The Breakdown - The Incredibly Weird Certik-Kraken Exploit

Episode Date: June 21, 2024

Kraken was recently hacked to the tune of $3m. Turns out it was security audit firm Certik. Is the episode about an overzealous white hat or something more nefarious?

Enjoying this content? Subscribe to the podcast: https://pod.link/1438693620
Watch on YouTube: https://www.youtube.com/nathanielwhittemorecrypto
Subscribe to the newsletter: https://breakdown.beehiiv.com/
Join the discussion: https://discord.gg/VrKRrfKCz8
Follow on Twitter: NLW: https://twitter.com/nlw / Breakdown: https://twitter.com/BreakdownNLW

Transcript
[00:00:04] Welcome back to The Breakdown with me, NLW. It's a daily podcast on macro, Bitcoin, and the big picture power shifts remaking our world. What's going on, guys? It is Thursday, June 20th, and today we are talking about a wild hacker bounty, strange situation that you will not want to miss. Before we get into that, however, if you are enjoying The Breakdown, please go subscribe to it, give it a rating, give it a review, or if you want to dive deeper into the conversation, come join us on the Breakers Discord. You can find a link in the show notes or go to bit.ly slash breakdown pod. All right, friends, well, today our main story is a very weird situation between Certik and Kraken, but I did want to do just a couple stories before that, one of which is an update on something we covered earlier in the week.

[00:00:54] It has been a big few days for the newest Trump meme coin, tickered DJT. I mentioned the token launch earlier this week and all the speculation around whether there was an official link back to the former president. At that point, Martin Shkreli, best known as Pharma Bro and now white-collar crime expert, was heavily promoting the token as being real and official. Things escalated quickly on Tuesday with legendary trader GCR asking Shkreli to put his money where his mouth is, betting a huge amount that the meme coin wasn't approved by Trump. GCR was very clear that he wanted to know whether Trump was directly involved, stating, "The only way this is quote-unquote real is if Donald J. Trump himself

[00:01:27] says he launched a meme coin. I'm well aware there is a cabal strategy to bribe people in the Trump orbit to pretend they had something to do with this when in reality a cabal of crypto whales did a presale and an allocation to KOLs." Arkham Intelligence later announced a bounty for anyone who could identify the dev. On-chain analyst ZachXBT quickly chimed in that he had the proof that they were looking for, at which point Shkreli quickly fired up a Twitter Spaces and claimed that he co-created the coin in collaboration with Barron Trump. ZachXBT went on to fill in the details.

[00:01:53] He published messages between Andrew Tate and Shkreli showing that Tate was approached by Barron to buy into the project. He also showed a large and early DJT holder had sold $830,000 worth of the token late on Tuesday. That wallet also holds millions of dollars worth of the previous token launched by Shkreli. By this stage, enthusiasm for the token had begun to collapse alongside the price. Shkreli spent most of Wednesday providing an explanation on Twitter Spaces, claiming the token was Barron's idea, and that he wanted to get the token launched before his father's campaign could do their own meme coin. Shkreli was very insistent that Barron is the only one with the

[00:02:22] private keys to the token, but Barron himself seems to have gotten cold feet after receiving advice from lawyers, so hasn't commented publicly. A trader called Dahmer really summed up the situation in my estimation, saying, "If you had told me six months ago that Martin Shkreli would pump a Trump meme coin and describe a definitely not 100% market as 100% guaranteed and lead a herd of poor saps to incinerate tens of thousands of dollars to pump said coin, would I ever have believed that? Uh, yes, easily, it's one of the most believable sequences of events in human history." While Shkreli seems to believe that there are no laws governing meme coins, saying, "Making a

[00:02:52] meme coin, there's absolutely zero legal repercussions from that," the crypto legal core seems to think that the wrath of Gary Gensler is inevitable. Crypto lawyer Preston Byrne tweeted, "The annoying thing about the Shkreli-Barron Trump thing is that if it's true, it's going to bring the SEC into the meme coin space at absolutely warp speed." So at this point, we are going to officially leave this story until such time as an actual presidential candidate claims credit for this. It is officially just the crazy whims of the crypto industry and the bored summer lassitude of crypto Twitter.
[00:03:20] Speaking of the SEC, a more positive story: they have decided to drop their investigation into Ethereum. On Wednesday, Ethereum infrastructure provider Consensys shared a letter from the SEC informing them that the investigation had concluded. They added that SEC staff are not intending to recommend an enforcement action against Consensys. Consensys announced the good news in a tweet stating, "This means that the SEC will not bring charges alleging the sales of ether are securities transactions." The company had asked for clarification on whether the investigation was still ongoing back on June 7th in light of the Ethereum ETF approvals.

[00:03:50] This following, of course, the SEC accepting ETF paperwork, which classified Ethereum as a commodity. Consensys added that although this was a big win for the Ethereum community, quote, "Our fight continues. In our lawsuit, we also seek a declaration that offering the user interface software MetaMask Swaps and Staking does not violate securities laws. It should not take a lawsuit to provide the much-needed regulatory clarity to allow an industry that serves as the backbone to countless new technologies and innovations to thrive, but here we are." Consensys founder Joe Lubin commented, "The SEC's decision to close its 14-month investigation into Ethereum is a welcome development. It's necessary but not sufficient. There has to be a better way to regulate

[00:04:25] the market than through ambush. We are hopeful that the antagonism to crypto among some U.S. regulators is starting to wane, and that the national investor protection strategy will evolve from the current guerrilla tactics." While the end of the investigation is a relief to the Ethereum community, the SEC's letter is perhaps a bit more narrow than some assume. The agency made it clear that this does not function as a no-action letter, which the SEC uses to grant regulatory carve-outs for specific activities. Finance lawyer Scott Johnson noted that the letter is completely silent on whether the SEC is accepting that Ethereum is not a security. Johnson added, "I don't want to minimize the importance of the Consensys letter because

[00:04:56] it does further policy goals. But I don't think we're going to get any voluntary admission from the SEC that ETH is not a security, despite the mountain of implied evidence that this is their actual position, until Coinbase, Binance, and Kraken have been resolved or a change in leadership." Aside from the security classification, some are noting that this is evidence that the crypto industry's aggressive litigation strategy is bearing fruit. Crypto lawyer Gabriel Shapiro, for example, tweeted, "I don't say this sort of thing often, but huge props to the Consensys legal team. They went into attack mode and played this whole thing beautifully." Hello, friends. Before we get back to the rest of the show, I want you to join me at Permissionless.
[00:05:31] Permissionless is a conference for crypto natives by crypto natives. And the reason it's so important this year is that despite regulators' best attempts to push industry founders, devs, and executives out of the U.S., the U.S. remains the beating heart of crypto. Today, the tide is turning. Policymakers have pivoted from fighting crypto to embracing it, which will lead to the creation of new financial products, new applications, and ultimately new adoption. Permissionless is a conference for those using and building on-chain products. It's home to the power users, the devs, and the builders. And what's more, I'm going to be there.

[00:06:03] The location is Salt Lake City. The dates are October 9th to the 11th, and right now, tickets are just $199. Towards the end of the month, they're going up to $499, and if you want 10% off, use code Breakdown10 when you check out. If you go to the Blockworks website, blockworks.co, there will be lots of information about how to register, and use code Breakdown10 for 10% off. With that, though, we turn to our main story, which is a crazy one.
[00:06:30] Kraken has disclosed a bug that was used to exploit the platform for $3 million. Nick Percoco, the chief security officer at the exchange, detailed the events in a long thread on Wednesday morning. He said that Kraken had received a bug bounty request from a security researcher on June 9th. Kraken's security team identified the issue quickly, finding a critical bug that allowed users to inflate their balance on the exchange. Kraken had been crediting crypto deposits before they were fully cleared, allowing an attacker to withdraw a balance that would never arrive.

[00:06:56] The team mitigated the issue within an hour. They claimed the issue had been the result of a recent UX change, and during their investigation, found three accounts that had exploited the bug. The first belonged to the security researcher who had reported the bug and demonstrated the exploit at a minimal size. The other two had used the bug to withdraw nearly $3 million from the platform. Percoco claims that these larger exploits were not disclosed when the bug was reported. When confronted, the security researcher allegedly refused to return the stolen funds and forced a negotiation with their business development team. Percoco said he was asked to speculate on how much monetary damage the bug could have caused, adding, "This is not white hat hacking, it is extortion." Kraken has an established bug bounty program, which is much more permissive than the industry standard.

[00:07:33] Their two big rules are not to exploit more than is necessary to demonstrate the issue, and second, to return all funds immediately. He noted that white hat hacking is only enabled by, quote, "following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your license to hack. It makes you and your company criminals." Kraken is treating this as a criminal case and has referred the matter to law enforcement. They claim that no user funds were endangered by the exploit, with the losses coming from Kraken's treasury. Now, throughout his thread, Percoco decided not to disclose the identity of the security firm, but shortly afterwards, Certik went public and identified themselves as the firm in question. Their posts spelled out the security test they had performed and ridiculed Kraken security,

[00:08:11] stating, "Defense-in-depth system is compromised on multiple fronts. Millions of dollars can be deposited to any Kraken account. A huge amount of fabricated crypto can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident." After initial conversations, Certik claimed that, quote, "Kraken's security operation team has threatened individual Certik employees to repay a mismatched amount of crypto in an unreasonable time even without providing repayment addresses." Certik's position is that they are willing to return the funds,

[00:08:45] but that Kraken is asking for more than was withdrawn. As for why they conducted such a massive demonstration of the bug, Certik claims they wanted to test the limits of protections and risk controls on the exchange. For many in the crypto security community, this explanation didn't ring true. Certik has a somewhat tarnished reputation. They primarily provide smart contract audits designed to find incorrect bugs before a platform goes live. Certik was the auditor on record for three of the top 50 crypto exploits on the Rekt News leaderboard. A ton of the exploits during the 2021 era of Binance Smart Chain were also protocols audited by Certik. Developers also note high-pressure sales tactics, which 0xQuit described as, quote, "a borderline criminal racket to force

[00:09:22] projects into their auditing pipeline." Some are starting to wonder whether it's more than just a coincidence that Certik-audited smart contracts often get exploited. Crypto lawyer Collins Belton commented, "So this kind of puts prior jokes about Certik audits for inevitably hacked projects in a different light, doesn't it? Not going so far as to say there's intentionality, but this creates a huge optics issue for them at best, or leads someone to uncovering a whole lot more at worst." Further, as part of their disclosure, Certik identified the wallets involved in the exploit. A handful of on-chain analysts noted that the wallets had washed the funds using Tornado Cash before depositing them into Kraken. Certik claimed this was a further test of Kraken

[00:09:57] security to see if it would detect the tainted funds. Whether or not that's true, Certik is nominally a U.S.-headquartered firm founded by Americans and backed by U.S. venture funding. On the surface, then, it seems that Certik casually violated sanctions as part of this endeavor. This bizarre choice led some to wonder whether there's something more to the story. Adam Cochran tweeted, "Not only did Certik security auditors move assets via sanctioned Tornado Cash, they also dumped assets via ChangeNOW, which is a common set of patterns when Lazarus hacks protocols, and Lazarus has hacked more Certik-audited protocols than any others. So while I doubt the entire

[00:10:28] company is somehow involved, it genuinely raises the question if Certik's security research team has just long been compromised. We know North Korea has had agents get jobs with DeFi protocols before, why not with an auditor? Otherwise, it's really hard to explain why a U.S.-headquartered company with large investors would extort an exchange and violate U.S. sanctions over this kind of money." As things stand, it appears that Certik has now sent around $2.6 million back to Kraken. We don't have a really clear view on whether all the funds were returned due to the sheer number of wallets and chain obfuscation techniques employed. On-chain analysts are still sifting through blockchain records to come up with a number, and Kraken's security

[00:11:00] team is no doubt working overtime. This is one of the most bizarre things about the exploit. Once the bug was demonstrated using a small transaction, there really was no need to keep doing dozens of transactions of escalating size for several days. The generous explanation is that Certik wanted to make a public show of how much they could get away with before Kraken's security team noticed. Well, the more nefarious explanation is pretty obvious. Overall, the response is mostly just shock. Byzantine General writes,

[00:11:25] "Only in crypto can an audit company steal from an exchange, extort them, illegally use Tornado Cash as an American company to obfuscate the funds, and then go on Twitter to proudly call themselves the good guys." samczsun writes, "Sending my thoughts and prayers to the investment partners that have to explain why their portco hacked an American exchange, stole $3 million, and laundered it through an OFAC-sanctioned protocol." Seems like this is a story that we will probably need to come back and do a little bit of an update on, but for now we are just going to leave it there. Like I said, one of the crazier ones we've seen for a while. Weirdly, this feels like deep bear market stuff, not things that happen when we're like 15% off all-time highs or whatever we are.

[00:12:01] Anyways, guys, that is going to do it for today's Breakdown. Appreciate you listening as always. Until next time, be safe and take care of each other. Peace.
