On Sunday, FTX and its affiliated debtors released their first report which identifies and discusses control failures by FTX Group’s previous management team in critical areas such as management and governance, finance and accounting, digital asset management, information security and cybersecurity.
The debtors also claimed in a 39-page sharply worded report filed with the US Bankruptcy Court in the District of Delaware that FTX lacked fundamental accounting and financial controls and was run by a small group of employees who “stifled dissent.”
“FTX Group was tightly controlled by a small group of individuals who falsely claimed to manage FTX Group responsibly, but in fact showed little interest in instituting oversight or implementing an appropriate control framework,” FTX CEO John J. Ray III said.
The report is based, among other things, on the debtors’ study of terabytes of electronic data and conversations, more than one million documents, and interviews with 19 former FTX Group workers.
“While the FTX Group’s failure is novel in the unprecedented scale of harm it caused in a nascent industry, many of its root causes are familiar: hubris, incompetence, and greed,” they said.
The debtors characterize the FTX leadership pre-bankruptcy to be centered among the founders, Sam Bankman-Fried, Gary Wang, and Nishad Singh. Bankman-Fried, Singh, and Wang held the majority of critical decision-making and authority, and various significant responsibilities were not assigned to other executives or managers, even when such individuals were hired.
“Commenting on Wang’s and Singh’s control over the FTX Group’s technology development and architecture, an FTX Group executive stated that ‘if Nishad [Singh] got hit by a bus, the whole company would be done. Same issue with Gary [Wang]’,” the report said.
The report also disclosed that former FTX.US President Brett Harrison apparently “resigned following a protracted disagreement with Bankman-Fried and Singh over the lack of appropriate delegation of authority, formal management structure, and key hires.”
Similarly, after expressing concerns about Alameda’s lack of corporate controls, capable leadership, and risk management less than three months after being hired and shortly after learning about Alameda’s use of a North Dimension bank account to send money to customers of the FTX exchanges, a lawyer within the FTX Group was summarily terminated.
The debtors also described the FTX founders lacking “independent or experienced finance, accounting, human resources, information security, or cybersecurity personnel or leadership, and lacked any internal audit function whatsoever.” Board oversight, they said, was also effectively non-existent.
The company also did not have an appropriate organizational structure, according to the debtors, noting that “the FTX Group was organized as a web of parallel corporate chains with various owners and interests, all under the ultimate control of Bankman-Fried.”
“At the time of the bankruptcy filing, the FTX Group did not even have current and complete lists of who its employees were,” the report noted.
The debtors said that FTX was operating in 250 jurisdictions, controlled tens of billions of dollars of assets across its various companies, engaged in as many as 26 million transactions per day, and had millions of users at its peak. But despite this, “the FTX Group lacked fundamental financial and accounting controls.”
“Key executive functions, including those of Chief Financial Officer, Chief Risk Officer, Global Controller and Chief Internal Auditor, were missing at some or all critical entities. Nor did the FTX Group have any dedicated financial risk, audit, or treasury departments,” the report said.
According to the investigation, FTX outsourced practically all of its fundamental accounting functions to an unnamed external accounting firm, and the accounting firm appeared to have no specialist knowledge of cryptos or international financial markets.
“There is no evidence that the FTX Group ever performed an evaluation of whether its outside accountants were appropriate for their role given the scale and complexity of the FTX Group’s business, or whether they possessed sufficient expertise to account for the wide array of products in which the FTX Group transacted,” said the report.
Another concern raised in the report was the use of Slack to submit expenses and invoices, which were then approved with emoji.
Fifty-six firms in the FTX Group did not produce any financial statements. Thirty-five FTX Group businesses utilized QuickBooks as their accounting system and managed their assets and obligations using a jumble of Google documents, Slack conversations, shared files, Excel spreadsheets, and other non-enterprise solutions.
“QuickBooks was not designed to address the needs of a large and complex business like that of the FTX Group, which handled billions of dollars of securities, fiat currency, and cryptocurrency transactions across multiple continents and platforms,” the report added.
The report also noted that FTX had no comprehensive, centralized source of information reflecting the purpose of some of its significant accounts, many of which were opened using names and email addresses that were not obviously linked to any of the FTX Group entities.
Additional accounts were made with pseudonymous email addresses, shell corporations set up for this reason, or in the names of individuals not linked to the company.
In addition, “while the FTX Group employed software developers and a single dedicated IT professional, it had no dedicated personnel in cybersecurity.”
The FTX Group also kept the private keys to its crypto assets in its Amazon Web Services-leased cloud computing environment, which includes over a thousand servers and related system architecture, services, and databases.
When it came to intercompany transactions, the FTX Group observed no discernible corporate procedures. Assets and liabilities were routinely transferred between FTX Group firms and insiders without sufficient procedure or paperwork.
“Alameda routinely provided funding for corporate expenditures (e.g., paying salaries and other business expenses) whether for Alameda, for various other Debtors, or for FTX Digital Markets, and for venture investments or acquisitions whether for Alameda or for various other Debtors,” the report added.
The debtors also reported that “extraordinary privileges” were granted to Alameda, noting that “the FTX Group configured the codebase of FTX.com and associated customer databases to grant Alameda an effectively limitless ability to trade and withdraw assets from the exchange regardless of the size of Alameda’s account balance, and to exempt Alameda from the auto-liquidation process that applied to other customers.”
In an internal communication, Bankman-Fried described Alameda as “hilariously beyond any threshold of any auditor being able to even get partially through an audit.”
“Alameda is unauditable. I don’t mean this in the sense of ‘a major accounting firm will have reservations about auditing it’; I mean this in the sense of ‘we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history.’ We sometimes find $50m of assets lying around that we lost track of; such is life,” the report quoted Bankman-Fried.
The report also claimed that FTX failed to implement “basic, widely accepted” security safeguards to protect its crypto assets.
These include storing practically all crypto assets in hot wallets that are connected to the internet, making them more vulnerable to theft.
“The FTX Group undoubtedly recognized how a prudent crypto exchange should operate, because when asked by third parties to describe the extent to which it used cold storage, it lied,” the report said.
It points to a response by Bankman-Fried in 2019 to a customer query on Twitter, answering that FTX use the “standard hot wallet/cold wallet setup.”
“These representations were false. None of FTX.com, FTX.US, or Alameda had a system in place to monitor or move to cold wallets crypto assets in excess of the amount needed to cover two days of trading activity, and they did not use offline, air-gapped, encrypted, and geographically distributed laptops to secure crypto assets,” said the report.
In fact, FTX employees are also uncertain themselves of the firm’s use of cold storage, the report said. One employee noted “it’s ab[ou]t 70% cold and 30% hot,” adding he had been instructed that this information was not to be shared with regulators unless it was specifically requested. Another employee said that if non-regulators were asking the question, they respond with “10% in hot wallet, and 90% in cold wallet.”
It also failed to adequately enforce the use of multi-factor authentication (MFA) among its employees and corporate infrastructure. It did not, for example, need multi-factor authentication for Google Workspace or its password management tool.
“The deficiency is ironic given that the FTX Group recommended that customers use MFA on their own accounts, and Bankman-Fried, via Twitter, publicly stressed the importance of ‘2FA [Two- factor authentication],’ a form of MFA, for crypto security,” the report highlighted.
The debtors also said that FTX failed to “employ multi-signature capabilities.”
“In the few instances in which the FTX Group even attempted to employ these controls, it misapplied them: for each wallet, the FTX Group stored together, in one place, all three private keys required to authorize a transfer such that any individual who had access to one had access to all the keys required to transfer the contents of the wallet, thus defeating the purpose of the controls,” said the report.
Related, FTX also allegedly “failed to manage or implement any appropriate system to attempt to manage private keys.” The debtors cited examples of this failure, including identifying “private keys to over $100 million in Ethereum assets stored in plain text and without encryption on an FTX Group server,” and “private keys… [enabling] access to tens of millions of dollars in crypto assets that were stored in plain text and without encryption.”
Alameda also lacked appropriate documentation as to the description or usage of private keys, according to the debtors, citing an example key for $600 million dollars’ worth of crypto assets that “was titled with four non-descriptive words, and stored with no information about what the key was for, or who might have relevant information about it.”
“The Debtors identified other keys to millions of dollars in crypto assets that were simply titled ‘use this’ or ‘do not use,’ with no further context,” said the report.
FTX’s debtors said they have “recovered and secured in cold storage over $1.4 billion in digital assets, and have identified an additional $1.7 billion in digital assets that they are in the process of recovering.”
Regulators have already sued Bankman-Fried for the crypto exchange’s collapse and a trial is set for October. While the founder has pled not guilty, his cohorts–Alameda CEO Caroline Ellison, Wang, and Singh–have all pled guilty to charges and are working with authorities to build the case.
Information for this briefing was found via the sources mentioned. The author has no securities or affiliations related to this organization. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.