CertiK employees accused of "extorting Kraken", is the former security unicorn now only "slandered"?

24-06-20 12:41
Read this article in 21 Minutes
总结 AI summary
View the summary 收起

Last night, cryptocurrency exchange Kraken and blockchain security firm CertiK had a public standoff on social media over a series of serious security vulnerabilities.

Initially, CertiK discovered a series of serious vulnerabilities at Kraken, which stemmed from a recent change in Kraken’s user experience (UX), which immediately credits customer accounts before their assets are settled and allows customers to trade cryptocurrency markets in real time, and Kraken has not yet fully tested this specific attack vector.

In short, the vulnerability allows a malicious attacker to initiate a deposit operation and receive funds in their account without fully completing the deposit.

After Kraken examined the vulnerability, it was immediately assessed as "critical" and mitigated by Kraken's team of experts 47 minutes later. Subsequently, Kraken Chief Security Officer Nick Percoco stated that the issue was fully fixed and will not occur again.

Timeline of events, source: CertiK official X

However, something interesting happened. Nick Percocopointed out that CertiK had taken nearly $3 million from Kraken during this "security check", and CertiK firmly denied it. But half a day after the incident, CertiK said that it had returned the funds involved, and the total amount of funds was indeed around $3 million, but the specific tokens did not match what Kraken claimed.

White hat behavior or blackmail?

In Kraken's subsequent investigation, it was found that three accounts had exploited the vulnerability within a few days, one of which was linked to a CertiK staff member through identity authentication (KYC), who used the vulnerability to increase his account balance by $4.

In theory, the generation of $4 is enough to prove the existence of the vulnerability, and the vulnerability was assessed as "critical" by Kraken, which means that as long as the generated $4 is returned, a bounty of $1 million to $1.5 million can be applied to Kraken.

Bounties from Kraken’s bug bounty program. Source: Kraken

However, the “security researcher” chose to disclose the vulnerability to two other people he was working with, who used it to generate larger amounts of funds, ultimately withdrawing nearly $3 million from their Kraken accounts.

When Kraken asked CertiK to provide a detailed description of the activity, create a proof-of-concept of the on-chain activity, and arrange to return the funds they had withdrawn, CertiK refused and requested a call with its BD team. At the same time, CertiK also stated that it would not agree to return any funds until Kraken provided a hypothetical possible loss amount.

At this point, Kraken Chief Security Officer Nick Percoco tweeted that CertiK's actions were extortion and that the $3 million loss was a "criminal case" and that they were coordinating with law enforcement to recover the funds.

CertiK subsequently defended its actions on X.

CertiK's testing of Kraken focused on three questions: Can a malicious actor forge a deposit transaction to a Kraken account? Can a malicious actor withdraw forged funds? What risk controls and asset protections might be triggered by large withdrawal requests? CertiK believes that the Kraken exchange has failed all of these tests, indicating that Kraken's defense-in-depth system has been compromised in multiple ways.

CertiK said that due to the vulnerability, millions of dollars could be deposited into any Kraken account, and during the multi-day testing period, Kraken did not trigger any alarms until CertiK officially reported the incident and responded and locked the test account.

As for Kraken's $3 million loss, CertiK claimed that Kraken threatened company employees and that the total amount of funds Kraken requested to be returned "did not match" the cryptocurrency it stole. At the same time, CertiK disclosed all deposit addresses and said that it would transfer existing funds to accounts that Kraken could access based on records.

After attracting community attention, CertiK updated its response and released a tweet explaining the details of the incident, including fund return, vulnerability disclosure, and testing purposes. CertiK confirmed that it had returned all the funds it held, but the total amount was inconsistent with Kraken's request. The returned amount included 734.19215 ETH, 29,001 USDT, and 1021.1 XMR, while Kraken requested a return of 155818.4468 MATIC, 907400.1803 USDT, 475.5557871 ETH, and 1089.794737 XMR.

Community revelations are even more explosive

This long-criticized security company has had trouble again, and the crypto community quickly took the lead.

Meir Dolev, founder of Cyvers.AI, said "According to on-chain analysis, 26 days before the Kraken incident, a similar withdrawal was made to Coinbase using the same signature hash. In addition, a transfer using the same signature hash also occurred on the Polygon network 14 days ago."

Certik previously claimed that it discovered and exploited the Kraken vulnerability on June 5, but on-chain evidence seems to indicate that it may have already mastered the vulnerability and implemented similar actions many times. Industry insiders questioned whether the timeline published by Certik was true and whether it had already used the vulnerability to transfer funds for a long time. This discovery undoubtedly intensified doubts about Certik's integrity.

Not only that, the security of CertiK, a security company, is also being questioned.

Synthetix's Adam Cochransaid, "CertiK is an outright criminal, and its behavior has completely deviated from the professional ethics of a security company. Given that projects audited by CertiK have been repeatedly hacked, why does the company still exist today?"

In the following hours, Synthetix once again raised serious questions about CertiK's professionalism and credibility. "CertiK security auditors took advantage of their positions to transfer and sell assets through channels such as the sanctioned Tornado Cash, and their behavior patterns are similar to those of the hacker group Lazarus."

It was revealed that CertiK's security auditors not only transferred assets through Tornado Cash, but also sold assets through ChangeNOW, which is exactly the same as the common practice of the Lazarus hacker group after invading crypto protocols. Some analysts said that Lazarus hacked into Certik's audit protocol more than any other protocol, which raised questions about whether Certik had already been infiltrated by hackers.

Although it is not yet certain whether the entire CertiK company was involved, it does make people wonder whether Certik's security research team has already been "compromised."

Some relevant people pointed out that since the North Korean hacker group had agents using DeFi protocols to find jobs, did they also "collude" with CertiK's auditors? Otherwise, it is difficult to explain why a US company with many well-known investors would blackmail exchanges and violate US sanctions on money laundering agreements.

Puffer Finance’s Chen Jian said, “Former employees revealed that CertiK’s top management was too focused on profitability and had a distorted value system. The company was abandoned after issuing tokens, causing investors to suffer losses. Project owners are advised to carefully choose CertiK for security audits.” Chen Jian believes that CertiK has basically become a “stamping company that is packaged in a halo and charges expensive fees”, and that the projects it has audited have repeatedly encountered security issues.

In addition, someone disclosed that "some CertiK internal auditors leaked the company's confidential information and audit details."

In response to CertiK’s misdeeds, many industry insiders criticized CertiK as “disgusting,” “immoral,” “irresponsible,” “delusional,” and “worthless.” A large number of crypto community members have joined the verbal attack on CertiK. Among them, former OKX employee Ziye said: “Someone has hit a wall.”

DegenBing.eth | Buji DAO said that those who tout CertiK are either stupid or evil, “Everyone prepare your popcorn, the follow-up should be very exciting.” Community user @tayvano_ also expressed ridicule to CertiK, "There is absolutely no excuse for CertiK's behavior, and it cannot be regarded as a legitimate white hat test at all", and called on CertiK to "get out".

CrertiK, only "slander all over the world"?

From the community's reaction, it can be seen that this is not the first time that CertiK, the protagonist of this incident, has been involved in controversy. CertiK was born in 2017 and was once a star project in the field of Web3 security. Its founders are Shao Zhong, the director and tenured professor of the Department of Computer Science at Yale University, and Gu Ronghui, a professor of the Department of Computer Science at Columbia University, both of whom are top scholars in the field of security.

In 2021, CertiK began to develop rapidly. In less than a year, it received five rounds of financing, including the most luxurious investors such as Goldman Sachs, Tiger, Softbank, Sequoia, and Hillhouse. In that year, among all DeFi projects that have undergone security audits on CoinMarketCap, CertiK's market share reached 70%, far exceeding its peers. Its cooperative clients include leading projects such as Aave, Polygon, Yearn Finance and Chiliz.

But on the other hand, since the launch of CertiK, it has not stopped facing controversy. The community has always questioned that CertiK occupies most of the market in the field of Web3 security, but cannot guarantee the security of the projects it handles. Some people even complained that "not all CertiK audits may run away, but those who run away are almost all CertiK audits, and they all like to claim to have upgrades, but everyone knows the actual results, so that "CertiK audits" have almost become a guide to avoid mines."

In April 2023, Geek Park interviewed CertiK CEO Gu Ronghui, who responded to these controversies with the phrase "reputation and slander". CertiK regards the frequent security issues as "inevitable situations" and responds by publishing security audit reports and allowing the community to check spontaneously. Gu Ronghui once said that he did not want CertiK to become a "seal" or an anti-theft "certificate".

Shortly after Geek Park's interview with CertiK was released, Merlin, a decentralized trading platform based on zkSync, was stolen about $1.82 million. Prior to this, Merlin had just passed CertiK's audit. This time, CertiK attributed the Merlin attack to "rogue developers."

A month later, the DeFi project Swaprum ran away a few weeks after being audited by CertiK, taking away a total of $3 million in customer funds. The community pointed the finger at CertiK, saying it approved "another conspiracy."

In addition to various accidents, the community also questioned CertiK's technical barriers.

CertiK uses formal verification and AI technology to provide end-to-end blockchain security audit services. Simply put, it combines formal verification and manual verification, uses large language models to automatically check source code problems, conducts simulated attacks, and then security engineers provide feedback on the issues raised.

The founder is confident in its mechanism. "Even if our technology does not develop, as long as we can see more code and more people annotate it, our engine will become better and better. Then our security level will be higher and higher, and there will be more and more customers, which will make the engine better and better. It's a positive cycle."

In addition to the fact that the audit results are unreliable, CertiK's black history also includes its coin issuance experience. CertiK launched Certik chain and its token CTK in 2021, but now the introduction of its token CTK can no longer be found on Certik's official website.

It is understood that CTK had two rounds of private placement at the time, one with a quota of 29% and a price of US$0.77; the second with a quota of 9% and a price of US$1.9. After CTK went online, it began to fall after a short charge. As of the time of writing, its price was US$0.8.

After being involved in the "extortion Kraken" controversy, although Kraken did have vulnerabilities, the community's attitude was surprisingly consistent, and they all recounted CertiK's past deeds. From a star project in the Web3 security field with a luxurious financing lineup and a valuation of US$2 billion, to being caught up in various controversies and being regarded as a "lightning avoidance label", CertiK's experience in recent years has made the community sigh and also provided a warning to the project parties still on the field.

欢迎加入律动 BlockBeats 官方社群:

Telegram 订阅群:https://t.me/theblockbeats

Telegram 交流群:https://t.me/BlockBeats_App

Twitter 官方账号:https://twitter.com/BlockBeatsAsia

举报 Correction/Report
Choose Library
Add Library
Add Library
Visible to myself only