Kraken has recovered $3 million from CertiK, ending the bug bounty saga
Cryptocurrency exchange Kraken has found missing funds following a massive bug bounty exploit fiasco.
Kraken has confirmed that nearly $3 million worth of stolen digital assets have been returned, ending the Kraken-CertiK saga that began on June 9.
The receipt of the funds, minus transaction fees, was confirmed by Kraken's Chief Security Officer Nicholas Percoco in a June 20 X post.
“UPDATE: We can now confirm that the funds have been returned (minus the amount lost in the payment).”
Kraken's CSO first announced the $3 million in missing funds on June 19, claiming that a “security researcher” had fraudulently siphoned them out of the treasury after discovering and sharing an existing bug.
Kraken refused to return the money, claiming it had been stolen by the hacker, claiming the reward and making a call with the exchange's business development team.
CertiK's side of the story
Shortly after Kraken posted about the missing funds, blockchain security firm CertiK publicly identified itself as the “security researcher” that Kraken claimed had stolen $3 million in digital assets.
In a June 19 X post, CertiK said it was informed of an exploit that allowed Kraken to withdraw millions of dollars from the currency's accounts. CertiK also claimed that the exchange team had received threats:
“After an initial successful change in identifying and remediating the vulnerability, Kraken's security operations team raised the risk of individual CertiK employees making unreasonably large amounts of crypto without even providing a payment address.”
The security firm laid out a timeline of events, identifying the exploit on June 5 and claiming that Kraken threatened a CertiK employee on June 18. In a statement to Cointelegraph, CertiK said it plans to transfer the funds to a Kraken account. He can reach.
Why did CertiK withdraw nearly $3 million?
Kraken claims that Percoco's first malicious transfer, initially valued at $4, was enough to prove the mistake and collect “huge rewards” from Kraken's bounty program.
However, the security researcher, later identified as CertiK, withdrew nearly $3 million into their Kraken account.
Following the return of the $3 million, CertiK said in a post that the $1 million was necessary to test the scope of the exchange.
“We want to test the limits of Kraken's security and risk controls. After several tests over several days and nearly $3 million worth of crypto, no alerts have been raised and we still don't know the limit.”
What's more, CertiK didn't ask for a bonus in the beginning, but it was mentioned by the exchange:
“We have never raised any bonus claim. Kraken was the first to tell us about their bounty, but we responded that the bounty wasn't a top priority and wanted to make sure it was addressed.”
CertiK added that no Kraken user funds were at risk because the exploited funds “came out of thin air.”