Kraken Accuses Blockchain Security Outfit CertiK of Extortion (theregister.com)

Kraken, one of the largest cryptocurrency exchanges in the world, has accused a trio of security researchers of discovering a critical bug, exploiting it to steal millions in digital cash, then using the stolen funds to extort the exchange for more. The Register: The exchange wrote about the issue yesterday, saying the exploit allowed some users "to artificially increase the value of their Kraken account balance without fully completing a deposit." Kraken chief security officer Nicholas Percoco said on X that the researchers didn't provide any details in their bug bounty report, but that his team discovered the bug within an hour. According to Percoco, the issue derived from a recent UX change that credited client accounts before assets had actually cleared, to create a sense of real-time cryptocurrency trades. "This UX change was not thoroughly tested against this specific attack vector," Percoco admitted on X.

Simply reporting the bug would have been enough for a sizable bounty, Percoco added. The researcher who disclosed the vulnerability, whom Kraken didn't name "because they didn't comply with any [bug bounty] industry expectations," didn't stop there, however. According to Percoco, the analyst behind the find shared it with a couple of coworkers, who then exploited the vulnerability to withdraw nearly $3 million from the platform. Kraken noted that the funds stolen in this way were from the Kraken treasury and weren't client assets.
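Kraken has not published the details of the flaw, so the following is an added illustration of the bug class the summary describes, not Kraken's code: a ledger that credits a spendable balance when a deposit is first seen, instead of when it reaches finality. The class names, the "pending/confirmed/cancelled" states, the constructed transaction IDs and the six-confirmation threshold are all assumptions for the example; the point is the separation of a visible pending balance from a withdrawable one, and the one-time, idempotent promotion between them.

```python
"""
Added example (not Kraken's code): a toy exchange ledger showing a
credit-before-clearing bug beside a hardened version. All names, amounts,
txids and the confirmation threshold are constructed for illustration.
"""
from dataclasses import dataclass, field

CONFIRMATIONS_REQUIRED = 6  # assumed per-asset finality threshold


@dataclass
class Deposit:
    txid: str
    amount: int                 # integer smallest units; never float for money
    state: str = "pending"      # pending -> confirmed | cancelled


@dataclass
class Account:
    available: int = 0          # withdrawable now
    pending: int = 0            # visible to the user, not yet spendable
    deposits: dict = field(default_factory=dict)


class VulnerableLedger:
    """Credits the spendable balance as soon as a deposit is *seen* (the UX shortcut)."""
    def __init__(self):
        self.acct = Account()

    def notice_deposit(self, d: Deposit):
        self.acct.deposits[d.txid] = d
        self.acct.available += d.amount          # BUG: spendable before it cleared

    def withdraw(self, amount: int) -> bool:
        if amount <= 0 or amount > self.acct.available:
            return False
        self.acct.available -= amount
        return True

    def cancel_deposit(self, txid: str):
        # The deposit never confirms (dropped or replaced). The credit is
        # reversed, but anything already withdrawn is the exchange's loss.
        d = self.acct.deposits[txid]
        if d.state == "pending":
            d.state = "cancelled"
            self.acct.available -= d.amount      # balance can go negative here


class HardenedLedger:
    """Shows pending funds, but only moves them to 'available' on finality."""
    def __init__(self):
        self.acct = Account()

    def notice_deposit(self, d: Deposit):
        if d.txid in self.acct.deposits:
            return                               # idempotent: replayed notices are ignored
        self.acct.deposits[d.txid] = d
        self.acct.pending += d.amount

    def confirm(self, txid: str, confirmations: int):
        d = self.acct.deposits[txid]
        if d.state != "pending" or confirmations < CONFIRMATIONS_REQUIRED:
            return                               # too early, or already handled
        d.state = "confirmed"                    # promotion happens exactly once
        self.acct.pending -= d.amount
        self.acct.available += d.amount

    def cancel_deposit(self, txid: str):
        d = self.acct.deposits[txid]
        if d.state == "pending":
            d.state = "cancelled"
            self.acct.pending -= d.amount        # nothing spendable was ever credited

    def withdraw(self, amount: int) -> bool:
        if amount <= 0 or amount > self.acct.available:
            return False
        self.acct.available -= amount
        return True


def premature_withdrawal(ledger) -> dict:
    """Constructed scenario: deposit seen, withdrawn against, then never confirms."""
    ledger.notice_deposit(Deposit("tx-constructed-1", 1_000_000))
    withdrew = ledger.withdraw(1_000_000)
    ledger.cancel_deposit("tx-constructed-1")
    return {"withdrew": withdrew,
            "available": ledger.acct.available,
            "pending": ledger.acct.pending}


def honest_deposit(ledger: HardenedLedger) -> dict:
    """Constructed scenario: a legitimate deposit that confirms normally."""
    ledger.notice_deposit(Deposit("tx-constructed-2", 500))
    ledger.confirm("tx-constructed-2", 2)                         # still pending
    early = ledger.withdraw(500)
    ledger.confirm("tx-constructed-2", CONFIRMATIONS_REQUIRED)    # credited once
    ledger.confirm("tx-constructed-2", CONFIRMATIONS_REQUIRED + 1)  # no double credit
    late = ledger.withdraw(500)
    return {"early": early, "late": late, "available": ledger.acct.available}


if __name__ == "__main__":
    print("vulnerable:", premature_withdrawal(VulnerableLedger()))
    print("hardened:  ", premature_withdrawal(HardenedLedger()))
    print("honest:    ", honest_deposit(HardenedLedger()))
```

The vulnerable ledger lets the withdrawal through and is left with a negative balance once the deposit is cancelled; the hardened one refuses the withdrawal because the pending amount never touched `available`. The test a practitioner would want is the one Percoco describes as missing: a deposit that is noticed, spent against, and then fails to confirm.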

  • Funny, when you think about it.

  • Is that often they are very specific about what bugs apply and how much a bounty is worth under a specific condition. Often however a bug is in a place or revealed by a set of actions either no one thought of or in a place no one feels responsible for. Such bugs can be devastating like the one in the article but they often don't actually lead to a bounty being paid out. This can result in the finder of the bug saying F#$K it and revealing the bug or worse selling it to someone who will pay.
  • I suspect a lot of crypto exchanges are thinking mostly about the fun stuff, the magic of technology, the dream... not ugh. Security?

    https://www.web3isgoinggreat.com/

    according to them, this year's total crypto crime totals, just to June, 74 billion dollars (USD presumably) ... still six months to go for 1 full year... wow... heyyy crypto exchanges are a pretty decent plump target if you're into hacking into them. So the servers are where the real clever people would focus. but also I've read about wallet dra
    • For someone to protect crypto stuff, going with a custodial wallet is folly. We don't have insured wallet private key holders. We have physical safes that, if opened, are insured up to a high amount, but none of that is for anything cryptocurrency related.

      At best, one can pack their own parachute. I'd look at buying at least two Trezor or Ledger hardware wallets, making darn sure that the recovery key, the BIP-39 key works, and is not just written down, but stored on a steel wallet, to ensure recovery if

      • Fully agree on "going with a custodial wallet is folly".
        Terms of service on the exchanges basically means you don't own your coins. Afaik, they are modeled on banks. Newsflash: when you deposit money in a bank, you don't own it anymore, but have (limited) rights to withdraw.
        Also, once you provide KYC at an exchange, any semblance of privacy is gone.

        Also agree that writing down recovery phrase isn't enough. Exactly like in computer operations... If you don't test recovery, you have a serious risk.

        However, an
        • What someone could do is get a Raspberry Pi, download a regular distribution, enable ufw, fa-policy, and other items, then as mentioned by the parent poster, have an open source wallet, perhaps on a hardware encrypted SSD like something from Apricorn or iStorage, coupled with LUKS [1]. This should go a long way, assuming the wallet hasn't been compromised, to ensure things are secure. This might be a way to go for a lot of people.

          Of course, maintaining copies of the BIP-39 recovery phrase go without sayin

          • Ok, some good points there.. I'm taking notes...
            So... I haven't been able to determine if DM-crypt is LUKS, similar to LUKS, or which one is better/stronger? any ideas on that?
            I've been using DM-crypt when I set up new boxes, it's what the (Debian) installer throws at you during installation.

            and this "steel wallet" idea... you're saying... engrave the recovery phrase on something steel that could survive a fire?

            For sure the recovery has to be tested.. I'm old enough to know!.. But I've also read sooo many st
            • dm-crypt is a device mapper which uses LUKS, technically LUKS2. You use LUKS through its cryptsetup tool. It works, and it works well enough.

              Add dm-integrity with sha256, and this gives LUKS authenticated encryption, where if data is tampered with, either due to bit-rot or by a malicious party, it will be detected.

              The steel wallet is for exactly that -- something that can survive a fire, but yet be readable.

              I have had and heard of many horror stories about backups. One of which was backing up to a tape d
