CertiK and Kraken’s $3 Million Rashomon: “Hacker” or a Hidden Story?

Author: Climber, Bitchain Vision Realm

On June 19, Nick Percoco, Chief Security Officer of Kraken, said that employees of a security company had used a platform vulnerability to withdraw more than $3 million in digital assets, and that this was a criminal case of extortion.

The accusation pointed directly at the blockchain security firm CertiK. The firm replied that its actions were white hat hacking, intended to help the crypto trading platform Kraken discover system vulnerabilities and prevent greater losses. The crypto assets generated by the transactions needed for the test have also been returned, but the total differs from the amount Kraken stated.

On the dispute between the two parties, one view is that CertiK may have been stealing from what it was supposed to guard, while others think it would make no sense for CertiK to do so. The line between black hat and white hat can be a single thought, and the crux of the matter may be the size of the bounty.

Each side sticks to its own account

The incident began when a security researcher reported to Kraken on June 9 that a security vulnerability allowed real assets to be withdrawn by falsifying deposits. Kraken subsequently located and fixed the vulnerability, and noticed that the related account addresses had used it to withdraw a large amount of assets.

So on June 19, Kraken Chief Security Officer Nick Percoco said that two accounts related to the security researcher had used the vulnerability to withdraw digital assets worth more than $3 million. Kraken asked to speak with the company the researcher worked for, but the other party did not agree to return any funds.

In view of this, Kraken considers the behavior to be no longer white hat hacking, but extortion.

In response to Kraken’s remarks and community opinion, CertiK made repeated statements maintaining its innocence, and published a post explaining the ins and outs of the incident.

CertiK said that Kraken had a series of serious vulnerabilities that could lead to hundreds of millions of dollars in losses. According to CertiK, Kraken’s deposit system could not effectively distinguish between different internal transfer statuses, creating a risk that malicious actors could falsify deposit transactions and withdraw the fake funds.

During the test, millions of dollars in fake funds could be deposited into a Kraken account, and more than $1 million of forged cryptocurrency could be converted into valid assets, without the Kraken system triggering any alarm. After CertiK notified Kraken, Kraken classified the vulnerability as “Critical” and made a preliminary fix for the problem.

However, CertiK said that the Kraken security team subsequently threatened CertiK employees, demanding repayment of a mismatched amount of cryptocurrency within an unreasonable time and without providing a repayment address. To protect the security of users, CertiK decided to disclose the matter, calling on Kraken to stop any threats against white hat hackers and stressing that risks should be dealt with through cooperation.

In addition, CertiK stated that it had returned all the funds it held, but that the total was inconsistent with Kraken’s request. The returned amount includes 734.19215 ETH, 29,001 USDT, and 1021.1 XMR, while the amounts Kraken requested to be returned were 155818.4468 MATIC, 907400.1803 USDT, 475.5557871 ETH, and 1089.794737 XMR.

In its latest public reply, CertiK answered 10 core questions about the incident, noting in particular that it did not participate in Kraken’s bounty program and that all of the test deposit addresses had been public from the beginning.

Community opinion is divided

CertiK laid out a complete timeline of the incident, but many community members, including security researcher @tayvano, raised questions.

According to CertiK, its testing and notification of Kraken began on June 5. However, by tracing on-chain transfer addresses, @tayvano found not only that these addresses had moved funds on a large scale through other trading platforms, but also that the testing of Kraken had gone on for longer than that.

Cyversalerts provided @tayvano with three addresses related to the event:

0x3C6A231B1FFFE2AC29AD9C7E392C830295A97bb3 0xdc6AF6FD88075D55FF3C4F2984630C0EA776BC 0x03d23CB3C1F27861FFFFA56D3A56D3A56D3A5 99

The above are clearly records of large on-chain withdrawals. @tayvano also pointed out that after these addresses withdrew a large amount of funds, they made swaps of the maximum value many times through instant cryptocurrency exchange platforms.

@tayvano said she often sees this pattern and uses it as a way to distinguish victim addresses from hacker addresses when untangling chaotic key leaks.

@tayvano also found that 0x3C6A231B1FFE2AC29AD9C7E392C830295A97BB3 transferred 154,000 MATIC to ChangeNOW.

Coinbase insider @JCONORGROGAN said that an address belonging to the relevant personnel transferred 1200 MATIC to Tornado Cash, with the intent of moving the funds through the mixer.

In addition, by comparing the deposit addresses of CertiK security personnel, @tayvano also found that the testing had been carried out by CertiK as early as June 5. She said that, going back to CertiK’s timeline, the so-called “first round” and “second round” of withdrawals were not actually the first and second rounds, but more like the seventh.

In this regard, Meir Dolev, chief technology officer of the security company Cyvers, also questioned CertiK’s account of discovering the Kraken vulnerability, and said that CertiK was suspected of having run the same test on OKX and Coinbase.

Meir Dolev quoted content shared by @tayvano, namely that the address 0x1d … 7AC9 created the contract 0x45 … CEA9 on May 24 and carried out related activities. Signature hash.

This contract (0x45 … CEA9) on Base is suspected of also running the same tests against OKX and Coinbase, to determine whether the two exchanges had the same vulnerability as Kraken.

Another community member, @0xboboshanti, also said that an address previously posted on Twitter by a CertiK security researcher had been conducting tests as early as May 27. This contradicts CertiK’s timeline of the incident. CertiK’s Tornado transactions funded a wallet that recently interacted with the same contract.

Taylor Monahan, CEO and founder of the Ethereum wallet manager MyCrypto, also analyzed how the event might play out, saying that CertiK should be worried about Kraken’s lawyers, the damage to its reputation, and how this storm may affect CertiK’s internal culture.

She also pointed out that because several crypto projects audited by CertiK have been attacked in the past, speculation about the possibility of an inside job has been circulating online.

However, some well-known KOLs in the industry put forward different views, arguing that CertiK is not necessarily a real hacker, and offered their own speculation about the incident. Crypto researcher @Boxmrchen said that, as he understands it, CertiK is not necessarily a hacker but may have wanted a larger bounty. He also hopes to learn how much white hat bounty Kraken was willing to pay CertiK, to see whether CertiK was greedy and cunning or Kraken was stingy.

CryptoInsight researcher Haotian said that CertiK did find the vulnerability and report it to Kraken, indicating that its original intent was not “hacker” behavior. The two sides probably did not come to terms on the vulnerability bounty and on cooperating to fix the vulnerability.

Summary

In the “dark forest” of the crypto market, the endless stream of hacking incidents is no surprise, but acting under the “white hat” banner undoubtedly invites criticism. Although CertiK has tried its best to present its conduct as “righteous” help for the project, it really does need to give a reasonable explanation for the questions raised by the community members above.

However, as CertiK said, Kraken’s defense-in-depth system failed to detect so many test transactions, which could indeed lead to greater losses. The two sides should work together to face risks and safeguard the future of Web3.
