Kraken chief security reveals UX change resulted in $3m bug exploit
Kraken’s chief security officer disclosed that a bug in the exchange’s funding system led to a $3 million loss after being exploited by rogue security researchers.
American crypto exchange Kraken lost around $3 million worth of crypto in early June after a rogue “security researcher” exploited a bug in the exchange’s funding system. Kraken’s chief security officer Nick Percoco disclosed the incident in an X thread, emphasizing the breach of ethical standards by the individuals involved.
As per Percoco, the team first received a notification from a “security researcher” about a potential bug on Jun. 9. Later on, the team found a “flaw deriving from a recent UX change” that would allow credit client accounts before their assets cleared, enabling clients to effectively trade crypto markets in real-time. The Kraken CSO admitted the exchange didn’t test the UX change against that specific attack vector prior to the attack.
“This UX change was not thoroughly tested against this specific attack vector,” Percoco wrote.
After patching the vulnerability, Kraken discovered that three accounts had earlier exploited the same flaw within a few days of each other. Instead of reporting the bug directly, the security researcher allegedly shared the information with two associates, Percoco said, adding that the unknown individuals ultimately withdrew nearly $3 million from Kraken’s treasuries.
Percoco pointed out that the initial report from the “security researcher” didn’t fully disclose the bug, so the team had to re-confirm some details to progress with rewarding them for successfully identifying a security flaw.
Kraken requested a full account of their activities, a proof of concept, and the return of the withdrawn funds. However, the individuals refused to comply, which Percoco described as “not white-hat hacking” but rather “extortion.” It remains unclear whether Kraken identified all the attackers or managed to recover the stolen funds.