
Archived tweet


Tweet thread by Nick Percoco:

Kraken Security Update:

On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform. 
Tweeted at 8:24 AM · Jun 19, 2024

Every day we receive fake bug bounty reports from people claiming to be “security researchers”. This is not new to anyone who runs a bug bounty program. However, we treated this seriously and quickly assembled a cross-functional team to dig into this issue. Here is what we found.
Tweeted at Jun 19

Within minutes we discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit. 
Tweeted at Jun 19

To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time. 
Tweeted at Jun 19

We triaged this vulnerability as Critical and within an hour, 47 minutes to be exact, our team of experts had mitigated the issue. Within a few hours, the issue was completely fixed and could not reoccur again. 
Tweeted at Jun 19

Our team found a flaw deriving from a recent UX change that would promptly credit client accounts before their assets cleared - allowing clients to effectively trade crypto markets in real time. This UX change was not thoroughly tested against this specific attack vector. 
Tweeted at Jun 19

After patching the risk, we thoroughly investigated the situation and quickly discovered that 3 accounts had leveraged this flaw within a few days of each other. As we dug deeper, we noticed that one account was KYC’d to an individual who claimed to be a security researcher. 
Tweeted at Jun 19

This individual discovered the bug in our funding system, and leveraged it to credit their account with $4 in crypto. This would have been sufficient to prove the flaw, file a bug bounty report with our team, and collect a very sizable reward under the terms of our program. 
Tweeted at Jun 19

Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets. 
Tweeted at Jun 19

The initial Bug Bounty report did not fully disclose this transaction information, so we contacted the security researchers to confirm some details to progress with rewarding them for successfully identifying a security flaw on our platform. 
Tweeted at Jun 19

In turn, we requested a full account of their activities, a proof of concept used to create the on-chain activity, and to arrange the return of the funds that they had withdrawn. This is common practice for any Bug Bounty program. These security researchers refused. 
Tweeted at Jun 19

Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion! 
Tweeted at Jun 19

We have had a Bug Bounty program in place at Kraken for nearly ten years. This program is run internally and is fully staffed by some of the brightest minds in the community. Our program, like many others, has clear rules of the road… 

1. Do not exploit more than you need to in 
Tweeted at Jun 19

We have never had issues with legitimate researchers in this way and are always responsive. 
Tweeted at Jun 19

In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that “white-hat hackers” return what they stole from us. Unbelievable. 
Tweeted at Jun 19

As a security researcher, your license to “hack” a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your “license to hack”. It makes you, and your company, criminals. 
Tweeted at Jun 19

We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends. 
Tweeted at Jun 19

Our Bug Bounty program continues to be a vital shield in Kraken’s mission and a key part of our efforts to enhance the overall security of the crypto ecosystem. We look forward to working with good faith actors in the future and consider this as an isolated experience. 
Tweeted at Jun 19

This is the last message in this thread. If you want to read it from the beginning, start here:
Tweeted at Jun 19

Update: We can now confirm the funds have been returned (minus a small amount lost to fees). x.com/c7five/status/… 
Tweeted at Jun 20
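The flaw described in the thread is a funding system that credited a client's spendable balance as soon as a deposit was initiated, before the assets had cleared. The following toy ledger is an added illustration of that pattern beside a hardened one; it is not Kraken's code and is not derived from the report. The account names, amounts, the six-confirmation threshold and the three deposit states are constructed assumptions. The hardened ledger keeps uncleared deposits in a separate pending balance that is visible but not withdrawable, moves funds to the spendable balance only once they have cleared, credits each deposit at most once, and drops a failed deposit from pending without ever touching the spendable balance.

```python
"""Deposit-ledger model (added example; not Kraken's code).

Contrasts crediting a spendable balance on deposit initiation with holding
uncleared deposits in a separate pending balance until they settle.
All names, amounts and the confirmation threshold are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # seen by the platform, not yet settled
    CLEARED = "cleared"       # settled with enough confirmations
    FAILED = "failed"         # never settled (reorg, cancellation, etc.)


@dataclass
class Deposit:
    deposit_id: str
    amount: int               # smallest unit of the asset (constructed)
    state: DepositState = DepositState.INITIATED


@dataclass
class Account:
    available: int = 0        # spendable / withdrawable balance
    pending: int = 0          # shown to the client, but not withdrawable
    deposits: dict = field(default_factory=dict)


class VulnerableLedger:
    """Credits the spendable balance as soon as a deposit is initiated."""

    def __init__(self):
        self.accounts = {}

    def account(self, name):
        return self.accounts.setdefault(name, Account())

    def initiate_deposit(self, name, dep):
        acct = self.account(name)
        acct.deposits[dep.deposit_id] = dep
        acct.available += dep.amount   # BUG: credited before clearing

    def withdraw(self, name, amount):
        acct = self.account(name)
        if amount > acct.available:
            return False
        acct.available -= amount
        return True


class HardenedLedger(VulnerableLedger):
    """Holds uncleared deposits in `pending`; only cleared funds are spendable."""

    def initiate_deposit(self, name, dep):
        acct = self.account(name)
        acct.deposits[dep.deposit_id] = dep
        acct.pending += dep.amount     # visible, but not withdrawable

    def settle(self, name, deposit_id, confirmations, required=6):
        """Move a deposit from pending to available once it has cleared."""
        acct = self.account(name)
        dep = acct.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            return dep.state           # idempotent: never credit twice
        if confirmations >= required:
            dep.state = DepositState.CLEARED
            acct.pending -= dep.amount
            acct.available += dep.amount
        return dep.state

    def fail(self, name, deposit_id):
        """Deposit never settled: remove it from pending, leave available alone."""
        acct = self.account(name)
        dep = acct.deposits[deposit_id]
        if dep.state is DepositState.INITIATED:
            dep.state = DepositState.FAILED
            acct.pending -= dep.amount
        return dep.state


def demo():
    """Run the same sequence against both ledgers: initiate, then withdraw
    before the deposit has cleared. Returns whether each withdrawal succeeded."""
    results = {}
    for cls in (VulnerableLedger, HardenedLedger):
        ledger = cls()
        ledger.initiate_deposit("alice", Deposit("dep-1", 100_000))
        results[cls.__name__] = ledger.withdraw("alice", 100_000)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the client-facing balance and the withdrawable balance are different ledgers: showing a pending credit in the UI is harmless, letting it back a withdrawal or a trade before settlement is the flaw. `settle` is also written to be idempotent so that a repeated confirmation callback cannot credit the same deposit twice, a second failure mode worth testing whenever a funding flow is changed.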

Text is licensed under a Creative Commons Attribution 3.0 Unported License. All attribution can be found on the attribution page.
