CertiK Returns $3 Million to Kraken

Certik has returned the $3 million to Kraken exchange, putting a happy end to the bug bounty-related saga.

Following a high-profile bug bounty exploit debacle, Kraken, a cryptocurrency exchange, has successfully recovered the missing funds.

The Kraken-Certik saga, which commenced on June 9, has been concluded with the confirmation of the return of the plundered digital assets valued at nearly $3 million.

Nicholas Percoco, Kraken’s chief security officer, verified the funds’ recovery, minus transaction fees, in a post on June 20. X:

“Update: We can now confirm the funds have been returned (minus a small amount lost to fees).”

Kraken’s CSO initially disclosed the $3 million in missing funds on June 19, when he asserted that a “security researcher” had maliciously withdrawn them from the treasury after discovering and sharing an existing flaw.

Kraken asserted that the security researcher who refused to return the funds demanded a reward and a call with the exchange’s business development team, extorting the company.

CertiK’s side of the story

CertiK, a blockchain security firm, publicly identified itself as the “security researcher” that Kraken claimed misappropriated $3 million of digital assets shortly after Kraken’s post regarding the missing funds.

CertiK disclosed an exploit that had enabled it to withdraw millions of dollars from Kraken’s accounts in a post on June 19, as reported by X. Certik also asserted that the exchange’s team had issued him a threat:

“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”

The security firm published a timeline of events that commences with the identification of the exploit on June 5 and concludes with allegations that Kraken intimidated a CertiK employee on June 18. CertiK declared to Cointelegraph that it intended to transfer the funds to an account that Kraken would have access to.

Why did CertiK withdraw nearly $3 million?

Initially, Kraken’s chief security officer (CSO) stated that the initial malicious transfer, valued at $4, would have been sufficient to establish the flaw and receive “substantial rewards” from the company’s bounty program.

Nevertheless, the security researcher, subsequently identified as CertiK, deposited nearly $3 million into their Kraken accounts.

CertiK stated in a post that the multi-million quantity was required to test the limits of the exchange following the return of the $3 million:

“We want to test the limit of Kraken’s protection and risk controls. After multiple tests across multiple days and close to $3 million worth of crypto, no alerts were triggered and we still haven’t figured out the limit.”

Additionally, CertiK asserts that it did not initially request a bounty; however, the exchange did mention it.

“We never mentioned any bounty request. It was Kraken who first mentioned their bounty to us, while we responded that the bounty was not the priority topic and we wanted to make sure the issue was fixed.”

CertiK stated that no Kraken user funds were at risk, as the exploited funds were “minted out of thin air.”