CertiK, Kraken Reach Resolution in Bug Bounty Saga
The saga surrounding CertiK's security practices and its dealings with Kraken appears to have reached a resolution. After the two sides traded accusations in a very public spat over the past weeks, both parties have confirmed the return of the disputed funds.
According to Kraken chief security officer Nicholas Percoco, who posted on Twitter/X on Thursday, the stolen digital assets have been returned "minus a small amount lost to fees."
The controversy erupted when CertiK allegedly exploited a vulnerability in Kraken's system, moving nearly $3 million worth of crypto out of Kraken's treasury. This action sparked outrage within the crypto community, as it deviated from responsible disclosure practices. Responsible disclosure involves notifying the affected party (Kraken, in this case) of the vulnerability and collaborating to fix it, with any proof of concept kept to the minimum needed to demonstrate the flaw rather than extracting funds at scale.
CertiK defended its actions by claiming it was acting in a white-hat capacity. It asserted that it informed Kraken of the vulnerability details via email and video meetings, and that Kraken confirmed fixing the issue within a short timeframe. Additionally, CertiK claims the funds it withdrew were "created out of thin air" and did not involve any real user assets.
Kraken vehemently disputed CertiK's claims. They stated that CertiK initially downplayed their involvement and that only one individual, presumed to be a CertiK employee, submitted a legitimate bug bounty report for a small amount. Two other accounts associated with CertiK then allegedly exploited the flaw to withdraw the much larger sum of nearly $3 million.
Furthermore, Kraken claims that the initial bug report only mentioned a $4 exploit and did not disclose the full extent of CertiK's activities. They allege that CertiK refused to cooperate fully with the investigation and demanded a specific reward amount before returning the funds.