Empire Newsletter: What CertiK-Kraken says about crypto exchange security

Plus, airdrops have a branding problem





Tom vs. Jerry

I had more questions than answers (ah, the life of a journalist) about the Kraken and CertiK situation.

While Kraken says the funds have been returned, I picked up the phone and called someone with a vast security background.

Enter Charles Guillemet, Ledger’s chief technology officer, who had some thoughts on the whole incident and white-hat hackers in general.

Yesterday, I highlighted some takes around the use of Tornado Cash by the US-based CertiK, but that’s not the only thing that caught Guillemet’s eye. He says the withdrawal of XMR — privacy coin Monero in case you’ve skipped some of David’s previous segments — is suspicious because, well, it’s a privacy coin.

Add ChangeNow, a self-styled non-custodial exchange, into the mix. In Guillemet’s experience, ChangeNow is generally one of the top picks for attackers who are trying to hide crypto. It’s often used by bad actors because it doesn’t require proper know-your-customer checks before facilitating swaps from one token to another.

It was also weird that there were video calls between CertiK and Kraken. And don’t even get him started on the millions withdrawn (he maintains you can exploit as little as $5 to prove the bug and then report it for a bounty). 

However, the five-day time period in which the researchers were testing the exploit isn’t that strange. 

Guillemet, who started off in the broader cybersecurity world before catching the crypto bug in 2017, said the “behavior that we see in blockchain and crypto when it comes to white hat [hacking] is really weird from my standpoint.”

“Sometimes you have a white hat, supposedly, who finds a vulnerability on some smart contract. It completely drains the smart contract and then gives back like 90%, choosing its reward [of] 10%. This kind of behavior, for me, is extortion. It seems to be okay. It seems to be white hat behavior,” Guillemet said.

“But I completely disagree with this. When you do security research, you don’t choose your reward. You don’t do extortion. What you do is report the vulnerability and hope for a reward […] This is how white hat should operate. And in crypto, it’s not always the case, and it’s a bit disturbing for me, and it’s also disturbing for other security guys in the field,” he continued.

With the matter more or less resolved, we may never get satisfying answers to the many unanswered questions about what exactly happened. CertiK said it wasn’t trying to exploit or “extort” funds from the exchange, contrary to claims made by Kraken’s CSO Nick Percoco.

Let’s look at the bigger picture here. In this case, Kraken has assured that user funds were safe the entire time, and the millions that were briefly missing were taken from its treasury.

But does this mean users should be keeping their crypto on exchanges?

The simple answer from Guillemet is no. 

“As a user, you shouldn’t use an exchange to store your crypto. If you need to store your crypto, you need a wallet and you need to self-custody,” he said. It may seem obvious coming from Guillemet, a CTO of a wallet company, but his point is that exchanges aren’t made to store your crypto. 

(So if you told your family about crypto at the dinner table a few years ago and they bought into it, maybe just double-check that they have it stored away safe and sound.)

The simplest way to improve the space is obviously investing in security, but the more difficult path forward is for security teams to stay humble, Guillemet said. 

“Attackers will get better and better and we as an ecosystem must be humble and always raise the bar for security because this is a cat-and-mouse game and the stakes are getting higher.”

— Katherine Ross

Data Center

  • BTC is at monthly lows, down nearly 4% to $63,680.
  • ETH dominance jumped 17.88% to 18.77% in the past week as altcoins drained.
  • Base memecoin BRETT has flipped Solana dog coin BONK, worth $1.4 billion to $1.34 billion.
  • CEXs have liquidated margin traders for $133.44 million in the past day; 75% of them were long positions.
  • Arbitrum and Blast are neck-and-neck for weekly derivatives volume, $11.99 billion to $11.34 billion. Hyperliquid follows with $7.6 billion. 

Don’t call it an airdrop

Airdrops have a branding problem.

LayerZero really wants you to know its token launch is not an airdrop. Its new token, ZRO, is a reward for donating $0.10 in crypto toward Ethereum layer-1 development. The LayerZero foundation says it will match all contributions up to $10 million.

The team’s intentions may have been in the right place, but the market doesn’t seem to care for it. The not-airdropped ZRO has taken a beating, down 30% since yesterday’s launch.

“Airdrops” were intended to help distribute token supplies equitably while inspiring a community to build around the protocol. 

But, as LayerZero explained in its blog post, airdrop farming and automated Sybil campaigns are now so efficient at collecting free tokens that too much supply goes to parties with little interest in the long-term success of the projects.  

Still, despite all their problems, token launches via airdrops are really common. Of the current top 200 or so cryptocurrencies by market cap, around 50 have been launched since January 2022. 

Half of those were initially distributed via an airdrop, worth between 1.5% and 20% of the total supply. And if you remove memecoins, Runes and Ordinals, seven out of the remaining 13 airdrop tokens have risen in price since they launched. Not a bad strike rate, although their median return to date is minus 30%.

It’s difficult to properly compare token airdrops as they’re usually apples to oranges, with all sorts of tokenomics quirks and utilities. 

But comparing performance of airdropped tokens against other kinds of token generation events — generally launchpads and initial coin offerings — suggests it may just be difficult to launch a token that goes up at all.

Of the 15 tokens to launch in ways other than airdrops over the past two and a half years, seven have maintained value above their initial trade price, with a median return of minus 29%. That’s practically the same as the airdrops.

Perhaps the market may fall back in love with exchange launchpads and launchpools.

Base AMM token AERO and RWA asset ONDO were both clear outliers in this very quick analysis, having both gone 10x since they first hit the market through straightforward token launches, even after their recent healthy corrections.

For what it’s worth, the Worldcoin Orb actually presents a fix for many of the woes plaguing airdrops: Allow only WorldID holders to claim the airdrop, relying on biometric-fueled “proof of humanity” to defeat the Sybil bots.

But so far there seems to be little interest. Sad.

— David Canellis

The Works

  • Standard Chartered is plotting a spot crypto desk for bitcoin and ether, Bloomberg reported.
  • The Winklevoss twins, Cameron and Tyler, both said on X that they’re donating $1 million each to former president Donald Trump’s campaign.
  • Rep. French Hill and Rep. Chrissy Houlahan visited Binance executive Tigran Gambaryan in Nigeria where he’s being detained “wrongfully.” 
  • LayerZero token claims opening led to a record daily revenue for Arbitrum, The Block reported.
  • CryptoQuant CEO Ki Young Ju said the German government was selling off portions of its seized bitcoin stash.

The Riff

Q: What should world governments do with seized crypto?

Political answer: Sell it to fund initiatives to combat addiction and homelessness.

Crypto answer: Hold it, don’t touch it. If you can stake it directly to the blockchain, do that and earn a yield.

Correct answer: Spend it on normal budget things. Use it as money. Pay salaries.

If the merchants, services, contractors or whoever else don’t accept crypto, encourage them to start or else the government takes its business elsewhere.

— David Canellis

This is one of those rare (and boring) times where I fully agree with David. 

I think there’s a lot further to go before more countries are ready to hodl any crypto, even bitcoin (sorry El Salvador). 

So, while billions worth of bitcoin being sold is gonna cause some pain, I’m in favor of countries offloading their stashes to not only allow more diamond hands to come in, but also to — hopefully — use the money raised for some sort of good. 

Even just paying salaries is enough for me. 

— Katherine Ross
