“It’s so stupid” – DL News
- Kraken CSO accused CertiK of extortion.
- CertiK said Kraken threatened its employees.
- Security researchers question CertiK’s actions.
When crypto auditor CertiK announced on Wednesday that its employees had discovered and exploited a $3 million bug in US crypto exchange Kraken, eyebrows were raised.
When CertiK later said it had returned the funds to the US exchange in a so-called white hat transaction, the company was hit by Kraken’s dissent.
“It’s not hacking, it’s extortion!” Nick Percoco, head of security at Kraken, said in a statement on Wednesday.
Percoco said those who found the bug said they would not return any funds until Kraken reveals the extent of the damage it may have caused.
CertiK was quick to respond to Kraken’s statements. “They publicly accused us of theft and even directly threatened our employees, which is completely unacceptable.”
The unusual duration of CertiK’s exploit, and the colossal $3 million it withdrew, prompted a series of questions. Usually, white-hat testing of cyber defenses takes only a minimal amount of money, just enough to demonstrate the vulnerability.
“That’s an incredible amount of money to take for the sake of a white-hat exploit,” Michael Lewellen, head of solutions at rival auditing firm OpenZeppelin, told DL News.
Lewellen said security researchers have been fired for this type of behavior.
“If a security researcher from another reputable auditing firm committed this kind of exploit, they would be immediately fired and disavowed,” he said.
“You never steal funds from a client unless there is immediate danger and you don’t have time to alert a team and even then you are taking a significant risk that many audit firms prefer not to take for these reasons.”
“As soon as you discover something is wrong, you need to ensure user safety.”
— Pascal Caversaccio, security researcher
Pascal Caversaccio, an independent security researcher, said it was strange that CertiK’s testing of the Kraken system took several days; it should have been resolved within minutes.
“As soon as you find out something is wrong, you have to take care of user safety,” he told DL News. “It’s so stupid. Not only from a security perspective, but also from a business perspective.”
There are other anomalies.
Onchain records show that an address linked to CertiK sent funds to Tornado Cash, a DeFi protocol that has been sanctioned by the US Treasury Department’s Office of Foreign Assets Control, or OFAC.
Tornado Cash Angle
Although CertiK returned assets to Kraken, sending any of them via Tornado Cash could violate US sanctions. According to the OFAC website, penalties can exceed several million dollars.
Lewellen said it was strange to use Tornado Cash in a white-hat hack.
“I have never heard of a Whitehat using Tornado Cash, especially given the risk of sanctions,” he said. “Typically, you don’t use Tornado Cash after sanctions unless you are already committing a crime and the risk of violating sanctions is offset.”
Other parts of the funds withdrawn by CertiK from Kraken were sent to ChangeNOW, a crypto exchange that does not require KYC verification. CertiK also exchanged the USDT stablecoins it withdrew from Kraken for ETH.
“If you’re a white hat, you don’t do this,” crypto security expert Taylor Monahan said on X.
CertiK did not immediately respond to a request for comment and has not publicly addressed these transactions.
Tim Craig is a DeFi correspondent at DL News. Have a tip? Email him at tim@dlnews.com.