The crypto community was recently shaken by a dramatic conflict between Certik, a security auditing company of high repute, and Kraken, one of the largest exchanges. It began when Certik identified a critical flaw in Kraken's deposit system. Instead of immediately disclosing the vulnerability, Certik exploited it, withdrawing approximately $3 million to prove its point.
This case raises grave questions about ethics in cybersecurity, particularly in the crypto space. I find the incident at once exciting and concerning. On the one hand, what Certik did could have been for illustration purposes, in short, showing how bad the flaw was; but withdrawing such a colossal amount of money to make that point seems extreme and, frankly, careless. Presenting that action as a "white hat" hack pitted Certik against Kraken, which viewed it as criminal.
What is more, Kraken responded quickly and decisively. It treated the incident as a security breach and brought in law enforcement. Its chief security officer, Nick Percoco, assured users that no client assets were in jeopardy, but Certik's approach had understandably alarmed the exchange. From Kraken's point of view, this was not a friendly security test; it was an unauthorized withdrawal of funds that could easily be construed as theft.
Certik defended its actions by claiming that the hack was necessary to test Kraken for weaknesses. It said its activity was typical "white hat" work and that the funds were always intended to be returned, a justification that did not hold water for many in the community, including Kraken itself. Debate raged over whether Certik's method was ethical, sending security experts and crypto enthusiasts alike into a tizzy.
The crucial issue is the communication gap between Certik and Kraken. According to Certik, it had always intended to return the funds; therefore, in its view, Kraken overstepped by making the matter public and involving law enforcement. From Kraken's vantage point, Certik's demand for a fat bounty (it was asking for the value of the exploit) seemed inappropriate, much like extortion. These diametrically opposed viewpoints bring home just how important transparent and forthright communication is in cybersecurity operations.
At the heart of this issue lies the ethics of "white hat" hacking. Certik's approach was aggressive and unconventional. White-hat hackers do not keep attacking once they find a vulnerability; they report it. Typically, they give at most a minimal demonstration so that the system owners can patch without incurring huge losses. By pulling millions out before notifying Kraken, Certik has set a perilous precedent for future security testing.
Finally, the funds were returned, but not without considerable friction and accusations from both parties. The incident offers a lesson to both sides, security researchers and companies alike: it shows the importance of setting well-defined limits and mutual respect in the delicate relationship between security firms and their clients. Certik, however, damaged its reputation through its approach and put its relationship with Kraken at stake.
As the crypto industry grows, so does the need for robust security practices. This episode between Certik and Kraken proved that good intentions alone can take us only so far. Ethical standards lay down procedures for handling such a scenario, and clear protocols build trust and collaboration within the ecosystem. Hopefully, security firms and crypto exchanges have learned from this experience, so that the next vulnerability is reported responsibly and openly.
Posted Using InLeo Alpha