Cryptocurrency exchange Kraken recently confirmed the recovery of nearly $3 million in digital assets that had gone missing following a bug bounty exploit. The incident began on June 9 and concluded when blockchain security firm CertiK returned the funds. Nicholas Percoco, Kraken’s Chief Security Officer (CSO), announced that the funds had been returned, minus a small amount lost to transaction fees.
Percoco first raised the alarm about the missing funds after a reported ‘security researcher’ exploited a bug they had discovered and then made a sizeable withdrawal. Kraken alleged the researcher had refused to return the funds and demanded a reward plus a discussion with Kraken’s business development team.
CertiK then stepped forward, identified itself as the ‘security researcher’ and admitted to removing millions from Kraken’s accounts after discovering an exploit. It was also revealed that CertiK had received threats from Kraken’s security team after the funds had disappeared from the exchange’s wallets.
In an attempt to clarify its actions, CertiK explained that the substantial withdrawal was necessary to test the extent of Kraken’s security controls. Over several days, CertiK conducted multiple tests amounting to almost $3 million worth of crypto, noting that no alerts were triggered. It also stated that it hadn’t initially requested a bounty, implying that its primary concern was to ensure the bug was fixed. CertiK further gave assurances that no user funds from Kraken were jeopardized, as the funds were simply ‘minted out of air.’