#CertiK Admits They Took $3 Million From #Kraken As Part Of Bug Bounty Testing, Tried To Return It, Didn't "Steal" Anything (OOC)

Crypto Talk Radio: Basic Cryptonomics

Jun 20 2024 | 00:06:26


Hosted By

Leicester


Episode Transcript

[00:00:00] Out-of-cycle update. [00:00:03] CertiK in trouble, losing. Crypto Talk FM. My name is Leicester. I am your host. Follow-up on the Kraken breach, aka, allegedly. Shouldn't say breach, 'cause I don't know. And in fact, given today's update, I'm not even sure how to categorize it. I can't categorize it as a mistake. I can't categorize it as a botch. I can't categorize it as intentional. I can't even say it's unintentional, because what's allegedly coming out now: CertiK. Everybody knows CertiK. CertiK is the firm that does various smart contract audits. They also do security audits, and it turns out they are allegedly the ones behind the $3 million Kraken breach. CertiK themselves came out and said, we are the ones. The researchers who were doing, responded to the bug bounty. We were doing the analysis. And yes, it is true that we were withdrawing these funds. That's true. However, as positioned, this is CertiK, as positioned by Kraken, what's being stated is not true, and it's being misrepresented. And we're happy to return the money. But we got some problems here. So, trying to unravel this, and I'm getting the sense, mind you, I got, both of these sides are at fault. But I'm, I'm less confident in Kraken's leadership than ever before. So here's allegedly what happened. CertiK was doing the analysis as they claimed they were doing. Some of their researchers found these breaches. They admit. They openly admit, yes, we did transfer money out.

[00:01:33] They admitted finding the situation, and they said that, hey, we're going to report our findings. We're not done yet.

[00:01:42] Kraken essentially said, well, wait a minute, you took the freaking money, and we traced it and found that, and you're thieves, and this is criminal, and you stole from us, jackoffs. CertiK saying, you didn't raise any flags on this. We were doing the testing. You didn't raise any flags on this. Why, all of a sudden, are you raising flags? You only raised a flag after we reported to you that we saw this situation. So why are you now calling red flags, saying it's a criminal something, when you only call something out when we told you that there's this problem, as per the bug bounty? So CertiK is presenting it as if they were doing what they were supposed to do per the bug bounty guidelines. Let me get with them. Let me get on them first. The whole framework of a bug bounty is, you didn't need to, and this was called out in the analysis after the fact from a different firm, you didn't need to steal $3 million from these people to prove that it's possible to steal money. You could have done a much lower amount and then been in active communication. Now, in some bug bounty cases, they'll kind of reserve the results until they're fully done. And I got you. But you still didn't need to steal $3 million from these people to get your point across. So that makes you guys look scammy, because why $3 million? Why that amount? Why so much? You didn't need to do that just to prove that there is this breach.

[00:03:05] I sense that CertiK was trying to get a sense, trying to get the information around the scale and scope of the hole. How large is it? What's the risk vector? Right, I got it. I would. And perhaps they were, and I didn't see the terms of the bounty, but perhaps they were thinking that the bounty would go up based on the level of risk. The risk vector being a significant size might increase the amount of bounty they would get. This is all theoretical. I have no evidence. I'm not them. But it's the only logical reason that you would do this, is if you thought you're gonna get a larger bounty. You still have an ethical obligation to report the finding the moment that you find it. Do something smaller. Do like 10,000, 20,000. Do multiple segments. See if there's any sort of detection. Communicate with them and say, we found this situation here. What made it so shady is the amount. It's not the fact that there was an issue that was reported; it's the amount, and then the fact that they hung on to it. On Kraken's side, I still say somebody should be fired, because, number one, you should have tested this before you gave it over to the bug bounty. And number two, it is true that you didn't raise any concerns until this was brought to your attention. So why was it all of a sudden a problem after it's raised as a problem, and you reacted to the dollar amount, and then you leapt straight to criminal, saying, this is criminal, and we're gonna go after these jackoffs? I understand that. Somebody freaked out. That's what I understand. Somebody freaked out. Somebody was afraid they'd lose their job, so they felt like they had to put on a good face to say, we're going after these jackoffs. I understand. I'm not against taking action to preserve the assets. My beef, my sole beef, my primary beef, is the fact, you look at this business, why is it that nothing was done until something was reported? That's what I'm trying to figure out. Both sides are culpable here. Both sides have a problem. Both sides should be ashamed of their damn selves. None of this shit made any sense. So that's allegedly what's happening, is that CertiK, one of the most well-known firms in security research, was behind this $3 million breach, allegedly intended to return the money all along, openly admitted that they're the ones that took the money and said that they'd reported it to Kraken. And Kraken only freaked out after they reported it, which makes no damn sense. And then, of course, Kraken on their side doesn't seem to understand about security testing. You know, I debated doing this one versus another one that's just as bad. And I figured I'd do this one because, you know, this is a fiasco.

[00:05:46] This is why the SEC wants to be so firm on these crypto exchanges, because it seems like none of them have a fucking clue, that they all just do whatever they're doing and don't get it. And this is what happens: a freak-out reaction. It could be that CertiK are a bunch of shady jackoffs. I'm not saying they're not. I'm saying both sides are culpable in this whole fiasco. And it's the reason that you're essentially rolling the dice anytime you deal with any of these types of smart contracts or exchanges. You can't get away from the garbage. It's all garbage, all of them, because none of them want to act like a business. And all that does is give the government an excuse to try to lock stuff down.