, beyond the initial report, two other researchers had used the bug to withdraw nearly $3 million from the exchange. This violated the rules of the bug bounty program, and the researchers have not returned the funds; instead they have asked to negotiate a payment based on the losses the bug could have caused had it gone unreported.
Kraken is treating this as a criminal matter and is coordinating with law enforcement. This comes at a time when Kraken is already under scrutiny, facing a lawsuit from the SEC over alleged securities law violations and reportedly preparing for an IPO next year.
The incident highlights the importance of robust security measures and rapid response protocols in digital finance. While the bug was fixed promptly, the episode underscores how a single ordering mistake in deposit handling can expose an exchange to direct financial loss, and how much the bug bounty model depends on researchers respecting its rules.