Lessons from CertiK's dispute with Kraken
White hat hacking, or ethical hacking, is a crucial component of cybersecurity. It’s hacking that allows “good guys” to dissect applications, report security vulnerabilities to vendors, and use the information to improve the ecosystem's security posture.
This is not a unique concept in blockchain . it exists in places including the cloud, artificial intelligence, operating system security and more. However, in all cases, vendors and security researchers have created a delicate but powerful relationship based on the balancing act of trust.
In the blockchain space, auditors such as Trail of Bits, Halborn, and Open Zeppelin have been analyzing and repairing various smart contracts for years and have operated with utmost professionalism, building a strong sense of trust.
CertiK and Kraken’s dispute
On May 17, researchers from CertiK discovered a vulnerability in Kraken’s Digital Asset Exchange balance calculation and deposit mechanism. The Kraken Security Team rightly defined this as a critical issue and reported it resolved within 47 minutes.
Related: Incentive networks could save millions on AI compute costs
While seemingly innocent at first, this type of vulnerability allows attackers to “double spend,” meaning they have the ability to fake a deposit into the exchange. Once their balance on the exchange mistakenly updates, they then turn around and withdraw the same amount. This act removes money from the exchange’s main treasury wallet (which is what the majority of centralized exchanges use to manage custodial funds, similar to banks).
CertiK also published the list of fake deposit transactions, exploiting the vulnerability at least 20 times over five days, while claiming they were only testing Kraken’s detection mechanisms.
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.
— CertiK (@CertiK) June 19, 2024
Starting from a finding in @krakenfx 's deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD
After having a working proof-of-concept, CertiK researchers should have reported the issue immediately to Kraken and halted any further exploitation of the vulnerability. Nonetheless, since the incident, all funds taken during this so-called "testing" have been returned to Kraken, aside from a small amount that was lost in fees.
A framework for ethical hackin
White hat hacking is delicate.
The goal is to enhance application security, ensuring trust and transparency without jeopardizing the vendor’s business.
However, the underlying truth is that white hat hackers are oftentimes PR-driven and, with the wrong motives, will aim for the boldest headline. For example, “CertiK managed to take $3 million from Kraken without anyone noticing” is a much more intriguing headline than “Researchers found a critical bug in Kraken and saved millions of dollars.”
Related: Blockchain has a role to play in countering the ill effects of AI
This is where tension becomes high. Ethical researchers are expected to report their findings as soon as possible and have the leanest proof-of-concept so that the vendor’s business is not disrupted. The only exception is when the vendor invites penetration testing from the researchers, in which case they would have agreed on the scope of the testing and code of conduct.
Unfortunately, this was not the case here as the “unsolicited” penetration testing continued for four days after CertiK made a successful proof-of-concept. CertiK should have returned the funds before or at the time of the initial reporting. Such a large amount of funds should never have been taken from Kraken’s treasury or any other exchange.
Where trust finds a place
As an industry, we should stick together and look out for one another, no matter the attention that a damaging headline would bring to a competing business.
Our industry is faced with a high number of bad hackers to fight. Fortunately, even after disappointing developments like this, we are continuing to improve security products and practices, while innovation is steadily moving forward. Industry-side collaboration, where intimate and valuable information is shared between competitors is crucial because, in the end, security is a team sport.
We can only move forward as an industry if there is trust between all the “good guys.” In fact, it shouldn’t be "us" versus "them" — we are all working towards a common good and we have to keep that in mind first and foremost.
This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
