QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$3 000 000 USD
JUNE 2024
UNITED STATES
KRAKEN
DESCRIPTION OF EVENTS

"a flaw deriving from a recent UX change that would promptly credit client accounts before their assets cleared - allowing clients to effectively trade crypto markets in real time. This UX change was not thoroughly tested against this specific attack vector."
"Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal transfer statuses, we conducted a thorough investigation with three key questions:
1/ Can a malicious actor fabricate a deposit transaction to a Kraken account? 2/ Can a malicious actor withdraw fabricated funds? 3/ What risk controls and asset protection might be triggered by a large withdrawal request?
According to our testing results: The Kraken exchange failed all these tests, indicating that Kraken’s defense-in-depth system is compromised on multiple fronts. Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.
Upon discovery, we informed Kraken, whose security team classified it as Critical: the most serious classification level at Kraken."
"After initial successful conversations on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.
In the spirit of transparency and our commitment to the Web3 community, we are going public to protect all users' security. We urge @krakenfx to cease any threats against whitehat hackers."
"Ultimately, the exploitation of a vulnerability in Kraken's systems enabled the withdrawal of over $3 million dollars from Kraken's corporate wallets over a five-day period by abusing the same flaw.
CertiK claims that the transactions were merely testing deposit transactions, with millions being withdrawn from the system for testing purposes.
Certik asserted that millions of dollars of crypto were minted out of air, and no real Kraken user’s assets were directly involved in our research activities.
Notably, they underlined that despite numerous fabricated tokens being generated and exchanged for valid cryptocurrencies over several days, no risk control or prevention measures were enacted until CertiK brought the issue to light.
When Kraken requested that the illegally obtained funds be returned per its bug bounty policy, the researchers refused and instead demanded a speculative ransom payment based on hypothetical maximum losses.
This $3 million exploit formed the basis of Kraken's claim of extortion by bad actors.
However, CertiK alleges this demand was in response to Kraken's own threats after CertiK reported even more severe vulnerabilities.
It is worth noting that, according to Kraken’s Bug Bounty page, the max payout for a Critical severity is capped at $1.5 million."
CertiK identified a critical flaw in Kraken's deposit system: a recent UX change credited client accounts before the deposited assets had cleared, so unsettled funds could be traded in real time. Testing of the flaw led to over $3 million being withdrawn from Kraken's corporate wallets over five days. In that testing, fabricated deposits were credited, millions of dollars' worth were withdrawn and converted into valid cryptocurrencies, and no alerts were triggered; Kraken acknowledged the Critical severity and locked the test accounts days after notification. After the fix, Kraken requested the return of the funds under its bug bounty policy, while CertiK alleges that Kraken's security team threatened individual employees with repayment of a mismatched amount on a short deadline and without providing repayment addresses. CertiK went public in the name of transparency, urging Kraken to halt threats against whitehat hackers. Both Kraken and CertiK state that no user assets were involved.
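The class of flaw described above, crediting a deposit before it has settled and letting that credit be withdrawn, can be shown in a small ledger model. The following Python is an added illustration written for this page; it is not Kraken's or CertiK's code and makes no claim about how Kraken's system is actually built. The deposit statuses, account structure and sample amounts are constructed assumptions. It places the weak balance rule (any non-failed deposit counts) beside the hardened rule (only confirmed deposits count), raises a risk alert when a withdrawal is covered only by unconfirmed credit, and reconciles withdrawals against settled deposits so a shortfall is detectable even after the fact.

```python
"""Deposit-crediting model: pending vs. confirmed status (constructed example)."""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class DepositStatus(Enum):
    PENDING = "pending"      # transfer initiated, not yet settled
    CONFIRMED = "confirmed"  # settled with the required confirmations
    FAILED = "failed"        # reverted or never settled


@dataclass
class Deposit:
    deposit_id: str
    asset: str
    amount: Decimal
    status: DepositStatus


@dataclass
class Account:
    account_id: str
    deposits: list = field(default_factory=list)
    withdrawn: dict = field(default_factory=dict)  # asset -> Decimal withdrawn so far


class InsufficientFunds(Exception):
    pass


def _sum_deposits(acct: Account, asset: str, statuses) -> Decimal:
    return sum((d.amount for d in acct.deposits
                if d.asset == asset and d.status in statuses), Decimal(0))


def weak_balance(acct: Account, asset: str) -> Decimal:
    """Weak rule: every deposit that has not failed is spendable at once,
    so a PENDING deposit is credited before it clears."""
    credited = _sum_deposits(acct, asset, {DepositStatus.PENDING, DepositStatus.CONFIRMED})
    return credited - acct.withdrawn.get(asset, Decimal(0))


def available_balance(acct: Account, asset: str) -> Decimal:
    """Hardened rule: only CONFIRMED deposits count toward the spendable balance."""
    confirmed = _sum_deposits(acct, asset, {DepositStatus.CONFIRMED})
    return confirmed - acct.withdrawn.get(asset, Decimal(0))


def withdraw(acct: Account, asset: str, amount: Decimal, alerts: list,
             balance_fn=available_balance) -> Decimal:
    """Debit `amount` if `balance_fn` permits it. Independently of which rule
    is in force, record a risk alert whenever the withdrawal exceeds what has
    actually settled; that alert is the control the hardened rule never needs."""
    if amount > balance_fn(acct, asset):
        raise InsufficientFunds(f"{acct.account_id}: {amount} {asset} not available")
    if amount > available_balance(acct, asset):
        alerts.append(f"ALERT {acct.account_id}: withdrawal of {amount} {asset} "
                      f"exceeds confirmed deposits")
    acct.withdrawn[asset] = acct.withdrawn.get(asset, Decimal(0)) + amount
    return acct.withdrawn[asset]


def reconcile(acct: Account, asset: str) -> Decimal:
    """Detection after the fact: how much left the account beyond what settled."""
    confirmed = _sum_deposits(acct, asset, {DepositStatus.CONFIRMED})
    return max(Decimal(0), acct.withdrawn.get(asset, Decimal(0)) - confirmed)


def demo() -> dict:
    alerts = []
    # Constructed scenario: a large deposit is announced but never settles.
    acct = Account("acct-001")
    acct.deposits.append(Deposit("dep-1", "USDT", Decimal("1000000"), DepositStatus.PENDING))
    # Weak rule: the unsettled credit is withdrawable, and the alert fires.
    withdraw(acct, "USDT", Decimal("600000"), alerts, balance_fn=weak_balance)
    acct.deposits[0].status = DepositStatus.FAILED
    shortfall = reconcile(acct, "USDT")
    # Hardened rule: the same pending deposit cannot be withdrawn at all.
    acct2 = Account("acct-002", [Deposit("dep-2", "USDT", Decimal("1000000"), DepositStatus.PENDING)])
    try:
        withdraw(acct2, "USDT", Decimal("600000"), alerts)
        blocked = False
    except InsufficientFunds:
        blocked = True
    return {"alerts": len(alerts), "shortfall": shortfall, "hardened_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The point of the two balance functions is that the status distinction, not the amount check, is what protects the exchange: under the weak rule the withdrawal succeeds and only the separate alert and the later reconciliation reveal the shortfall, whereas under the hardened rule the withdrawal never passes the first check.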
SOURCES
Rekt - Certik/Kraken - Rekt (Jun 20)
@c7five Twitter (Jun 20)
Polygon PoS Chain Transaction Hash (Txhash) Details | PolygonScan (Jun 20)
Polygon PoS Chain Transaction Hash (Txhash) Details | PolygonScan (Jun 20)
@CertiK Twitter (Jun 20)
@ImmutableLawyer Twitter (Jun 20)
@CertiK Twitter (Jun 20)
