Empire Newsletter: What CertiK-Kraken says about crypto exchange security

Plus, airdrops have a branding problem


rafapress/Shutterstock modified by Blockworks


Tom vs. Jerry

I had more questions than answers (ah, the life of a journalist) about the Kraken and CertiK situation.

While Kraken says the funds have been returned, I picked up the phone and called someone with a vast security background.

Enter Charles Guillemet, Ledger’s chief technology officer, who had some thoughts on the whole incident and white-hat hackers in general.

Yesterday, I highlighted some takes around the use of Tornado Cash by the US-based CertiK, but that’s not the only thing that caught Guillemet’s eye. He says the withdrawal of XMR — privacy coin Monero in case you’ve skipped some of David’s previous segments — is suspicious because, well, it’s a privacy coin.

Add ChangeNow, a self-styled non-custodial exchange, into the mix. In Guillemet’s experience, ChangeNow is generally one of the top picks for attackers who are trying to hide crypto. It’s often used by bad actors because it doesn’t require proper know-your-customer checks before facilitating swaps from one token to another.

It was also weird that there were video calls between CertiK and Kraken. And don’t even get him started on the millions withdrawn (he maintains you can exploit as little as $5 to prove the bug and then report it for a bounty). 

However, the five-day time period in which the researchers were testing the exploit isn’t that strange. 

Guillemet, who started off in the broader cybersecurity world before catching the crypto bug in 2017, said the “behavior that we see in blockchain and crypto when it comes to white hat [hacking] is really weird from my standpoint.”

“Sometimes you have a white hat, supposedly, who finds a vulnerability on some smart contract. It completely drains the smart contract and then gives back like 90%, choosing its reward [of] 10%. This kind of behavior, for me, is extortion. It seems to be okay. It seems to be white hat behavior,” Guillemet said.

“But I completely disagree with this. When you do security research, you don’t choose your reward. You don’t do extortion. What you do is report the vulnerability and hope for a reward […] This is how white hat should operate. And in crypto, it’s not always the case, and it’s a bit disturbing for me, and it’s also disturbing for other security guys in the field,” he continued.

With the matter more-or-less resolved, we may never get satisfying answers to the many unanswered questions about what exactly happened. CertiK said it wasn’t trying to exploit or “extort” funds from the exchange, contrary to claims made by Kraken’s CSO Nick Percoco.

Let’s look at the bigger picture here. In this case, Kraken has assured that user funds were safe the entire time, and the millions that were briefly missing were taken from its treasury.

But does this mean users should be keeping their crypto on exchanges?

The simple answer from Guillemet is no. 

“As a user, you shouldn’t use an exchange to store your crypto. If you need to store your crypto, you need a wallet and you need to self-custody,” he said. It may seem obvious coming from Guillemet, a CTO of a wallet company, but his point is that exchanges aren’t made to store your crypto. 

(So if you told your family about crypto at the dinner table a few years ago and they bought into it, maybe just double-check that they have it stored away safe and sound.)

The simplest way to improve the space is obviously investing in security, but the more difficult path forward is for security teams to stay humble, Guillemet said. 

“Attackers will get better and better and we as an ecosystem must be humble and always raise the bar for security because this is a cat-and-mouse game and the stakes are getting higher.”

— Katherine Ross

Data Center

  • BTC is at monthly lows, down nearly 4% to $63,680.
  • ETH dominance jumped from 17.88% to 18.77% in the past week as altcoins drained.
  • Base memecoin BRETT has flipped Solana dog coin BONK, worth $1.4 billion to $1.34 billion.
  • CEXs have liquidated margin traders for $133.44 million in the past day; 75% of those liquidations were long positions.
  • Arbitrum and Blast are neck-and-neck for weekly derivatives volume, $11.99 billion to $11.34 billion. Hyperliquid follows with $7.6 billion. 

Don’t call it an airdrop

Airdrops have a branding problem.

LayerZero really wants you to know its token launch is not an airdrop. Its new token, ZRO, is a reward for donating $0.10 in crypto toward Ethereum layer-1 development. The LayerZero foundation says it will match all contributions up to $10 million.

The team’s intentions may have been in the right place, but the market doesn’t seem to care for it. The not-airdropped ZRO has taken a beating, down 30% since yesterday’s launch.

“Airdrops” were intended to help distribute token supplies equitably while inspiring a community to build around the protocol. 

But, as LayerZero explained in its blog post, airdrop farming and automated Sybil campaigns are now so efficient at collecting free tokens that too much supply goes to parties with little interest in the long-term success of the projects.  

Still, despite all their problems, token launches via airdrops are really common. Of the current top 200 or so cryptocurrencies by market cap, around 50 have been launched since January 2022. 

Half of those were initially distributed via an airdrop, worth between 1.5% and 20% of the total supply. And if you remove memecoins, Runes and Ordinals, seven out of the remaining 13 airdrop tokens have risen in price since they launched. Not a bad strike rate, although their median return to date is minus 30%.

It’s difficult to properly compare token airdrops as they’re usually apples to oranges, with all sorts of tokenomics quirks and utilities. 

But comparing performance of airdropped tokens against other kinds of token generation events — generally launchpads and initial coin offerings — suggests it may just be difficult to launch a token that goes up at all.

Of the 15 tokens to launch in ways other than airdrops over the past two and a half years, seven have maintained value above their initial trade price, with a median return of minus 29%. That’s practically the same as the airdrops.

Perhaps the market will fall back in love with exchange launchpads and launchpools.

Base AMM token AERO and RWA asset ONDO were both clear outliers in this very quick analysis, having both gone 10x since they first hit the market through straightforward token launches, even after their recent healthy corrections.

For what it’s worth, the Worldcoin Orb actually presents a fix for many of the woes plaguing airdrops: Allow only WorldID holders to claim the airdrop, relying on biometric-fueled “proof of humanity” to defeat the Sybil bots.

But so far there seems to be little interest. Sad.

— David Canellis

The Works

  • Standard Chartered is plotting a spot crypto desk for bitcoin and ether, Bloomberg reported.
  • The Winklevoss twins, Cameron and Tyler, both said on X that they’re donating $1 million each to former president Donald Trump’s campaign.
  • Rep. French Hill and Rep. Chrissy Houlahan visited Binance executive Tigran Gambaryan in Nigeria where he’s being detained “wrongfully.” 
  • LayerZero token claims opening led to a record daily revenue for Arbitrum, The Block reported.
  • CryptoQuant CEO Ki Young Ju said the German government was selling off portions of its seized bitcoin stash.

The Riff

Q: What should world governments do with seized crypto?

Political answer: Sell it to fund initiatives to combat addiction and homelessness.

Crypto answer: Hold it, don’t touch it. If you can stake it directly to the blockchain, do that and earn a yield.

Correct answer: Spend it on normal budget things. Use it as money. Pay salaries.

If the merchants, services, contractors or whoever else don’t accept crypto, encourage them to start or else the government takes its business elsewhere.

— David Canellis

This is one of those rare (and boring) times where I fully agree with David. 

I think there’s a lot further to go before more countries are ready to hodl any crypto, even bitcoin (sorry El Salvador). 

So, while billions worth of bitcoin being sold is gonna cause some pain, I’m in favor of countries offloading their stashes to not only allow more diamond hands to come in, but also to — hopefully — use the money raised for some sort of good. 

Even just paying salaries is enough for me. 

— Katherine Ross
