Blockchain security firm CertiK has confirmed that it was behind a bug exploit that resulted in the unauthorized withdrawal of $3 million worth of tokens from Kraken.
New York-based blockchain security firm CertiK has admitted to being behind a bug exploit that resulted in the unauthorized withdrawal of $3 million worth of tokens from the Kraken crypto exchange.
In a thread on X (formerly Twitter) on June 19, CertiK announced that it had identified a number of “critical vulnerabilities” in the Kraken exchange that “could potentially lead to hundreds of millions of dollars in losses.”
CertiK recently identified a number of critical vulnerabilities in the @krakenfx exchange that could potentially lead to hundreds of millions of dollars in losses.
Based on a finding in @krakenfx's deposit system where it cannot distinguish between different internal payments… pic.twitter.com/JZkMXj2ZCD
— CertiK (@CertiK) June 19, 2024
According to CertiK, the issue was first identified on June 5, and Kraken failed multiple tests, which the firm said indicated that the exchange’s defense-in-depth system was “compromised on multiple fronts.” CertiK specifically stated that it was able to bypass the exchange’s withdrawal risk controls without triggering any alerts.
“Large amounts of fictitious crypto (worth more than $1 million) can be withdrawn from the account and converted into valid cryptocurrencies. Worse, no alerts were triggered during the several-day testing period. Kraken responded and locked the test accounts days after we officially reported the incident.”
— CertiK
CertiK claims that after discovering the flaws, it notified Kraken, whose security team classified the issue as “critical.” But after the exploit was detected and fixed, CertiK alleges that Kraken’s security operations team “threatened” individual CertiK employees and demanded “refunds of a mismatched amount of cryptocurrency in an unreasonable amount of time, even without providing refund addresses.”
CertiK said it was publishing the details “in the spirit of transparency” with the web3 community, and called on Kraken to “stop any threats against white hat hackers.” The incident nevertheless sparked controversy and doubts within the blockchain community, with blockchain researchers highlighting inconsistencies in CertiK’s timeline and claims.
HAHAHHA YOU DAMN CLOWNS
There is absolutely NO universe where this is “white hat security research”
Kraken is being incredibly patient by not explicitly stating what this is: a multimillion-dollar theft with a side of extortion.
— Tay 💖 (@tayvano_) June 19, 2024
As Cyvers chief technology officer Meir Dolev noted on X, an address associated with CertiK had begun suspicious activity on multiple blockchain networks weeks before the Kraken incident was first reported, raising questions about the timeline provided by CertiK.
Following the @krakenfx incident, similar activity had started on Base 26 days ago!! The same signature hash was also used on Polygon 14 days ago. So, should we believe that CertiK found the security vulnerability only on June 5? @tayvano_ pic.twitter.com/cvAnVrTg67
— Meir Dolev (@Meir_Dv) June 19, 2024
In a follow-up post under CertiK’s thread, Coinbase director Conor Grogan pointed out that addresses associated with CertiK sent a portion of the withdrawn cryptocurrency to Tornado Cash, a mixing service sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) for facilitating the laundering of nearly $7 billion worth of cryptocurrency since 2019.
Reports also claim that addresses associated with CertiK sent some of the withdrawn cryptocurrency to ChangeNOW, a non-custodial crypto exchange. As of press time, CertiK has not made any public statement as to why it interacted with Tornado Cash and ChangeNOW, but it claims to have returned all withdrawn tokens to Kraken.