Kraken fixes “isolated bug,” claims no user funds taken

Kraken claims that it rectified a flaw that would have enabled exploiters to exaggerate account balances.

Kraken has disclosed that its security team has resolved an issue that could have enabled specific users to artificially inflate their account balances on the exchange.

Kraken disclosed that a security researcher had discovered the vulnerability as part of the exchange’s bug bounty program. The announcement follows:

“A security researcher alerted us to the Bug Bounty program on June 9, 2024,” Kraken chief security officer Nick Percoco said. “No specifics were initially disclosed, but their email purported to have discovered an ‘extremely critical’ flaw that enabled them to artificially inflate their balance on our platform.”

The exchange stated in a blog post that the vulnerability would have enabled specific users to “artificially increase the value of their Kraken account balance without completely concluding a deposit,” albeit for a brief period.

Kraken has since rectified this defect in its deposit and funding system and has confirmed that it did not affect any customer funds.

Although the exchange has resolved the isolated flaw, the report was issued after two users had already exploited the vulnerability to withdraw $3 million from their accounts. The security researcher who identified the flaw and informed Kraken is reportedly associated with these accounts.

After the $3 million withdrawal, the unnamed individual allegedly notified Kraken of the flaw. According to Percoco, the security researcher has demanded their bounty reward despite the substantial withdrawal.

“We will not reveal this research firm, as we do not think they are deserving of any praise for what they have done. We are conducting this investigation as a criminal matter and are collaborating with law enforcement agencies in accordance with that classification. Although we are grateful for the report on this issue, that is the extent of our concern,” Percoco concluded.
