The exploit allowed some users to artificially increase the value of their Kraken account balance without fully completing a deposit. The issue derived from a recent UX change that wasn't thoroughly tested.
The researcher who disclosed the vulnerability shared it with coworkers who exploited the vulnerability to withdraw nearly $3 million. The stolen funds were from the Kraken treasury, not client assets.
The researchers refused to provide a full account of their activity related to the exploit, demonstrate a proof of concept, or return funds, instead demanding a call with the business development team.
[
add
]
[
|
|
...
]