The Kraken Bug Bounty Saga: A Tale of Integrity and Security

Nick Percoco, Chief Security Officer at Krakenfx, has a storied past as a hacker and founder of SpiderLabs, the elite security team at Trustwave. SpiderLabs focuses on response and investigations, analysis and testing, and research and development. On June 9, 2024, Kraken’s commitment to security was put to the test when they received a bug bounty program alert that could have rocked their platform to its core.

On that fateful day, a security researcher reached out to Kraken, claiming to have found an “extremely critical” bug that allowed them to artificially inflate their balance on the platform. At first glance, this appeared to be another in a long line of fake bug bounty reports that Kraken, like many other organizations, frequently receives. Despite the skepticism, Kraken took the claim seriously and quickly assembled a cross-functional team to investigate the issue.

Within minutes, Kraken’s team identified an isolated bug. Under certain circumstances, this bug allowed a malicious attacker to initiate a deposit and receive funds in their account without fully completing the deposit process. Although no client assets were ever at risk, this vulnerability could have enabled an attacker to print assets in their Kraken account temporarily.

Recognizing the severity of the situation, Kraken’s team triaged the vulnerability as critical. Remarkably, within just 47 minutes, their experts had mitigated the issue. A few hours later, the bug was completely fixed, ensuring it could not reoccur.

The flaw stemmed from a recent UX change designed to credit client accounts promptly before their assets cleared, allowing clients to trade crypto markets in real time. Unfortunately, this change had not been thoroughly tested against this specific attack vector, leading to the vulnerability.
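
An added sketch of the invariant this flaw violated, not Kraken's code: funds credited before a deposit clears may count toward trading but must never be withdrawable, and a deposit that fails must reverse the credit. The `Ledger` class, its method names and the two-balance design are assumptions for illustration; the page does not describe Kraken's actual implementation or fix.

```python
from dataclasses import dataclass, field
from decimal import Decimal

class LedgerError(Exception):
    pass

@dataclass
class Account:
    settled: Decimal = Decimal("0")      # cleared funds: the only withdrawable balance
    provisional: Decimal = Decimal("0")  # credited early for trading, not yet cleared

@dataclass
class Ledger:  # hypothetical model, not the exchange's real funding system
    accounts: dict = field(default_factory=dict)
    deposits: dict = field(default_factory=dict)  # dep_id -> [user, amount, state]

    def initiate_deposit(self, dep_id, user, amount):
        amount = Decimal(amount)
        if amount <= 0 or dep_id in self.deposits:
            raise LedgerError("invalid or duplicate deposit")
        self.deposits[dep_id] = [user, amount, "pending"]
        # Early credit goes to the provisional bucket only.
        self.accounts.setdefault(user, Account()).provisional += amount

    def resolve_deposit(self, dep_id, cleared):
        user, amount, state = self.deposits[dep_id]
        if state != "pending":
            raise LedgerError("deposit already resolved")  # no double settlement
        acct = self.accounts[user]
        acct.provisional -= amount       # the early credit is always unwound
        if cleared:
            acct.settled += amount       # becomes real only once it clears
        self.deposits[dep_id][2] = "cleared" if cleared else "failed"

    def tradeable(self, user):
        acct = self.accounts[user]
        return acct.settled + acct.provisional

    def withdraw(self, user, amount):
        amount = Decimal(amount)
        acct = self.accounts[user]
        # Withdrawals are checked against settled funds, never provisional credit.
        if amount <= 0 or amount > acct.settled:
            raise LedgerError("exceeds settled balance")
        acct.settled -= amount
```
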

Exposing the Exploit

After patching the risk, Kraken’s team conducted a thorough investigation and discovered that three accounts had leveraged the flaw within a few days of each other. One of these accounts was KYC’d to an individual who claimed to be a security researcher. This person had discovered the bug in Kraken’s funding system and used it to credit their account with $4 in crypto. This amount was sufficient to prove the flaw, file a bug bounty report, and collect a sizable reward.

However, instead of following ethical protocols, the researcher disclosed the bug to two associates who fraudulently generated much larger sums. Ultimately, they withdrew nearly $3 million from Kraken’s treasuries—not other client assets. The initial bug bounty report did not fully disclose these transactions, prompting Kraken to contact the researchers for more information to reward them properly.

Kraken requested a full account of the researchers’ activities, a proof of concept used to create the on-chain activity, and the return of the withdrawn funds. This is standard practice for any bug bounty program. However, the researchers refused to comply. Instead, they demanded a call with their business development team and insisted on a speculative payout based on potential damages had they not disclosed the bug. Kraken viewed this as extortion, not white-hat hacking.

Transparency and Accountability

Kraken has run a bug bounty program for nearly ten years, staffed by some of the brightest minds in the security community. The program’s rules are clear:

  1. Do not exploit more than necessary to prove the vulnerability.
  2. Provide a proof of concept.
  3. Return any extracted assets immediately.

Despite these guidelines, the researchers’ actions were unethical and criminal. In the spirit of transparency, Kraken disclosed this bug to the industry, countering accusations of being unreasonable and unprofessional for requesting the return of stolen funds. As Percoco stated, “Ignoring the rules and extorting the company revokes your ‘license to hack.’ It makes you, and your company, criminals.”


Moving Forward

Kraken has chosen not to disclose the identity of the research company involved, as they do not deserve recognition for their actions. Kraken is treating this as a criminal case and coordinating with law enforcement agencies accordingly. While grateful for the bug’s initial report, Kraken draws the line there.

Kraken’s bug bounty program remains a vital shield in their mission to enhance the overall security of the crypto ecosystem. They look forward to continuing their work with good faith actors and view this incident as an isolated experience.

In the world of cybersecurity, integrity and adherence to ethical standards are paramount. Kraken’s response to this incident underscores their commitment to maintaining a secure and trustworthy platform for all their users.
