Major cryptocurrency exchange Kraken has discovered a critical error that effectively allowed free money to be printed.
Despite the severity of the error, the exchange says that no client’s assets were actually at risk.
A security researcher notified the global cryptocurrency trading platform of the vulnerability via email.
Despite routinely dealing with false bug bounty reports, the exchange says it treated that particular alert seriously, and its team quickly investigated the issue.
The Kraken team ended up discovering a bug that allowed criminals to initiate a deposit on Kraken and receive funds into their account without completing the deposit.
A bad actor could print assets out of thin air on Kraken, according to Nick Percoco, chief security officer at Kraken. The flaw was introduced by a recent change to the user experience that credited client accounts before the deposited assets had actually cleared.
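As an added illustration, and not Kraken's code or a description of its real implementation, the toy ledger below contrasts the bug class Percoco describes (a spendable balance credited the moment a deposit is initiated) with the safe pattern of crediting only after the deposit has settled on-chain. The `Ledger` class, the confirmation threshold and the `run_attack`/`run_legit` helpers are assumptions made for the example.

```python
"""Toy exchange ledger: "credit on initiation" versus "credit on settlement".

Added illustration, not Kraken's code. The class names, the confirmation
threshold and the deposit states are assumptions chosen to make the failure
mode visible; amounts are in the asset's smallest unit.
"""
from dataclasses import dataclass, field

REQUIRED_CONFIRMATIONS = 6  # assumption: chain-specific settlement threshold


@dataclass
class Deposit:
    account: str
    amount: int
    confirmations: int = 0
    failed: bool = False  # reorged, replaced, or never broadcast

    @property
    def settled(self) -> bool:
        return not self.failed and self.confirmations >= REQUIRED_CONFIRMATIONS


@dataclass
class Ledger:
    credit_on_initiation: bool  # True reproduces the bug class
    available: dict = field(default_factory=dict)  # spendable balances (liabilities)
    pending: dict = field(default_factory=dict)    # shown in UI, never spendable
    settled_total: int = 0  # value that really reached the exchange's wallets
    paid_out: int = 0       # value that really left them

    def initiate_deposit(self, account: str, amount: int) -> Deposit:
        d = Deposit(account, amount)
        if self.credit_on_initiation:
            # Vulnerable: a spendable balance exists before any funds do.
            self.available[account] = self.available.get(account, 0) + amount
        else:
            # Hardened: surface it as pending until the chain confirms it.
            self.pending[account] = self.pending.get(account, 0) + amount
        return d

    def observe_chain(self, d: Deposit, confirmations: int, failed: bool = False) -> None:
        """Called by the deposit watcher as new blocks arrive."""
        was_settled = d.settled
        d.confirmations = confirmations
        d.failed = failed
        if d.failed:
            # Funds never arrived. In the vulnerable design the credit was
            # already spendable, so reversing it can only leave a debt behind.
            if self.credit_on_initiation:
                self.available[d.account] -= d.amount
            else:
                self.pending[d.account] -= d.amount
            return
        if d.settled and not was_settled:
            self.settled_total += d.amount
            if not self.credit_on_initiation:
                self.pending[d.account] -= d.amount
                self.available[d.account] = self.available.get(d.account, 0) + d.amount

    def withdraw(self, account: str, amount: int) -> bool:
        """Withdrawals are checked against spendable balance only."""
        if amount <= 0 or self.available.get(account, 0) < amount:
            return False
        self.available[account] -= amount
        self.paid_out += amount
        return True

    def treasury(self) -> int:
        return self.settled_total - self.paid_out

    def solvent(self) -> bool:
        # Invariant: real holdings cover every positive client balance.
        liabilities = sum(b for b in self.available.values() if b > 0)
        return self.treasury() >= 0 and self.treasury() >= liabilities


def run_attack(credit_on_initiation: bool):
    """Initiate a deposit, withdraw immediately, then let the deposit fail.
    Returns (withdrawal_succeeded, ledger_still_solvent)."""
    ledger = Ledger(credit_on_initiation=credit_on_initiation)
    d = ledger.initiate_deposit("attacker", 1_000_000)
    ok = ledger.withdraw("attacker", 1_000_000)
    ledger.observe_chain(d, confirmations=0, failed=True)  # never completes
    return ok, ledger.solvent()


def run_legit():
    """Honest flow under the hardened design: withdrawal works after settlement."""
    ledger = Ledger(credit_on_initiation=False)
    d = ledger.initiate_deposit("alice", 500_000)
    early = ledger.withdraw("alice", 500_000)  # still pending: must be refused
    ledger.observe_chain(d, confirmations=REQUIRED_CONFIRMATIONS)
    late = ledger.withdraw("alice", 500_000)
    return early, late, ledger.solvent()


if __name__ == "__main__":
    print("vulnerable:", run_attack(True))   # withdrawal succeeds, exchange insolvent
    print("hardened:  ", run_attack(False))  # withdrawal refused, exchange solvent
    print("legit:     ", run_legit())
```

The point of the hardened path is that the `pending` balance can be shown to the user for a responsive UI without ever being an input to `withdraw`; only the settlement watcher moves value into `available`, so an abandoned or reorged deposit cannot be cashed out.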
Money printing spree
According to Percoco, a total of three accounts exploited the bug. One belonged to the security researcher who originally discovered it and generated $4 in cryptocurrency to test it. However, instead of reporting the bug and collecting a bounty from Kraken, the researcher disclosed it to two other people, who, the investigation found, printed millions of dollars in cryptocurrency and withdrew $3 million from Kraken's treasury.
“The initial Bug Bounty report did not fully reveal the details of these transactions, so we contacted the security researchers to confirm some details and to advance the reward for successfully identifying a security flaw on our platform,” Percoco added.
“It’s extortion”
The security researchers refused to return the money they had withdrawn after being contacted by the Kraken team. Instead, they demanded a call with their business development team (their sales representatives) and a speculative sum of money equal to the losses the bug could have caused had they not disclosed it.
Kraken accused the security company of “extortion” and added that it is treating this as a criminal case.
“We will not reveal the name of this investigative company because they do not deserve credit for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly,” Percoco added.