CertiK
Smart contract audits, KYC, on-chain monitoring, bug bounties, penetration testing, and more. Also follow 🤝 @CertiKCommunity 🚨 @CertiKAlert
Jun 19 · 5 tweets
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.

Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal transfer statuses, we conducted a thorough investigation with three key questions:

1/ Can a malicious actor fabricate a deposit transaction to a Kraken account?
2/ Can a malicious actor withdraw fabricated funds?
3/ What risk controls and asset protection might be triggered by a large withdrawal request?

According to our testing results, the Kraken exchange failed all these tests, indicating that Kraken's defense-in-depth system is compromised on multiple fronts. Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.

Upon discovery, we informed Kraken, whose security team classified it as Critical: the most serious classification level at Kraken.

After initial successful conversations on identifying and fixing the vulnerability, Kraken's security operations team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.

In the spirit of transparency and our commitment to the Web3 community, we are going public to protect all users' security. We urge @krakenfx to cease any threats against whitehat hackers.

Together, we can face risks and safeguard the future of Web3. #Web3 #Security #Transparency

Transparency is important to the community. We are disclosing all testing deposit transactions here: [image]
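The flaw class the thread describes, a deposit ledger that credits an internal transfer without distinguishing its settlement status, is easiest to see side by side with its fix. The following is an added, hypothetical example written for this page; it is not Kraken's code and says nothing about how the reported issue actually worked. The `Ledger`, `InternalTransfer` and `TransferStatus` names, the amounts, and the alert threshold are all constructed for illustration. The buggy method sums every recorded transfer; the hardened one spends only `CONFIRMED` funds and records an alert on any withdrawal at or above a threshold, which is the third control the thread says did not fire.

```python
"""Illustrative deposit ledger: status-confusion flaw beside its hardened form.

Hypothetical example added for this page. Not Kraken's code; the flaw shown
is the general pattern only: spendable balance is credited from internal
transfers without checking that they actually settled.
"""
from dataclasses import dataclass, field
from enum import Enum


class TransferStatus(Enum):
    PENDING = "pending"      # observed but not yet settled
    CONFIRMED = "confirmed"  # settled; funds actually received
    FAILED = "failed"        # reverted or never arrived


@dataclass
class InternalTransfer:
    account: str
    amount: int              # smallest unit (constructed values below)
    status: TransferStatus


@dataclass
class Ledger:
    transfers: list = field(default_factory=list)
    withdrawals: dict = field(default_factory=dict)  # account -> total withdrawn
    alerts: list = field(default_factory=list)       # (account, amount) of large withdrawals

    def record(self, transfer: InternalTransfer) -> None:
        self.transfers.append(transfer)

    def available_balance_buggy(self, account: str) -> int:
        # FLAW: every recorded transfer counts, whatever its status, so a
        # pending or failed transfer inflates the spendable balance.
        credited = sum(t.amount for t in self.transfers if t.account == account)
        return credited - self.withdrawals.get(account, 0)

    def available_balance(self, account: str) -> int:
        # Hardened: only CONFIRMED transfers are spendable.
        credited = sum(
            t.amount for t in self.transfers
            if t.account == account and t.status is TransferStatus.CONFIRMED
        )
        return credited - self.withdrawals.get(account, 0)

    def withdraw(self, account: str, amount: int, *, alert_threshold: int,
                 check_status: bool = True) -> bool:
        """Debit the account; return True on success.

        check_status=False reproduces the flawed path for comparison.
        Withdrawals at or above alert_threshold are recorded as alerts
        (the hook a risk-control system would act on).
        """
        balance = (self.available_balance(account) if check_status
                   else self.available_balance_buggy(account))
        if amount > balance:
            return False
        if amount >= alert_threshold:
            self.alerts.append((account, amount))
        self.withdrawals[account] = self.withdrawals.get(account, 0) + amount
        return True


def demo() -> tuple:
    """Constructed scenario: one real deposit plus two that never settled."""
    ledger = Ledger()
    ledger.record(InternalTransfer("alice", 100, TransferStatus.CONFIRMED))
    ledger.record(InternalTransfer("alice", 1_000_000, TransferStatus.PENDING))
    ledger.record(InternalTransfer("alice", 5_000_000, TransferStatus.FAILED))
    buggy = ledger.available_balance_buggy("alice")  # 6_000_100: fabricated value
    safe = ledger.available_balance("alice")         # 100: what actually arrived
    return buggy, safe


if __name__ == "__main__":
    print(demo())
```

The hardened path changes two things at once: the balance computation ignores anything not `CONFIRMED`, and large withdrawals produce an alert record even when they succeed, so a later review has something to look at rather than silence.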
Mar 15, 2023 · 9 tweets
1/ The Rug Pull Report

Exit scams, more popularly known as rug pulls, are the most common type of #Web3 scam. A rug pull involves fraudsters robbing a crypto project by liquidating their holdings without warning and leaving investors holding worthless tokens. 🧵👇🏼

2/ 3️⃣1️⃣6️⃣ rug pulls stole $207 million of value from #Web3 investors in 2022. 💰👎🏼 The prevalence of this type of #scam is an ongoing blight on the image of the industry. 👇🏼
Jan 28, 2023 · 16 tweets
Exposing Scammers 🚨

CertiK investigators uncovered two scammers, Zentoh and Kai, behind the Monkey Drainer kit 🐒

This kit is sold to prospective scammers who are looking to steal user funds using Ice Phishing

Who was involved and how? Let's see 👇🧵

The Monkey Drainer kit and similar phishing tools utilize "ice phishing" to trick users into giving the scammers unlimited power to spend their tokens.

If you don't know what Ice Phishing is, see this thread 👇

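Ice phishing does not steal a private key: the victim is tricked into signing a perfectly valid `approve()` (ERC-20) or `setApprovalForAll()` (ERC-721) that hands the drainer's address the right to move their tokens. That makes it detectable from the chain itself. The scanner below is an added example, not CertiK's tooling and not part of the thread; it decodes raw `Approval` and `ApprovalForAll` event logs in the shape `eth_getLogs` returns (`address`, `topics`, `data`) and flags grants that are unlimited, or large and made to a spender outside an allowlist. The two `topic0` constants are the keccak256 hashes of the standard event signatures; the addresses, the sample logs and the `LARGE_ALLOWANCE` cutoff are constructed for illustration.

```python
"""Flag ice-phishing style token approvals from raw event logs.

Added example, not CertiK's code. Decodes ERC-20 Approval and ERC-721
ApprovalForAll logs and flags grants that give a spender unlimited, or
large untrusted, spending power. Sample logs are constructed inline.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("ApprovalForAll(address,address,bool)")
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
UINT256_MAX = 2**256 - 1
# Assumption for this example: a finite allowance this big is "effectively unlimited".
LARGE_ALLOWANCE = 2**128


@dataclass(frozen=True)
class Grant:
    token: str
    owner: str
    spender: str
    amount: Optional[int]   # None = "all tokens" (ApprovalForAll == true)
    unlimited: bool


def _addr(topic: str) -> str:
    # Indexed address params are left-padded to 32 bytes; the address is the last 20.
    return "0x" + topic[-40:].lower()


def decode_grant(log: dict) -> Optional[Grant]:
    """Decode one log entry into a Grant, or None if it is not an approval grant."""
    topics = log.get("topics") or []
    if len(topics) != 3:
        return None
    sig = topics[0].lower()
    token = log["address"].lower()
    if sig == APPROVAL_TOPIC:
        value = int(log["data"], 16)
        return Grant(token, _addr(topics[1]), _addr(topics[2]), value, value == UINT256_MAX)
    if sig == APPROVAL_FOR_ALL_TOPIC:
        if int(log["data"], 16) == 0:
            return None     # approved=false is a revocation, not a grant
        return Grant(token, _addr(topics[1]), _addr(topics[2]), None, True)
    return None


def risky_grants(logs: Iterable[dict], trusted_spenders: Iterable[str]) -> List[Grant]:
    """Unlimited grants are always flagged; large finite grants only if the spender is untrusted."""
    trusted = {s.lower() for s in trusted_spenders}
    flagged = []
    for log in logs:
        g = decode_grant(log)
        if g is None:
            continue
        if g.unlimited:
            flagged.append(g)
        elif g.spender not in trusted and g.amount is not None and g.amount >= LARGE_ALLOWANCE:
            flagged.append(g)
    return flagged


# --- constructed sample data (not real addresses or transactions) ---------------
def _pad_addr(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def _word(n: int) -> str:
    return "0x" + format(n, "064x")


VICTIM = "0x" + "11" * 20
DRAINER = "0x" + "bad0" * 10
ROUTER = "0x" + "22" * 20      # stands in for a legitimate DEX router
TOKEN = "0x" + "aa" * 20
NFT = "0x" + "bb" * 20

SAMPLE_LOGS = [
    # ERC-20 approve(DRAINER, type(uint256).max): classic ice-phishing grant
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad_addr(VICTIM), _pad_addr(DRAINER)],
     "data": _word(UINT256_MAX)},
    # Ordinary bounded approval to a trusted router
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad_addr(VICTIM), _pad_addr(ROUTER)],
     "data": _word(1_000)},
    # ERC-721 setApprovalForAll(DRAINER, true): whole collection exposed
    {"address": NFT, "topics": [APPROVAL_FOR_ALL_TOPIC, _pad_addr(VICTIM), _pad_addr(DRAINER)],
     "data": _word(1)},
    # setApprovalForAll(DRAINER, false): the victim revoking; not a grant
    {"address": NFT, "topics": [APPROVAL_FOR_ALL_TOPIC, _pad_addr(VICTIM), _pad_addr(DRAINER)],
     "data": _word(0)},
]


if __name__ == "__main__":
    for g in risky_grants(SAMPLE_LOGS, trusted_spenders=[ROUTER]):
        print(f"{g.owner} granted {g.spender} {'ALL' if g.amount is None else g.amount} of {g.token}")
```

A real monitor would feed `risky_grants` the logs from `eth_getLogs` filtered on the two topic hashes and the watched owner address; the decoding does not change. The revocation case matters in practice because `setApprovalForAll(spender, false)` emits the same event signature as the grant, and a scanner that keys on the topic alone would report the victim's cleanup as another attack.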
Dec 16, 2022 · 7 tweets
1/ #CertiK recently participated in the @AptosLabs CTF MOVEment 2022 contest

Faced with the challenge of quickly understanding and summarizing the semantics of complex code snippets, we turned to #ChatGPT @OpenAI

Let's see how it worked 👇🧵 #OpenAI #Aptos

2/ By interacting with #ChatGPT through natural language, we were able to ask it questions about the code and receive clear and concise answers.

ChatGPT is able to provide a summary of the code's semantics and explain what the code does in simple, natural language, saving time