- Kraken says it patched a bug that would have allowed exploiters to inflate account balances
- Bug discovered by a security researcher, whose connected accounts reportedly siphoned $3 million from Kraken treasury by exploiting the vulnerability.
Kraken has announced that its security team has patched a bug that would have allowed certain users to potentially inflate their account balances on the exchange.
The announcement follows Kraken’s revelation that a security researcher had identified the vulnerability as part of the exchange’s bug bounty program.
“On June 9, 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an ‘extremely critical’ bug that allowed them to artificially inflate their balance on our platform,” Kraken chief security officer Nick Percoco posted on X.
$3 million stolen, not user funds
Specifically, the flaw would have allowed certain users, albeit for a short period of time, to “artificially increase the value of their Kraken account balance without fully completing a deposit,” the exchange said in a blog post.
Kraken has since patched this bug in its deposit and funding system and noted that it did not impact any customer funds.
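The post gives no detail of the actual defect beyond a balance being credited before a deposit had fully completed. As an added illustration that is not code from the page, from Kraken or from the researcher, the hypothetical Python ledger below models that general class of bug: a weak ledger that credits spendable balance when a deposit is merely initiated, beside a hardened ledger that keeps pending and available balances apart and credits only on a matched, one-time confirmation. All class names, deposit ids and amounts are constructed for the example.

```python
"""Hypothetical deposit-crediting ledger (added illustration, not Kraken's code).

Models the generic weakness behind "balance increased without fully completing
a deposit": crediting on initiation instead of on settlement. Amounts are
integers in the smallest unit to avoid float rounding. All names constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"
    CONFIRMED = "confirmed"
    FAILED = "failed"


@dataclass
class Deposit:
    deposit_id: str
    amount: int
    state: DepositState = DepositState.PENDING


@dataclass
class WeakLedger:
    """Credits available balance as soon as a deposit is announced."""
    available: int = 0
    deposits: dict = field(default_factory=dict)

    def initiate_deposit(self, deposit_id: str, amount: int) -> None:
        self.deposits[deposit_id] = Deposit(deposit_id, amount)
        self.available += amount  # defect: spendable before anything settled

    def withdraw(self, amount: int) -> bool:
        if amount <= 0 or amount > self.available:
            return False
        self.available -= amount
        return True


@dataclass
class HardenedLedger:
    """Keeps pending separate from available; credits only on confirmation."""
    available: int = 0
    deposits: dict = field(default_factory=dict)

    def initiate_deposit(self, deposit_id: str, amount: int) -> None:
        if amount <= 0:
            raise ValueError("deposit amount must be positive")
        if deposit_id in self.deposits:
            raise ValueError("duplicate deposit id")
        self.deposits[deposit_id] = Deposit(deposit_id, amount)  # pending only

    def pending_total(self) -> int:
        return sum(d.amount for d in self.deposits.values()
                   if d.state is DepositState.PENDING)

    def confirm_deposit(self, deposit_id: str, settled_amount: int) -> None:
        d = self.deposits[deposit_id]
        if d.state is not DepositState.PENDING:
            return  # idempotent: a replayed confirmation never credits twice
        if settled_amount != d.amount:
            d.state = DepositState.FAILED  # amount mismatch: no credit, flag for review
            return
        d.state = DepositState.CONFIRMED
        self.available += settled_amount  # the only place balance is credited

    def withdraw(self, amount: int) -> bool:
        if amount <= 0 or amount > self.available:
            return False
        self.available -= amount
        return True


def demo() -> dict:
    """Runs both ledgers through the same sequence and reports the outcomes."""
    weak = WeakLedger()
    weak.initiate_deposit("dep-1", 1_000)
    weak_unsettled = weak.withdraw(1_000)  # succeeds although nothing settled

    hard = HardenedLedger()
    hard.initiate_deposit("dep-1", 1_000)
    hard_unsettled = hard.withdraw(1_000)  # refused: balance still pending
    hard.confirm_deposit("dep-1", 1_000)
    hard.confirm_deposit("dep-1", 1_000)  # replay is ignored
    hard_settled = hard.withdraw(1_000)
    return {
        "weak_withdrew_unsettled": weak_unsettled,
        "hardened_withdrew_unsettled": hard_unsettled,
        "hardened_withdrew_settled": hard_settled,
        "hardened_available_final": hard.available,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the deposit and funding path has two distinct events, initiation and settlement, and only the second may move funds into the spendable balance; the confirmation handler is also idempotent and refuses an amount mismatch, so a replayed or malformed settlement message cannot credit more than was actually received.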
However, while the exchange has fixed the isolated bug, the report came after two users had already exploited the vulnerability to withdraw $3 million from their accounts. These accounts are reportedly related to the same security researcher who identified the bug and informed Kraken.
Allegedly, the unnamed individual informed Kraken of the bug after the $3 million withdrawal.
According to Percoco, despite the huge withdrawal, the security researcher has demanded their bounty reward.
“We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends,” Percoco added.