- Kraken says it patched a bug that may have allowed exploiters to inflate account balances
- Bug found by a safety researcher, whose related accounts reportedly siphoned $3 million from Kraken treasury by exploiting the vulnerability.
Kraken has introduced that its safety staff has patched a bug that may have allowed sure customers to doubtlessly inflate their account balances on the alternate.
The announcement follows Kraken’s revelation {that a} safety researcher had recognized the vulnerability as a part of the alternate’s bug bounty program.
“On June 9 2024, we acquired a Bug Bounty program alert from a safety researcher. No specifics have been initially disclosed, however their electronic mail claimed to seek out an “extraordinarily vital” bug that allowed them to artificially inflate their steadiness on our platform,” Kraken chief safety officer Nick Percoco posted on X.
$3 million stolen, not consumer funds
Particularly, the flaw would have allowed sure customers, albeit a brief time period, to “artificially enhance the worth of their Kraken account steadiness with out absolutely finishing a deposit,” the alternate mentioned in a weblog publish.
Kraken has since patched this bug in its deposit and funding system and famous that it didn’t impression any buyer funds.
Nonetheless, whereas the alternate has mounted the remoted bug, the report got here after two customers had already exploited the vulnerability to withdraw $3 million from their accounts. These accounts are reportedly associated to the identical safety researcher that recognized the bug and knowledgeable Kraken.
Allegedly, the unnamed particular person knowledgeable Kraken of the bug after the $3 million withdrawal.
In line with Percoco, regardless of the massive withdrawal, the safety researcher has demanded that they get his bounty reward.
“We’ll not disclose this analysis firm as a result of they don’t deserve recognition for his or her actions. We’re treating this as a felony case and are coordinating with regulation enforcement companies accordingly. We’re grateful this situation was reported, however that’s the place that thought ends,” Percoco added.
