The new team in charge of the FTX bankruptcy have released their first interim report on the failures of control at FTX and related businesses.
It's 43 pages long, let's go through it 🧵
https://www.courtlistener.com/docket/65748821/1242/1/ftx-trading-ltd/
#FTX #FTXcollapse
Exhibit A – #1242, Att. #1 in FTX Trading Ltd. (Bankr. D. Del., 22-11068) – CourtListener.com
Exhibit(s) (Notice of Filing First Interim Report of John J. Ray III to the Independent Directors on Control Failures at the FTX Exchanges) Filed by FTX Trading Ltd.. (Attachments: # 1 Exhibit A) (Pierce, Matthew) (Entered: 04/09/2023)
The debtors reiterate the stunning lack of recordkeeping and controls at FTX: "Normally, in a bankruptcy involving a business of the size and complexity of the FTX Group, particularly a business that handles customer and investor funds, there are readily identifiable records, data sources, and processes that can be used to identify and safeguard assets of the estate. Not so with the FTX Group."
"Upon assuming control, the Debtors found a pervasive lack of records and other evidence at the FTX Group of where or how fiat currency and digital assets could be found or accessed, and extensive commingling of assets."
FTX executives "stifled dissent, commingled and misused corporate and customer funds, lied to third parties about their business, [and] joked internally about their tendency to lose track of millions of dollars in assets"
Debtors are having to cobble together financial records from what they're able to find in QuickBooks and Slack records 💀
It sounds like the debtors are limited somewhat by the fact that laptops belonging to SBF and other high-level insiders are currently in the hands of the Bahamian Joint Provisional Liquidators, who've been less than cooperative (according to the US team, at least).
Nishad Singh, Gary Wang, and Caroline Ellison have all pled guilty and are cooperating with the DOJ, making it infeasible for the debtors to interview them for bankruptcy purposes until after the criminal trial is over. They have interviewed others, though.
"The FTX Group lacked independent or experienced finance, accounting, human resources, information security, or cybersecurity personnel or leadership, and lacked any internal audit function whatsoever. Board oversight, moreover, was also effectively non-existent."
“if Nishad [Singh] got hit by a bus, the whole company would be done. Same issue with Gary [Wang]."
Some new context on the sudden resignation of Brett Harrison in September 2022: he "resigned following a protracted disagreement", after which his bonus was drastically reduced.
In a separate instance, a lawyer who was hired only three months prior, who learned about the North Dimension bank accounts, was "summarily terminated after expressing concerns about Alameda’s lack of corporate controls, capable leadership, and risk management."
"At the time of the bankruptcy filing, the FTX Group did not even have current and complete lists of who its employees were."
"As a general matter, policies and procedures relating to accounting, financial reporting, treasury management, and risk management did not exist, were incomplete, or were highly generic and not appropriate for a firm handling substantial financial assets."
More QuickBooks shade.
"Fifty-six entities within the FTX Group did not produce financial statements of any kind. Thirty-five FTX Group entities used QuickBooks as their accounting system and relied on a hodgepodge of Google documents, Slack communications, shared drives, and Excel spreadsheets and other non-enterprise solutions to manage their assets and liabilities"
"Approximately 80,000 transactions were simply left as unprocessed accounting entries in catch-all QuickBooks accounts titled 'Ask My Accountant.'"
Sam Bankman-Fried: "Alameda is unauditable... we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history. We sometimes find $50m of assets lying around that we lost track of; such is life"
"Thousands of deposit checks were collected from the FTX Group’s offices, some stale-dated for months, due to the failure of personnel to deposit checks in the ordinary course; instead, deposit checks collected like junk mail."
Transfers in the tens of millions of dollars were approved via Slack emoji, or discussed in disappearing Signal or Telegram chats.
"Only four months after the real estate purchase had closed did the employee enter into a promissory note with Alameda in which he undertook to repay the funds used to purchase the property. Other insiders received purported loans from Alameda for which no promissory notes exist."
Accounts were opened using names and email addresses that were not obviously linked to FTX, using pseudonymous email addresses, in the names of shell companies created for these purposes, or in the names of individuals (including individuals with no direct connection FTX)
"Alameda also transferred funds to insiders to fund personal investments, political contributions, and other expenditures—some of which were nominally 'papered' as personal loans with below-market interest rates and a balloon payment due years in the future."
The document reiterates known allegations about Alameda's "unique ability to trade and withdraw virtually unlimited assets [on FTX], regardless of the size of its account balance and without risk of its positions being liquidated."
The FTX group had no cybersecurity staff whatsoever.
FTX stored private keys to its crypto wallets in AWS ðŸ«
"[FTX] kept virtually all crypto assets in hot wallets... [FTX] undoubtedly recognized how a prudent crypto exchange should operate, because when asked by third parties to describe the extent to which it used cold storage, it lied."
An employee wrote in internal communications that they had been "instructed that this information was not to be shared with regulators unless it was specifically requested. Another FTX Group employee responded that if the question was being posed by 'non-regulators,' then 'we say 10% in hot wallet, and 90% in cold wallet'"
FTX generally didn't use multisigs. When they did, they stored all of the keys together in one place, thus defeating the purpose.
Debtors give multiple examples of irresponsible key storage. Keys to >$100M stored in unencrypted plaintext, for example, or in tools unsuitable for the job. Keys were often accessible by many employees with no auditing. Keys were poorly labeled, with names like "use this".
swear to god my palms just started sweating reading that lol
"Passwords for encrypting the private keys of wallet nodes were stored in plain text, committed to the code repository (where they could be viewed by many and were vulnerable to compromise), and reused across different wallet nodes"
"Over a dozen people had direct or indirect access to the FTX.com and FTX.US central omnibus wallets, which held billions of dollars in crypto assets"
FTX didn't enforce use of multi-factor authentication for Google Workspace or 1Password, which the debtors note is ironic given tweets like this:
FTX "failed by any measure" to perform basic cybersecurity practices including "creation and collection of logs that record and reflect activity within the computing environment, and systems to alert designated personnel to suspicious activity."
"Due to the lack of such controls, the FTX Group did not learn of the November 2022 Breach until the Debtors’ restructuring advisor alerted employees after observing, via Twitter and other public sources, that suspicious transfers appeared to have occurred"
Unsurprisingly given their lack of attention to cybersecurity, FTX didn't use any endpoint protection and failed to patch their software — in one case running software nearly 4 years out of date.
Nishad Singh was supposed to be in charge of cybersecurity, but wouldn't even provide the IT person with ID information of the corporate devices he was using.
Application secrets that could've transferred billions of dollars' worth of crypto assets from hot wallets or third party exchanges were stored in widely accessible source code repositories.
FTX was "highly vulnerable" to supply chain attacks and "did not review, test, or otherwise deploy its code in a manner that sufficiently ensured that it was functioning as expected and free of vulnerabilities that might be leveraged by malicious actors."
While outlining some of the difficulties they faced in identifying and securing crypto assets, the debtors say they "had to engineer technological pathways to transfer many types of assets they identified to cold storage because the FTX Group had never engaged in the computer engineering necessary to make those transfers possible."
The report concludes by stating that the debtors have recovered and secured more than $1.4 billion in crypto assets, and have identified another $1.7 billion they're working to recover.
@molly0xfff it’s almost like the whole thing was a scam….. almost
@masterdon @molly0xfff It really feels more like a bunch of teenagers who are screwing around with no thought of consequences. If it were intended as a scan, you'd think they would be more competant at it.
Molly White
Elon Musk stick
Michael Kohne