Kraken Researchers Report Bug That Does Fed-Like Money Printing

Key Takeaways:

  • Critical bug enabled users to create artificial funds.
  • Bug originated from new platform feature in January, unnoticed for months.
  • Researchers exploited the bug, withdrawing almost $3 million before reporting.

LUCKNOW (CoinChapter.com) — Crypto exchange Kraken recently patched a critical bug that enabled some users to generate artificial funds within their accounts over several months. Its security team discovered the bug on June 9 after receiving a bug bounty report, noting that it allowed users to initiate deposits and have the funds credited before the transaction had actually completed.

Kraken security update (Source: X)

According to Kraken’s Chief Security Officer Nick Percoco, the vulnerability allowed “a malicious attacker to effectively print assets in their account for a period of time.” No nefarious actors appeared to exploit the bug. However, a few security researchers did take advantage after one of them initially reported the issue through a bug bounty program.

Kraken Bug Allowed Unlimited Money Printing

The now-patched bug originated in January when a new feature went live on Kraken’s platform. As Kraken’s communications lead Alexander Cassells explained, “The feature in question became present on the platform in January.”

It enabled a troubling scenario in which users could start a deposit to Kraken and have the funds credited to their account before the transaction had finalized. In that window, users could artificially inflate their balance by canceling the pending deposit after the funds had already been credited, since the cancellation did not reverse the credit.
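As an added illustration (not Kraken’s code; the article gives no implementation details), here is a minimal deposit ledger that contrasts the flawed ordering described above, credit on initiation, with the corrected ordering, credit only on settlement, and includes the reconciliation check that would flag any balance not backed by a finalized deposit. Amounts, deposit ids and the `Account` model are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class State(Enum):
    PENDING = auto()
    FINALIZED = auto()
    CANCELED = auto()

@dataclass
class Account:
    # True reproduces the flawed ordering the article describes; False is the fix.
    credit_before_finalization: bool
    available: int = 0                              # spendable balance, smallest unit
    deposits: dict = field(default_factory=dict)    # deposit id -> [amount, State]

    def initiate(self, dep_id: str, amount: int) -> None:
        self.deposits[dep_id] = [amount, State.PENDING]
        if self.credit_before_finalization:
            self.available += amount                # credited while still pending (bug)

    def finalize(self, dep_id: str) -> None:
        dep = self.deposits[dep_id]
        if dep[1] is not State.PENDING:
            raise ValueError("only pending deposits can finalize")
        dep[1] = State.FINALIZED
        if not self.credit_before_finalization:
            self.available += dep[0]                # credit only on confirmed settlement

    def cancel(self, dep_id: str) -> None:
        dep = self.deposits[dep_id]
        if dep[1] is not State.PENDING:
            raise ValueError("only pending deposits can be canceled")
        dep[1] = State.CANCELED
        # Flawed path never reverses its early credit, so the balance stays inflated.

    def unbacked(self) -> int:
        # Reconciliation: spendable balance minus settled deposits; > 0 means unbacked funds.
        settled = sum(a for a, s in self.deposits.values() if s is State.FINALIZED)
        return self.available - settled

def run_scenario(credit_early: bool) -> tuple[int, int]:
    """Initiate, then cancel, a 100_000-unit deposit; return (available, unbacked)."""
    acct = Account(credit_before_finalization=credit_early)
    acct.initiate("d1", 100_000)
    acct.cancel("d1")
    return acct.available, acct.unbacked()

if __name__ == "__main__":
    print("flawed ordering:", run_scenario(True))   # (100000, 100000)
    print("fixed ordering: ", run_scenario(False))  # (0, 0)
```

The reconciliation check is the operational safeguard: run periodically against real ledgers, a positive `unbacked()` value is exactly the signal that would have surfaced this class of defect before a bounty report did.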

This isn’t the first time a crypto exchange has fallen victim to such an exploit. In 2020, a software glitch at Canadian crypto exchange CoinBerry enabled over 500 users to steal $3 million in Bitcoin by abusing instant e-transfers before canceling the deposits.

Three Researchers Printed $3 Million Before Patching

In Kraken’s case, the vulnerability went unnoticed for months. However, a security researcher submitted a bug bounty report on June 9 detailing “an extremely critical bug.” Kraken’s team rapidly patched the issue within hours after investigating.

The researcher who reported it, along with two others, had already withdrawn almost $3 million fraudulently from Kraken’s treasury. The first researcher credited only $4 to test the vulnerability, but the other two drained far more significant sums.

Kraken is now treating this as a criminal matter and cooperating with law enforcement agencies. The two researchers are refusing to return the exploited funds until it is determined how much Kraken could have lost had they not helped identify the bug.

While certainly a concerning lapse, Kraken reacted swiftly to resolve the issue once notified through its bug bounty program. The exchange is already facing scrutiny from the U.S. Securities and Exchange Commission over alleged securities law violations.
