Kraken discloses it was exploited for nearly $3 million in bug that has now been fixed

Kraken disclosed nearly $3 million was taken from its wallets following a bug-related exploit that's since been fixed.

The crypto exchange received a bug bounty program alert on June 9, according to Kraken’s Chief Security Officer Nick Percoco. The alert warned it to an “extremely critical” bug, allowing an attacker to artificially inflate their balance on its platform.

Percoco said that while the submission was lacking in specifics, it looked into the issue and discovered an isolated bug allowing a malicious attacker to initiate a deposit onto its platform and receive funds in their account, without fully completing the deposit. He noted this was only in a specific set of circumstances.

Although no client assets were at risk, he claimed, the bug derived from a flaw in a recent UX change that credited clients’ accounts before asset deposits fully cleared, allowing a malicious attacker to effectively “print assets” in their Kraken account for "a period of time," Percoco said.

Exploited ahead of the bounty submission

The bug was completely fixed within a few hours, according to Percoco. However, a subsequent investigation revealed it had already been exploited by three accounts within a few days of each other, he said.

Percoco claimed that one of the accounts was KYC’d to the individual who discovered the bug and had claimed to be a “security researcher.” The individual purportedly leveraged the bug to credit their account with $4 — sufficient to prove the flaw, file a bug bounty report and claim a sizable reward, Percoco said.

However, Kraken’s CSO alleged that the researcher had instead disclosed the bug to two other individuals they work with, who subsequently withdrew much larger sums from their Kraken accounts totaling nearly $3 million. “This was from Kraken’s treasuries, not other client assets,” Percoco clarified.

Percoco said Kraken requested a full account of their activities and for the funds to be returned. However, the researchers allegedly refused to return any funds until Kraken disclosed the potential size of the exploit if they had not disclosed the bug. “This is not white-hat hacking, it is extortion!” Percoco said.

Percoco said the crypto exchange was accused by the researchers of being “unreasonable” and “unprofessional” in its requests, adding that while Kraken would not disclose the research firm involved, it would treat it as a criminal case given the breach of its bug bounty terms.

“We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly,” Percoco said.