
Kraken patches “isolated bug”, says no user funds stolen – CoinJournal

  • Kraken says it patched a bug that could have allowed exploiters to inflate account balances.
  • The bug was found by a security researcher, whose related accounts reportedly siphoned $3 million from the Kraken treasury by exploiting the vulnerability.

Kraken has announced that its security team has patched a bug that could have allowed certain users to inflate their account balances on the exchange.

The announcement follows Kraken’s revelation that a security researcher had identified the vulnerability as part of the exchange’s bug bounty program.

“On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an ‘extremely critical’ bug that allowed them to artificially inflate their balance on our platform,” Kraken chief security officer Nick Percoco posted on X.

$3 million stolen, not user funds

Specifically, the flaw would have allowed certain users, albeit for a short time, to “artificially increase the value of their Kraken account balance without fully completing a deposit,” the exchange said in a blog post.

Kraken has since patched this bug in its deposit and funding system and noted that it did not impact any customer funds.

However, while the exchange has fixed the isolated bug, the report came after two users had already exploited the vulnerability to withdraw $3 million from their accounts. These accounts are reportedly related to the same security researcher who identified the bug and informed Kraken.

Allegedly, the unnamed individual informed Kraken of the bug after the $3 million withdrawal.

According to Percoco, despite the large withdrawal, the security researcher has demanded to be paid the bounty reward.

“We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends,” Percoco added.
