Kraken, a popular cryptocurrency exchange, has recently fixed a critical bug that allowed certain users to generate artificial funds within their accounts over an extended period. The bug was discovered by Kraken’s security team on June 9 after receiving a bug bounty report. It was found that the bug allowed users to initiate deposits and have the funds credited before the actual transaction was completed.
According to Nick Percoco, Kraken’s Chief Security Officer, the vulnerability allowed malicious attackers to effectively create assets in their accounts for a certain period. While no nefarious actors took advantage of the bug, a few security researchers did exploit it after one of them reported the issue through the bug bounty program.
The bug originated in January when a new feature was introduced on Kraken’s platform. This feature allowed users to deposit funds and have them credited to their accounts before the transaction was finalized. During the window before finalization, users could inflate their balance by canceling the pending deposits after the funds were already credited.
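The flaw pattern described above, credit on initiation and no reversal on cancellation, can be seen in a small ledger model. This is an added example written for this article, not Kraken's code; the class names, the state machine and the reconciliation check are assumptions about how such a deposit pipeline might be structured, and the deposit ids and amounts are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"
    SETTLED = "settled"
    CANCELLED = "cancelled"


@dataclass
class Deposit:
    deposit_id: str
    amount: int  # minor units (e.g. cents); integers avoid float rounding in ledgers
    state: DepositState = DepositState.PENDING


class InstantCreditLedger:
    """Flawed pattern (assumed shape of the bug): the spendable balance is
    credited as soon as a deposit is initiated, and cancelling the pending
    deposit never reverses that credit."""

    def __init__(self):
        self.balance = 0
        self.deposits = {}

    def initiate_deposit(self, deposit_id, amount):
        self.deposits[deposit_id] = Deposit(deposit_id, amount)
        self.balance += amount  # credited before the transfer has finalized

    def settle_deposit(self, deposit_id):
        self.deposits[deposit_id].state = DepositState.SETTLED

    def cancel_deposit(self, deposit_id):
        self.deposits[deposit_id].state = DepositState.CANCELLED
        # Missing: self.balance -= amount. The earlier credit survives.

    def spendable(self):
        return self.balance


class SettledFundsLedger:
    """Hardened pattern: pending and settled funds are tracked separately, only
    settled funds are spendable, and every transition checks the current state."""

    def __init__(self):
        self.settled = 0
        self.pending = 0
        self.deposits = {}

    def initiate_deposit(self, deposit_id, amount):
        if amount <= 0:
            raise ValueError("deposit amount must be positive")
        if deposit_id in self.deposits:
            raise ValueError("duplicate deposit id")  # idempotency guard
        self.deposits[deposit_id] = Deposit(deposit_id, amount)
        self.pending += amount  # shown to the user, but not spendable

    def _take_pending(self, deposit_id):
        d = self.deposits[deposit_id]
        if d.state is not DepositState.PENDING:
            raise ValueError(f"deposit {deposit_id} already {d.state.value}")
        self.pending -= d.amount
        return d

    def settle_deposit(self, deposit_id):
        d = self._take_pending(deposit_id)
        d.state = DepositState.SETTLED
        self.settled += d.amount  # funds become spendable only now

    def cancel_deposit(self, deposit_id):
        d = self._take_pending(deposit_id)
        d.state = DepositState.CANCELLED  # nothing was ever credited to settled

    def withdraw(self, amount):
        if amount > self.settled:
            raise ValueError("insufficient settled funds")
        self.settled -= amount

    def spendable(self):
        return self.settled


def reconcile(ledger):
    """Detection check: the spendable balance must never exceed what settled
    deposits can account for. Returns True when the books balance."""
    settled_total = sum(d.amount for d in ledger.deposits.values()
                        if d.state is DepositState.SETTLED)
    return ledger.spendable() <= settled_total


def deposit_then_cancel(ledger_cls, amount=100_00):
    """Replay the deposit-then-cancel sequence from the article against either
    ledger and return the resulting ledger for inspection."""
    ledger = ledger_cls()
    ledger.initiate_deposit("dep-1", amount)  # constructed sample deposit id
    ledger.cancel_deposit("dep-1")
    return ledger


if __name__ == "__main__":
    for cls in (InstantCreditLedger, SettledFundsLedger):
        ledger = deposit_then_cancel(cls)
        print(cls.__name__, "spendable:", ledger.spendable(),
              "reconciles:", reconcile(ledger))
```

The reconciliation function is the piece a defender would schedule: it compares spendable balance against settled deposits and flags the inflated account immediately, whereas the state check in `_take_pending` is what prevents the inflation in the first place.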
This is not the first time a crypto exchange has experienced such an exploit. In 2020, a software glitch at CoinBerry, a Canadian crypto exchange, enabled over 500 users to steal $3 million in Bitcoin by abusing instant e-transfers and canceling the deposits.
The vulnerability on Kraken went unnoticed for several months until a security researcher submitted a bug bounty report on June 9 describing the bug as extremely critical. Kraken's team patched the issue within hours of beginning its investigation.
The researcher who initially reported the bug, along with two others, had fraudulently withdrawn almost $3 million from Kraken’s treasury. While the first researcher only tested the vulnerability with a $4 credit, the other two took out significantly larger sums.
Kraken is now treating this as a criminal matter and is cooperating with law enforcement agencies. The two researchers are refusing to return the exploited funds until it is determined how much Kraken could have lost if the bug had not been identified.
Despite this concerning lapse in security, Kraken responded swiftly to resolve the issue once notified through its bug bounty program. The exchange is already under scrutiny from the U.S. Securities and Exchange Commission for alleged violations of securities laws.