Web3 Lawyer: Cryptocurrency security company CertiK and Kraken tear each other apart, will white hats turn into black hats too?

PANews
1 year ago

The infighting in the crypto industry is truly exciting. Just recently, the clash between the crypto security unicorn CertiK and the major American exchange Kraken has left the author feeling bewildered.

Here's what happened: during its security testing, CertiK discovered a serious vulnerability that made it possible to artificially increase the balance of crypto trading accounts on the Kraken platform, and it said it hoped to trigger Kraken's alert threshold through testing. Kraken, however, stated that CertiK's actions went beyond the scope of ordinary security research, accusing it of exploiting the vulnerability for profit and engaging in extortion.

According to CertiK, its testing revealed multiple security vulnerabilities in Kraken's systems which, if left unaddressed, could lead to losses of hundreds of millions of dollars. CertiK emphasized that its actions were aimed at strengthening network security and protecting the interests of all users, and it publicly disclosed the complete testing timeline and the related deposit addresses to demonstrate its transparency and integrity.

Kraken and its CSO Nick Percoco emphasized through social media and public statements that their bug bounty program has clear rules and requires all researchers who discover vulnerabilities to adhere to these rules. Kraken also stated that CertiK's actions had directly threatened the security of its platform and had reported the incident to law enforcement agencies.

This confrontation not only involves technical and security issues but also touches on the boundaries of law and ethics, especially regarding the limits and responsibilities of white-hat hacker activities. This provides a rich background and basis for further exploration of the legal standards for white-hat hackers by the lawyer Man Kun.

Are the actions of white-hat hackers legal?

Strictly speaking, the actions of white-hat hackers look very similar to illegal intrusion into computer systems. In the vast majority of cases, however, white-hat hackers are not treated as engaging in illegal activity, because the purpose and the process of their actions fundamentally differ from those of criminal activity.

On the blockchain, white-hat hackers help companies and organizations establish a more secure network environment by discovering and patching vulnerabilities, thereby enhancing the reliability and credibility of the network and making a positive contribution to the overall security and stability of the blockchain.

Does receiving compensation affect the evaluation of white-hat hackers? Compensation serves as an effective incentive mechanism, attracting more talent to engage in network security, thereby enhancing the overall security of the industry. For companies and organizations, it is also a cost-effective way to fix vulnerabilities and can help establish an image of prioritizing network security. Therefore, it is generally accepted in the industry for white-hat hackers to receive reasonable fees.

Is CertiK a white-hat hacker in this case?

In the dispute between CertiK and Kraken, one of the core issues is the boundary of CertiK's behavior. CertiK's behavior, especially the motivation and legality of transferring $3 million to an external wallet, has become a focal point of debate.

Lack of transparency in behavior

CertiK is a security company that collaborates with Kraken and could have secured full authorization before commencing testing. Meanwhile, according to the community and Kraken's disclosures, CertiK did not mention the specific transfer amount when reporting the vulnerability, and only disclosed its "entire testing address" after Kraken demanded the return of $3 million, in order to prove that it had not transferred the amount Kraken alleged.

Actual fund transfer

According to Kraken and blockchain detective @0xBoboShanti, CertiK's security researchers had been probing and testing as early as May 27, contradicting CertiK's timeline of events. Furthermore, during subsequent vulnerability testing, although CertiK claimed that the operations were to test whether Kraken's alert system could trigger in a timely manner, in practice, this testing went beyond just discovering vulnerabilities, as CertiK also transferred the funds to an independent wallet address. This behavior exceeded the scope of regular security testing. It was disclosed that CertiK had previously performed the same operation on multiple exchanges and had also used Tornado Cash to transfer assets and ChangeNOW for selling.

Both of these situations likely exceeded the boundary of white-hat hacker behavior.

Legal definition becomes crucial

From a legal perspective, the actions of white-hat hackers are generally considered legal, but under the condition that these actions comply with certain norms and conditions.

In the United States, laws closely related to white-hat hacker activities mainly include the Computer Fraud and Abuse Act (CFAA). According to the CFAA, any unauthorized access or access beyond the authorized scope to a protected computer may constitute a crime. For white-hat hackers, their actions usually need to be conducted within explicitly obtained authorization; otherwise, even if it is for the purpose of security testing, it may violate the CFAA. In addition, with technological advancements, some regions have gradually developed more specific regulations to guide and protect the actions of white-hat hackers.

In China, the Cybersecurity Law explicitly emphasizes the overall requirements to enhance network security protection and strengthen cyberspace management. This means that network intrusion, even if it is for security testing purposes, may be considered illegal. At the same time, the law emphasizes the protection of personal data and privacy. Any operations involving personal data in network testing must ensure the security and privacy of the data. After discovering security vulnerabilities, there is a responsibility to promptly report to the network security management agency and the affected network operator. This reporting mechanism aims to promptly patch vulnerabilities and prevent their abuse.

However, in the Web3.0 industry some white-hat tests may also involve fund transfers. This is usually done either with the project's consent (for example, when the project has a related grant program) or by transferring the crypto funds to a specific independent wallet for safekeeping (with no further action), and then reporting the vulnerability to receive a reward from the project; this too is an industry convention.

Nevertheless, in CertiK's case the actual fund transfer, and especially the subsequent operations, raises complex legal issues. On one hand, there is the question of whether CertiK had a personal motive for the fund transfer; on the other hand, CertiK did not comply with Kraken's explicit requirements for white-hat hackers and instead proved the same vulnerability by transferring funds again, and CertiK's subsequent handling of the transferred funds may be considered illegal profiteering. In addition, how CertiK handled the situation afterwards, including its communication and coordination with Kraken, will also affect the legal assessment of its actions.

Conclusion and Reflection

Since the controversy between Kraken and CertiK is entirely a legal matter in the United States, it is difficult for the lawyer Man Kun to express an opinion under U.S. law. However, had it occurred under Chinese law, CertiK's actions would likely face charges of extortion and illegal intrusion into computer systems.

Indeed, white-hat hackers may "turn black" in certain situations. Even if the initial intent was to enhance system security, conducting testing without proper authorization or exploiting discovered vulnerabilities for personal gain deviates from the legal and ethical standards expected of white-hat hackers. As the CertiK and Kraken incident demonstrates, unauthorized fund transfers, especially those involving large sums of money, may be considered black-hat behavior even if they are carried out for testing purposes.

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes on any rights, please send the relevant proof of rights and proof of identity by email to support@aicoin.com, and the platform's staff will investigate.
