Blockchain security firm CertiK said it found the vulnerability in Kraken’s deposit system and was transferring funds back to the exchange amid a bug bounty dispute.
Kraken’s Chief Security Officer Nick Percoco disclosed earlier Wednesday that nearly $3 million was taken from its wallets following the bug that let anyone initiate a deposit to the platform and receive the funds without completing it. The vulnerability has since been fixed.
Percoco alleged that three individuals connected to an unnamed research company were behind the withdrawals and had refused to return any funds until Kraken disclosed the potential size of the exploit if they had not reported the bug.
CertiK said the vulnerability meant that millions of dollars could be deposited to any Kraken account, and a “huge amount of fabricated crypto (worth more than 1M+ USD) could be withdrawn from the account and converted into valid cryptos.”
The blockchain security firm claimed no alerts were triggered during its multi-day testing period and that Kraken only responded and locked its test accounts days after its disclosure.
CertiK makes its own allegations
After some initially successful discussions with the crypto exchange on fixing the vulnerability, CertiK alleged Kraken’s security team had “threatened” individual employees to repay a “mismatched” amount of crypto in an “unreasonable” time frame of six hours without providing a repayment address.
The security firm provided a timeline of its own version of events, disclosing its testing deposit transactions — all made using Polygon's MATIC token.
“Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access,” CertiK said.
Kraken did not immediately respond to a request for comment.