
Participants in the Bug Bounty program of the Kraken cryptocurrency exchange discovered and exploited an “extremely critical” vulnerability to withdraw $3 million
20.06.2024
A group of participants in the Bug Bounty program of the Kraken crypto exchange extracted $3 million belonging to the company by using a “critical” vulnerability they had discovered.
One KYC user discovered a bug through the Bug Bounty interface and received a reward for it under the program rules. He then shared information about the vulnerability with two other participants. Together they extracted $3 million and then demanded an additional reward from the exchange for returning the money. Kraken called it "extortion."
The exchange announced that it had successfully fixed the vulnerability, which allowed a balance to be manipulated manually and funds to be withdrawn.