White hat hacking, or ethical hacking, is a crucial component of cybersecurity. It’s hacking that allows “good guys” to dissect applications, report security vulnerabilities to vendors, and use the information to improve the ecosystem's security posture. 

This is not a unique concept in blockchain. it exists in places including the cloud, artificial intelligence, operating system security and more. However, in all cases, vendors and security researchers have created a delicate but powerful relationship based on the balancing act of trust.

In the blockchain space, auditors such as Trail of Bits, Halborn, and Open Zeppelin have been analyzing and repairing various smart contracts for years and have operated with utmost professionalism, building a strong sense of trust.

CertiK and Kraken’s dispute

On May 17, researchers from CertiK discovered a vulnerability in Kraken’s Digital Asset Exchange balance calculation and deposit mechanism. The Kraken Security Team rightly defined this as a critical issue and reported it resolved within 47 minutes.

While seemingly innocent at first, this type of vulnerability allows attackers to “double spend,” meaning they have the ability to fake a deposit into the exchange. Once their balance on the exchange mistakenly updates, they then turn around and withdraw the same amount. This act removes money from the exchange’s main treasury wallet (which is what the majority of centralized exchanges use to manage custodial funds, similar to banks).

CertiK also published the list of fake deposit transactions, exploiting the vulnerability at least 20 times over five days, while claiming they were only testing Kraken’s detection mechanisms.

After having a working proof-of-concept, CertiK researchers should have reported the issue immediately to Kraken and halted any further exploitation of the vulnerability. Nonetheless, since the incident, all funds taken during this so-called "testing" have been returned to Kraken, aside from a small amount that was lost in fees.

A framework for ethical hackin

White hat hacking is delicate.

The goal is to enhance application security, ensuring trust and transparency without jeopardizing the vendor’s business.

However, the underlying truth is that white hat hackers are oftentimes PR-driven and, with the wrong motives, will aim for the boldest headline. For example, “CertiK managed to take $3 million from Kraken without anyone noticing” is a much more intriguing headline than “Researchers found a critical bug in Kraken and saved millions of dollars.”

This is where tension becomes high. Ethical researchers are expected to report their findings as soon as possible and have the leanest proof-of-concept so that the vendor’s business is not disrupted. The only exception is when the vendor invites penetration testing from the researchers, in which case they would have agreed on the scope of the testing and code of conduct.

Unfortunately, this was not the case here as the “unsolicited” penetration testing continued for four days after CertiK made a successful proof-of-concept. CertiK should have returned the funds before or at the time of the initial reporting. Such a large amount of funds should never have been taken from Kraken’s treasury or any other exchange.

Where trust finds a place

As an industry, we should stick together and look out for one another, no matter the attention that a damaging headline would bring to a competing business.

Our industry is faced with a high number of bad hackers to fight. Fortunately, even after disappointing developments like this, we are continuing to improve security products and practices, while innovation is steadily moving forward. Industry-side collaboration, where intimate and valuable information is shared between competitors is crucial because, in the end, security is a team sport.

We can only move forward as an industry if there is trust between all the “good guys.” In fact, it shouldn’t be "us" versus "them" — we are all working towards a common good and we have to keep that in mind first and foremost.

Shahar Madar is the vice president of security and trust Products at Fireblocks. He specializes in building security, identity, compliance, and governance solutions for the needs of large enterprises and prominent brands. He’s also the vice chairman of Crypto ISAC, the not-for-profit association of organizations dedicated to advancing security initiatives across the crypto ecosystem.