Lessons learned from CertiK’s debate with Kraken


White hat hacking, or ethical hacking, is an important part of cyber security. It is hacking that allows the "good guys" to pick apart applications, report security vulnerabilities to vendors, and use that information to improve the ecosystem's security posture.

This concept is not unique to blockchain. It exists in areas including cloud, artificial intelligence, operating system security and more. In all of these, vendors and security researchers have formed a delicate but powerful relationship built on a trust that scales with the researcher's track record.

In the blockchain space, auditors such as Trail of Bits, Halborn and OpenZeppelin have been researching and breaking smart contracts for years, working with a high degree of professionalism and building a strong sense of trust.

CertiK and Kraken dispute

On May 17, CertiK researchers discovered a vulnerability in the Kraken digital asset exchange's balance calculation and deposit method. The Kraken security team correctly identified it as a critical issue and reported that it was resolved in 47 minutes.

While it seems innocent at first, this type of vulnerability allows attackers to "double spend": once the exchange mistakenly credits their balance, they turn around and withdraw the same amount. That withdrawal removes real money from the exchange's main treasury wallet, which is what most centralized exchanges use to manage custodial funds, much as a bank does.
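As an added illustration of the double-spend class described above (example code written for this page, not Kraken's code and not the actual bug; the ledger model, the six-confirmation threshold, the user names and the transaction ids are all assumptions): a naive ledger that credits spendable balance the moment a deposit notification arrives, beside a hardened one that keys each deposit by its transaction id, credits balance only after the deposit is confirmed, and refuses to resurrect a deposit that was dropped or reorganised out of the chain.

```python
"""Toy custodial-exchange ledger. Hypothetical model for illustration only;
it is not Kraken's code and does not reproduce the actual vulnerability."""
from dataclasses import dataclass

CONFIRMATIONS_REQUIRED = 6  # assumed policy value, not taken from the article


@dataclass
class Deposit:
    txid: str
    user: str
    amount: int              # smallest unit of the asset
    confirmations: int = 0
    state: str = "pending"   # pending -> confirmed | failed


class NaiveLedger:
    """Vulnerable pattern: spendable balance is credited as soon as a deposit is seen."""

    def __init__(self):
        self.balances = {}

    def on_deposit_seen(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount

    def withdraw(self, user, amount):
        if self.balances.get(user, 0) < amount:
            return False
        self.balances[user] -= amount   # funds leave the treasury wallet
        return True


class SafeLedger:
    """Hardened pattern: idempotent by txid, spendable only once confirmed."""

    def __init__(self, confirmations_required=CONFIRMATIONS_REQUIRED):
        self.required = confirmations_required
        self.deposits = {}   # txid -> Deposit; the txid is the idempotency key
        self.withdrawn = {}  # user -> total withdrawn

    def on_deposit_seen(self, txid, user, amount):
        # A replayed notification for the same on-chain tx creates no second entry.
        if txid not in self.deposits:
            self.deposits[txid] = Deposit(txid, user, amount)
        return self.deposits[txid]

    def on_block(self, txid, confirmations):
        d = self.deposits.get(txid)
        if d is None or d.state == "failed":
            return               # unknown or already dropped: ignore stale news
        d.confirmations = confirmations
        if confirmations >= self.required:
            d.state = "confirmed"

    def on_deposit_failed(self, txid):
        # Dropped from the mempool or reorganised out before confirmation.
        d = self.deposits.get(txid)
        if d is not None and d.state != "confirmed":
            d.state = "failed"

    def available(self, user):
        confirmed = sum(d.amount for d in self.deposits.values()
                        if d.user == user and d.state == "confirmed")
        return confirmed - self.withdrawn.get(user, 0)

    def withdraw(self, user, amount):
        if amount <= 0 or self.available(user) < amount:
            return False
        self.withdrawn[user] = self.withdrawn.get(user, 0) + amount
        return True


def demo_naive():
    """An unconfirmed deposit is immediately withdrawable: the double spend."""
    ledger = NaiveLedger()
    ledger.on_deposit_seen("alice", 1_000)
    return ledger.withdraw("alice", 1_000)   # True


def demo_safe():
    """Same deposit against the hardened ledger, step by step."""
    ledger = SafeLedger()
    ledger.on_deposit_seen("tx-1", "alice", 1_000)
    ledger.on_deposit_seen("tx-1", "alice", 1_000)   # replayed notification
    pending = ledger.withdraw("alice", 1_000)        # False: still pending
    ledger.on_block("tx-1", 3)
    partial = ledger.withdraw("alice", 1_000)        # False: below threshold
    ledger.on_block("tx-1", 6)
    confirmed = ledger.withdraw("alice", 1_000)      # True: confirmed once
    again = ledger.withdraw("alice", 1)              # False: balance exhausted
    return pending, partial, confirmed, again


def demo_reorg():
    """A deposit dropped before confirmation never becomes spendable."""
    ledger = SafeLedger()
    ledger.on_deposit_seen("tx-2", "bob", 500)
    ledger.on_block("tx-2", 2)
    ledger.on_deposit_failed("tx-2")   # reorganised out of the chain
    ledger.on_block("tx-2", 6)         # stale notification must not revive it
    return ledger.available("bob")     # 0
```

The two properties worth checking in a real deposit pipeline are the ones `demo_safe` and `demo_reorg` exercise: every credit is tied to exactly one on-chain transaction id, and only deposits that have reached the confirmation threshold count toward the balance a withdrawal is checked against.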

CertiK also published a list of the fraudulent deposit transactions; it exploited the vulnerability at least 20 times over five days, saying it was testing Kraken's detection methods.

Once they had a working proof of concept, the CertiK researchers should have immediately reported the issue to Kraken and stopped exploiting the vulnerability. Since the event, all funds taken during this so-called "experiment" have been returned to Kraken, except for a small amount lost in fees.

A framework for ethical hacking

White hat hacking is delicate.

The goal is to increase application security and ensure trust and transparency without threatening the provider's business.

The bottom line, however, is that white hat hackers are often PR-driven and have ulterior motives, aiming for the boldest headline. For example, "CertiK was able to take $3 million from Kraken without anyone knowing" is a more interesting headline than "Researchers found a critical bug in Kraken and saved millions of dollars."

This is where the tension runs high. Ethical hackers are expected to report their findings as quickly as possible, with a rigorous proof of concept, so that the provider's business is not disrupted. The only exception is when the vendor invites the researchers to perform a penetration test, in which case the two sides agree on the scope of the test and a code of conduct.

Unfortunately, this was not the case: the "unsolicited" penetration test continued for four days after CertiK's successful proof of concept. CertiK should have returned the money before or at the time of the first report. Such a large amount of money should never be taken from the treasury of Kraken or any other exchange.

Where trust finds its place

As an industry, we need to stick together and look out for each other, even when a damaging story about a competitor might bring in business.

Our industry has a large number of malicious hackers to combat. Fortunately, even after such disappointing developments, innovation keeps moving forward and we continue to improve security products and practices. On the industry side, collaboration and close, valuable information sharing between competitors are critical, because ultimately security is a team sport.

We can only move forward as an industry if there is trust between all the "good guys." It shouldn't be "us" versus "them": we are all working for the common good, and we should keep that in mind above all else.

Shahar Madar is Vice President of Security and Trusted Products at Fireblocks, which specializes in building security, identity, compliance and governance solutions for the needs of large enterprises and leading brands. He is also the Vice Chair of Crypto ISAC, a non-profit organization dedicated to advancing security initiatives across the crypto ecosystem.

This article is for general information purposes only and should not be construed as legal or investment advice. The views, ideas and opinions expressed herein are solely those of the author and do not necessarily represent the views and opinions of Cointelegraph.
