Kraken fixes “an isolated bug”, saying no user funds were stolen.
Kraken says it has patched a bug that could have allowed exploiters to inflate their account balances.
After a security researcher discovered the bug, accounts linked to that researcher exploited the vulnerability and reportedly withdrew $3 million from Kraken's own coffers.
Kraken announced that its security team had patched a bug that allowed some users to increase their account balance on the exchange.
The announcement follows Kraken's revelation that security researchers identified the vulnerability as part of the exchange's bug bounty program.
“On June 9, 2024, we received a bug bounty program alert from a security researcher. Nothing specific was disclosed at first, but their email said they found a ‘critical’ bug that allowed them to artificially inflate their balance on our platform,” Kraken security chief Nick Percoco posted on X.
$3 million was stolen, but no user funds were affected.
In particular, the flaw allowed some users, albeit for a short time, to “increase the value of their Kraken account without fully completing any deposits,” the exchange said in a blog post.
Kraken has since fixed the bug in its deposit and withdrawal systems and says no customer funds were affected.
However, by the time the exchange fixed the isolated bug, two users had already exploited the vulnerability to withdraw $3 million from their accounts. These accounts are said to be linked to the security researcher who discovered the bug and notified Kraken.
Reportedly, the unnamed individual reported the flaw to Kraken only after withdrawing the $3 million.
According to Percoco, despite the large withdrawals, the security researcher still asked to be paid the bug bounty reward.
“We are not going public with this research company because they are not recognized for their actions. We are treating this as a criminal matter and are coordinating with law enforcement agencies accordingly. We appreciate this matter being reported, but that's where the thinking ends,” Percoco added.