Inside Kraken’s 47-minute scramble to patch a $3m bug — and fend off an unexpected hacker
When Nick Percoco, Kraken’s chief security officer, learned the exchange had been hacked for $3 million last month, he was flying at 40,000 feet on his way to a well-earned holiday.
But instead of unwinding in Japan, Percoco had to jump into the breach and help manage one of the worst security crises to strike the world’s seventh-biggest crypto exchange.
”I just happened to get Wi-Fi access on the flight,” Percoco told DL News. “I was doing some last-minute communication with people at work, reading news, on Twitter. And saw that, and then directed them to the bug bounty.”
On June 19, Kraken revealed that an independent security researcher reported a critical vulnerability to the exchange’s bug bounty program.
These programs offer attackers money in return for identifying vulnerabilities in projects.
This particular weakness allowed the researcher to credit their Kraken accounts with money at will. The sleuth worked for CertiK, the security and crypto auditing firm, which said it identified this vulnerability.
Over the course of five days, CertiK withdrew $3 million in cryptocurrencies from the exchange, Percoco said.
This is highly unusual. Security firms are not supposed to exploit a vulnerability for so long and for so much money, Percoco said.
The funds were eventually returned, and the bug was fixed in 47 minutes. Still, it was a startling episode, even by crypto standards.
It was a massive breach of one of the most established exchanges in the industry. Founded in 2011, Kraken’s rise has been synonymous with the institutionalisation of Bitcoin.
In January, 11 different spot Bitcoin ETFs were approved. Months later, Kraken is raising funds ahead of a possible initial public offering.
The exploit was also bizarre. CertiK, a business built on securing code for crypto, appeared to break almost every industry standard regarding bug bounties. They even attempted to set up a sales call with Kraken’s security team throughout the debacle.
CertiK did not immediately respond to DL News’ request for comment.
In a tweet, Percoco said CertiK was extorting the exchange rather than white-hat hacking.
Ground rules
Bug bounty programs are common in the crypto and tech industries.
Any crypto project worth its code sets aside cash for several audits of its smart contracts and another amount to reward crafty — but ethical — hackers who identify a bug.
Last month, one researcher earned $2 million for identifying a bug on the layer 1 network Sei. Kraken pays up to $1.5 million for critical bugs like the one that happened recently.
Percoco, a security researcher since the late ‘90s, says Kraken’s program has existed for a decade. Its inbox gets filled with fake exploits from people looking for a quick payout.
He even thought CertiK’s report was fake.
“The reach-out was ‘you need to contact us as soon as possible,’ and there was no contact information. I couldn’t even direct message,” he said. “It was a little bit questionable whether this was someone just trying to scam us.”
Red flags
Still, the five-person team that monitors that inbox day and night must comb through every report. With Kraken generating more than $1 billion in daily trading volume, there’s a lot at stake.
The lack of contact information wasn’t the only red flag, said Percoco.
Bounty collectors need to follow four rules for reporting bugs. First, they must report the bug to the company as soon as they identify it.
Second, bounty collectors must prove that they can exploit the bug. Third, when providing proof, they must only take enough money to prove the vulnerability.
And finally, they have to engage the company to retest the exploit and see if the company managed to fix it.
CertiK took a different approach, breaking all four rules, according to Percoco.
Crypto growing pains
With BlackRock and Fidelity pouring into the space, security and bug bounties are in the spotlight. But unlike other industries, where best practices last years, in crypto they may only last a few days.
Firms are still pouring money into bug bounty programs despite the latest incident.
According to bug bounty platform HackerOne, crypto exchange Crypto.com offers $80,000 for a critical bug. Custody service Fireblocks gives a whopping $250,000 bounty for similar vulnerabilities.
Even publicly listed Coinbase will pay $1 million, if you can crack into the exchange.
Bug bounties are expensive and sometimes clunky safety nets, but with $664 million already stolen this year, they’re still clearly necessary.
Liam Kelly is a DeFi correspondent at DL News. Reach out at [email protected].
