Today, FTX’s new management, led by CEO John Ray III, issued its first interim report on the crypto exchange’s control failures. There is a lot to take in.
The 45-page report, released on Sunday afternoon by FTX Trading Ltd and its affiliated debtors, describes FTX’s sloppy record-keeping, non-existent cybersecurity defenses, and lack of expertise in critical areas such as finance.
One of the more intriguing items involved Alameda Research, the trading firm that allegedly had access to billions of dollars in customer funds held by FTX. According to the report, Alameda “frequently had difficulty understanding its positions, let alone hedging or accounting for them.” The report adds that former CEO Sam Bankman-Fried, who is now under house arrest and facing a slew of criminal charges, described Alameda in internal communications as “hilariously beyond any threshold of any auditor being able to even partially complete an audit.”
“Alameda is unauditable,” he continued. “I don’t mean ‘a major accounting firm will have reservations about auditing it,’ but rather ‘we can only guess at what its balances are, let alone something like a comprehensive transaction history.’ We occasionally discover $50 million in assets that we have lost track of; such is life.”
The report also claims that most major decisions were closely controlled by Bankman-Fried and top executives Gary Wang, the CTO, and Nishad Singh, the engineering director, both of whom are now cooperating with authorities after pleading guilty to charges. Wang and Singh had such sway over FTX’s architecture that one former executive said, “If Nishad [Singh] got hit by a bus, the whole company would be done.” “The same thing happened with Gary [Wang],” according to today’s report.
According to the report, FTX had “no dedicated personnel” in cybersecurity, leaving such matters to Singh and Wang, who lacked the experience and training to handle the firm’s complex cybersecurity needs.
The management of private keys and seed phrases, which are used to control access to crypto assets, was shambolic, according to the report. In one case, private keys for more than $100 million in Ethereum assets were stored in plain text, without encryption, on an FTX Group server. In another, single-signature-based keys controlling access to billions of dollars in crypto assets were stored in AWS Secrets Manager or a password vault, both of which were accessible by numerous employees. Many private keys were also stored without backup procedures, meaning that funds would be permanently lost if the associated key was lost. The list goes on and on.
In a statement accompanying today’s report, John Ray III, who succeeded Bankman-Fried as CEO of FTX after its collapse, said, “In this report, we provide details on our findings that FTX Group failed to implement appropriate controls in areas that were critical for safeguarding cash and crypto assets.” FTX Group was tightly controlled by a small group of individuals who falsely claimed to be responsible FTX Group managers but had little interest in instituting oversight or implementing an appropriate control framework.