Ethical hacking, also known as white hat hacking, plays an indispensable role in fortifying cybersecurity. It involves benevolent hackers who scrutinize applications, identify security loopholes, inform vendors, and utilize this data to bolster the security framework of the ecosystem.
This concept isn’t confined to the realm of blockchain; it’s prevalent across various domains, including cloud computing, artificial intelligence, and operating system security. In each scenario, a fragile yet potent bond is forged between vendors and security experts, anchored on the fulcrum of trust.
In the blockchain arena, esteemed auditors like Trail of Bits, Halborn, and OpenZeppelin have dedicated years to the examination and rectification of numerous smart contracts, conducting their operations with the highest degree of professionalism and earning robust trust.
**The Dispute Between CertiK and Kraken**
On the 17th of May, CertiK researchers unearthed a flaw within Kraken’s Digital Asset Exchange that affected the balance calculation and deposit system. The Kraken Security Team promptly classified this as a critical concern and rectified it in a mere 47 minutes.
**The Double Spend Dilemma**
At first glance, this vulnerability might seem harmless, but it paves the way for malefactors to execute a “double spend”: they can feign a deposit into the exchange and, once the balance is erroneously updated, withdraw an equivalent sum. Because a centralized exchange, much like a bank, holds customer funds in a pooled treasury, the withdrawal siphons real funds from the exchange’s primary treasury wallet rather than from any deposit the attacker actually made.
CertiK disclosed a series of sham deposit transactions that exploited this flaw at least 20 times across five days, under the guise of testing Kraken’s detection capabilities.
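To make the failure mode concrete, the following toy ledger is an added illustration and is not code from the article, from Kraken, or from CertiK. It places a deposit handler that credits a balance on an unverified deposit notice beside a hardened handler that credits only a confirmed, sufficiently buried, not-yet-credited deposit. The status values, the confirmation threshold, the account names and the sample notices are all assumptions constructed for the example.

```python
"""Toy exchange ledger showing why a deposit must be final before it is credited.

Hypothetical example: the data model, status strings and threshold are assumptions,
not the design of any real exchange.
"""
from dataclasses import dataclass, field

REQUIRED_CONFIRMATIONS = 6  # assumed policy value for this example


@dataclass
class DepositNotice:
    tx_id: str
    account: str
    amount: int          # smallest unit (e.g. satoshi); integers avoid float rounding
    status: str          # "pending", "confirmed" or "failed", as reported by a chain watcher
    confirmations: int


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)
    credited: set = field(default_factory=set)   # tx_ids already credited (idempotency)

    def credit_on_notice(self, d: DepositNotice) -> None:
        """Vulnerable: trusts the notice without checking status or finality.
        A deposit that failed, or is later reorganised away, still leaves a
        withdrawable balance backed by the exchange's own treasury."""
        self.balances[d.account] = self.balances.get(d.account, 0) + d.amount

    def credit_if_final(self, d: DepositNotice) -> bool:
        """Hardened: credit only a confirmed, deep enough, previously uncredited deposit."""
        if d.status != "confirmed":
            return False
        if d.confirmations < REQUIRED_CONFIRMATIONS:
            return False
        if d.tx_id in self.credited:   # the same transaction replayed must not credit twice
            return False
        if d.amount <= 0:
            return False
        self.credited.add(d.tx_id)
        self.balances[d.account] = self.balances.get(d.account, 0) + d.amount
        return True

    def withdraw(self, account: str, amount: int) -> bool:
        """A withdrawal succeeds only against the recorded balance."""
        if amount <= 0 or self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        return True


# Constructed sample notices; none correspond to real transactions.
FAILED_DEPOSIT = DepositNotice("tx-fail-01", "alice", 1_000_000, "failed", 0)
SHALLOW_DEPOSIT = DepositNotice("tx-ok-02", "alice", 1_000_000, "confirmed", 1)
GOOD_DEPOSIT = DepositNotice("tx-ok-01", "alice", 1_000_000, "confirmed", 12)


def vulnerable_flow() -> bool:
    """True if a withdrawal against a failed deposit is (wrongly) allowed."""
    ledger = Ledger()
    ledger.credit_on_notice(FAILED_DEPOSIT)
    return ledger.withdraw("alice", 1_000_000)


def hardened_flow() -> dict:
    """Outcome of each step when the hardened crediting path is used."""
    ledger = Ledger()
    return {
        "failed_credited": ledger.credit_if_final(FAILED_DEPOSIT),
        "shallow_credited": ledger.credit_if_final(SHALLOW_DEPOSIT),
        "withdraw_before_finality": ledger.withdraw("alice", 1_000_000),
        "good_credited": ledger.credit_if_final(GOOD_DEPOSIT),
        "replay_credited": ledger.credit_if_final(GOOD_DEPOSIT),
        "withdraw_after_finality": ledger.withdraw("alice", 1_000_000),
        "second_withdraw": ledger.withdraw("alice", 1_000_000),
    }


if __name__ == "__main__":
    print("vulnerable path allows withdrawal on failed deposit:", vulnerable_flow())
    print("hardened path:", hardened_flow())
```

The design point is that the deposit notice is untrusted input: crediting is gated on the chain's final state and keyed by transaction id, so neither a failed transaction nor a replayed confirmed one can mint balance, and the withdrawal check then only ever sees funds the exchange has actually received.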
**Ethical Hacking: A Delicate Practice**
The essence of white hat hacking lies in its subtlety. Its objective is to amplify application security, fostering trust and transparency without undermining the vendor’s enterprise.
Yet, the stark reality is that ethical hackers can sometimes be driven by public relations, seeking sensational headlines over ethical conduct. For instance, a headline declaring “CertiK Secretly Extracts $3 Million from Kraken” would undoubtedly captivate more attention than one stating “Researchers Uncover a Critical Flaw in Kraken, Preventing Potential Losses.”
**The High-Stakes Game of Trust**
Ethical hackers are expected to report their discoveries promptly and maintain minimalistic proof-of-concept to avoid disrupting the vendor’s operations. Exceptions arise when vendors sanction penetration tests, setting predefined boundaries and ethical guidelines.
Regrettably, in this instance, CertiK continued its unsanctioned penetration testing for four days after the initial successful proof-of-concept, diverging from the expected protocol of immediate reporting and fund restitution.
**Fostering Trust Within the Industry**
The industry must unite and safeguard each other, transcending the allure of detrimental headlines that could impact competitors.
Despite setbacks, the collective effort to enhance security measures and foster innovation persists. Sharing sensitive and valuable data amongst rivals is vital, as ultimately, security is a collective endeavor.
Progress within the industry hinges on mutual trust among the “good guys.” The mindset shouldn’t be adversarial; rather, it should focus on the shared goal of the greater good.
**Shahar Madar: A Proponent of Security and Trust**
Shahar Madar, the Vice President of Security and Trust Products at Fireblocks, excels in crafting security, identity, compliance, and governance solutions tailored for large enterprises and renowned brands. Additionally, he serves as the Vice Chairman of Crypto ISAC, a non-profit consortium committed to propelling security initiatives within the cryptocurrency sphere.
This article is intended solely for informational purposes and should not be construed as legal or investment advice. The perspectives and opinions presented herein are solely those of the author and do not necessarily align with those of Cointelegraph.