FTX has filed a new report as part of its ongoing bankruptcy that discusses how failures of internal controls contributed to the firm’s collapse.
The report describes how FTX was led by Sam Bankman-Fried (SBF), with other executives almost universally deferring to him. The report also highlights unmanaged so-called ‘key person risk,’ with one executive saying, “If Nishad (Singh, the firm’s director of engineering) got hit by a bus, the whole company would be done. Same issue with Gary.”
FTX also lacked an internal audit team, and many of its entities worked without key financial and risk personnel including chief financial officers, chief risk officers, or a global controller. However, before FTX’s potential listing on NASDAQ, the company needed to demonstrate that it had internal controls in place. As a result, employees were instructed to adapt versions provided by FTX’s accountants to their own procedures in less than a day.
According to the report, no employees were ever trained to use these procedures.
FTX wallets weren’t multi-sig
Furthermore, FTX had no personnel dedicated to cybersecurity and stored the private keys to its crypto assets ‘hot’ in Amazon Web Services (AWS). This ran contrary to SBF and FTX’s insistence that the company operated separate hot and cold wallets.
Alarmingly, these wallets were not multi-signature wallets, and many private keys and confidential account details were stored in plain text without encryption. Not only that, many had no backup procedure, meaning they could easily be lost.
Alameda keys were sometimes simply labeled ‘use this’ or ‘do not use.’ The passwords for the nodes maintaining many of these wallets were stored in plain text and committed to the code repository, as well as being frequently reused between nodes.
FTX did a poor job of maintaining appropriate privileges and separations between its systems. Many users had access to the various wallets, instead of access being restricted to the smallest possible number of users, and the company even failed to enforce 2FA for its password-management system.
Infrastructure was also shared between FTX, FTX US, and Alameda, preventing these entities from being appropriately segregated. The companies also lacked alerts to flag when any of their wallets or their root AWS credentials were used.
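The missing root-credential alert can be expressed as a filter over CloudTrail records. The following is an added example, not code from the report or from FTX: it applies the widely used rule (identity type `Root`, not invoked by an AWS service) to a constructed log file, and the function names, account ID and IP addresses are placeholders chosen here.

```python
import json

# Constructed CloudTrail-style log file (not real data); IDs and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2022-01-01T10:00:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventTime": "2022-01-01T10:05:00Z", "eventName": "GetSecretValue",
     "eventType": "AwsApiCall", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "accessKeyId": "AKIAEXAMPLEEXAMPLE00"}},
    {"eventTime": "2022-01-01T10:06:00Z", "eventName": "GetSecretValue",
     "eventType": "AwsApiCall", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2022-01-01T10:07:00Z", "eventName": "Decrypt",
     "eventType": "AwsServiceEvent", "sourceIPAddress": "AWS Internal",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
    {"eventTime": "2022-01-01T10:08:00Z", "eventName": "Malformed"},
]})


def is_root_use(event):
    """True when a person or script, not an AWS service, acted as the account root."""
    ident = event.get("userIdentity") or {}
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent")


def root_alerts(log_text):
    """Return one alert dict per root-credential use found in a CloudTrail log file."""
    alerts = []
    for event in json.loads(log_text).get("Records", []):
        if not is_root_use(event):
            continue
        key_id = event["userIdentity"].get("accessKeyId", "")
        alerts.append({
            "time": event.get("eventTime"),
            "action": event.get("eventName"),
            "source_ip": event.get("sourceIPAddress"),
            # AKIA-prefixed IDs are long-lived access keys; a root one should not exist.
            "long_lived_root_key": key_id.startswith("AKIA"),
        })
    return alerts


if __name__ == "__main__":
    for alert in root_alerts(SAMPLE_LOG):
        print(alert)
```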
FTX’s software deployment process also neglected to implement protections to ensure the software being deployed was safe to use, failing to check third-party software and using only minimal code review and testing procedures.
The exchange’s accounting system is also described as inadequate for the scale of its operations. It relied on QuickBooks, Google Documents, Slack, and basic spreadsheets to track its financial situation, with 56 entities not producing financial statements of any kind. Other reports were not produced regularly or on a timely basis, and review of the documents didn’t occur. Key documents, including those documenting related-party loans, weren’t accurate or present.
The report further describes how thousands of ‘deposit checks’ weren’t deposited regularly and would accumulate like ‘junk mail.’
According to the report, Alameda was often unaware of its own positions and it wasn’t possible to determine how many of the positions were marked. One ‘portfolio summary’ reportedly contained the instruction for Alameda employees to “come up with some numbers? idk.” SBF described Alameda as “hilariously beyond any threshold of any auditor being able to even partially get through an audit.”
He added that “we are only able to ballpark what its balances are” and “sometimes find $50 million of assets lying around that we lost track of; such is life.”
Alameda was given an unlimited ability to trade
The report talks about how the FTX group had over 1,000 accounts on crypto exchanges around the world, but kept no centralized record of where they were or how many assets they held. Interestingly, many of the accounts were created with email addresses, names, and shell companies that appeared to have no connection to FTX.
Many of the accounting difficulties were compounded by the fact that assets and liabilities seemed to move fluidly across the enterprise with no respect for formal corporate boundaries or ensuring there was adequate documentation.
The report also reiterates the many special privileges that Alameda was given for trading on FTX. These included having an effectively unlimited ability to trade and withdraw assets, including customer assets, from FTX. It was also exempted from auto-liquidation. Other market makers were sometimes granted credit lines of up to $150 million if their balance went below zero, but none were allowed to withdraw in that state, and Alameda alone had a credit line of $65 billion.
The report also retells the story of Brett Harrison’s resignation from FTX US, highlighting how, after raising concerns about structure and controls at FTX US, his bonus was reduced and he was told to apologize.
The report asserts that the debtors in possession have so far been able to identify over $1 billion worth of crypto assets which were largely undocumented in the records. The process of identifying these included developing software to identify keys that were stored in the computing environment. Millions of documented keys were eventually identified.
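The plaintext storage described earlier (private keys in the clear, node passwords committed to the repository and reused between nodes) is the kind of thing a repository scan can surface. The following is an added example, not the debtors' software or code from the report: it flags unencrypted PEM keys, 256-bit hex strings and password assignments, and reports reuse by fingerprint without printing any secret. The file names, the `rpcpassword` config key and all sample values are assumptions constructed for illustration.

```python
import hashlib
import re

PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?!ENCRYPTED )(?:[A-Z]+ )?PRIVATE KEY-----"),
    # 64 hex chars = 32 bytes, the size of a raw secp256k1 key (hashes match too).
    "hex_256bit": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|rpcpassword)\s*[=:]\s*[\"']?([^\s\"'#]+)"),
}

# Constructed sample files (not from the report); every value is a placeholder.
SAMPLE_FILES = {
    "nodes/node-a.conf": "rpcuser=svc\nrpcpassword=Example-Pass-1\n",
    "nodes/node-b.conf": "rpcuser=svc\nrpcpassword=Example-Pass-1\n",
    "wallets/use_this.txt": "0x" + "ab" * 32 + "\n",
    "deploy/id_key.pem": "-----BEGIN EC PRIVATE KEY-----\n(body omitted)\n",
    "README.md": "Set the password via the secrets manager.\n",
}


def fingerprint(secret):
    """Short SHA-256 tag: lets findings be correlated without echoing the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_files(files):
    """files maps path -> text; returns (findings, reused_passwords)."""
    findings, seen = [], {}
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS.items():
                match = pattern.search(line)
                if not match:
                    continue
                tag = fingerprint(match.group(match.lastindex or 0))
                findings.append((path, lineno, kind, tag))
                if kind == "password_assignment":
                    seen.setdefault(tag, set()).add(path)
    # The same password fingerprint in more than one file means reuse across nodes.
    reused = {t: sorted(p) for t, p in seen.items() if len(p) > 1}
    return findings, reused


if __name__ == "__main__":
    found, reused = scan_files(SAMPLE_FILES)
    for item in found:
        print(*item)
    print("reused passwords:", reused)
```

The hex rule is deliberately broad and will also match hashes, so its hits need review before being treated as key material.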
FTX also apparently failed to establish appropriate controls and procedures while enabling Alameda to effectively gut the exchange.
SBF has been indicted on 12 counts so far, and has pleaded not guilty.