One month ago this same company found a bug with a 2 million dollar bug bounty.
The bug would let them drain funds from a crypto exchange by sending funds to the exchange on the blockchain, but then after sending, reverting the part of the transaction that sent the funds, while keeping the overall transaction alive. The software at the exchange was fooled into counting the reverted transfer as actually happening. [0]
So what do you do when you find an incredibly critical bug with a 2 million dollar bug bounty?
CertiK researchers chose to steal 3 million.
Then when they stole it, they exchanged the bulk of the coins for other coins, and sent some of the funds to an OFAC sanctioned entity. CertiK did not report the massive bug that they were exploiting live, in the wild, in public view, for ten days. When they finally did report it for the 2 million dollar bug bounty, CertiK did not mention the 3 million dollars that they stole. When confronted about it, they referred all questions to the sales team, who made demands and refused to return the money. Two weeks of refusing to return the money pass by before the head of security at the exchange posts the story on Twitter [1], without naming the company.
So what do you do now that there's a story out there that some researchers stole 3 million and won't return it?
CertiK chose to confirm everything on their official Twitter, loudly proclaim that the team that stole the money was them, and claim that the exchange was persecuting them by threatening legal action for the return of the stolen funds. CertiK founders also retweeted these tweets.
After a firestorm of Twitter drama, by the end of the day, CertiK promised to return the stolen funds.
So CertiK is just some random team of anonymous people, right? Nope.
CertiK is a 2 billion dollar market cap company, headquartered in the US, that just did 230 million dollars worth of fundraising.
(CertiK does have a long reputation for working in ways that no one could conclusively prove if their actions were from evil or from incompetence.)
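The bug described in that comment (a value transfer to the exchange's deposit address made inside a sub-call that is then reverted, while the outer transaction is still mined successfully) is easy to reproduce as a deposit-monitor bug. The example below is added here and is not code from the exchange, from CertiK, or from the linked tweets; it uses a constructed internal-call trace in the shape geth's callTracer returns (a tree of frames with `to`, `value`, an `error` field on a frame that reverted, and nested `calls`). The addresses, amounts, and function names are all hypothetical. It shows a naive crediting function that counts the reverted transfer, beside a checked version that discards any frame whose own call or any ancestor call reverted.

```python
"""Constructed demonstration of the reverted-sub-call deposit bug.

Nothing here is from a real exchange or auditor codebase; the trace,
addresses and amounts are made up for illustration. The trace shape
(frames with "to", "value", optional "error", nested "calls") follows
geth's callTracer output, where only the frame that reverted carries
"error": calls nested inside it succeeded locally and have no error
field, even though their state changes were rolled back.
"""

DEPOSIT_ADDR = "0x" + "de" * 20   # hypothetical exchange deposit address
ATTACKER = "0x" + "a7" * 20       # hypothetical EOA sending the tx
CONTRACT = "0x" + "c0" * 20       # hypothetical attacker-controlled contract


def wei(eth: int) -> str:
    """Whole ETH -> hex wei string, as callTracer reports `value`."""
    return hex(eth * 10**18)


# Constructed trace: the outer call succeeds (no "error"), so the tx is
# mined with receipt status 1. Inside it, a sub-call forwards 100 ETH to
# the deposit address and then reverts, undoing the transfer. A separate
# 1 ETH transfer in the same tx is genuine.
TRACE = {
    "type": "CALL", "from": ATTACKER, "to": CONTRACT, "value": "0x0",
    "calls": [
        {
            "type": "CALL", "from": CONTRACT, "to": CONTRACT, "value": "0x0",
            "error": "execution reverted",          # this frame reverted
            "calls": [
                # succeeded locally, so no "error", but rolled back by parent
                {"type": "CALL", "from": CONTRACT, "to": DEPOSIT_ADDR,
                 "value": wei(100), "calls": []},
            ],
        },
        # genuine deposit that should be credited
        {"type": "CALL", "from": CONTRACT, "to": DEPOSIT_ADDR,
         "value": wei(1), "calls": []},
    ],
}


def naive_credits(frame: dict, deposit_addr: str) -> int:
    """Vulnerable: credits every value-bearing call to deposit_addr,
    ignoring whether the frame or any ancestor reverted."""
    total = 0
    if frame.get("to", "").lower() == deposit_addr.lower():
        total += int(frame.get("value", "0x0"), 16)
    for sub in frame.get("calls", []):
        total += naive_credits(sub, deposit_addr)
    return total


def checked_credits(frame: dict, deposit_addr: str, reverted: bool = False) -> int:
    """Hardened: a frame's value transfer only counts if neither it nor any
    ancestor frame reverted. The reverted flag is inherited downwards because
    callTracer marks only the frame that actually errored."""
    reverted = reverted or "error" in frame
    total = 0
    if not reverted and frame.get("to", "").lower() == deposit_addr.lower():
        total += int(frame.get("value", "0x0"), 16)
    for sub in frame.get("calls", []):
        total += checked_credits(sub, deposit_addr, reverted)
    return total


def credit_deposit(receipt_status: int, trace: dict, deposit_addr: str) -> int:
    """Full check a deposit monitor should apply: the transaction must have
    succeeded at the receipt level, and internal transfers are only credited
    when their call frames were not reverted."""
    if receipt_status != 1:
        return 0
    return checked_credits(trace, deposit_addr)


if __name__ == "__main__":
    print("naive  :", naive_credits(TRACE, DEPOSIT_ADDR) / 10**18, "ETH")
    print("checked:", credit_deposit(1, TRACE, DEPOSIT_ADDR) / 10**18, "ETH")
```

The naive walker credits 101 ETH, the checked one credits 1 ETH. The more robust option, if the node exposes it, is to avoid reconstructing credits from the call tree at all and instead diff the deposit address's balance before and after the transaction (geth's prestateTracer in diffMode gives exactly that), since a balance diff cannot be fooled by a reverted frame.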
Crypto is like monopoly money, there is no value outside of what people assign to it, is unusable outside of that specific context, and the "value" can disappear in seconds. If you steal someone's monopoly money, are you liable for theft of the equivalent of that monopoly money's exchange rate on the market (say, it's a rare edition you can sell on Ebay)?
Or like virtual currency in an online game. If someone steals your Robux, can you complain to the FBI?
Generally yes to both. It's imperfect, but the legal system already has longstanding ways of valuing illiquid assets that don't have straightforward market prices (art, houses, used cars, etc.).
In this case who knows what kind of tokens they stole, but if it was Ethereum or Bitcoin, those markets are liquid enough that you don't even have this problem.
[0] https://x.com/danielvf/status/1803780167027871878
[1] https://x.com/c7five/status/1803403565865771370
[2] https://x.com/CertiK/status/1803450205389402215