Further details about the inner workings of the once loved, now disgraced crypto exchange FTX have been released in its latest bankruptcy report, dated April 9th.
Under a section titled “Lack of security controls to protect crypto assets”, the report states:
“The FTX Group failed to implement basic, widely accepted security controls to protect crypto assets. Each failure was egregious in the context of a business entrusted with customer transactions, and any one of the controls may have prevented the loss in the November 2022 Breach. Taken together, the failures were further magnified, since each control failure exacerbated the risk posed by the others.”
The November breach refers to the $650M hack that took place just hours after Sam Bankman-Fried stepped down as CEO.
Security, Encryption, Cold Storage, And Authentication
The report details that FTX had no dedicated cybersecurity staff and no Chief Information Security Officer. These roles, meant to protect billions of dollars of customer assets, fell to two software developers, neither of whom had formal training in the field.
On top of this, “the FTX Group made little use of cold storage”. Instead it kept “virtually all” assets in hot storage, where wallets are connected directly to the internet and therefore exposed to attack, whereas cold storage stays offline. Hot wallets are commonplace at exchanges because they keep liquidity available for withdrawals and trading, but the usual practice is to hold only as much in hot wallets as is needed to stay liquid and to move the rest into cold storage, which is far safer.
The phrase “not your keys, not your coins” is commonplace in the crypto industry: private keys are the one barrier that prevents a bad actor from stealing your assets, so it is understood that they should be protected with the utmost security. Yet FTX stored private keys and seed phrases in plain-text documents, with no encryption, on AWS. These documents were also poorly organised and scattered across different locations in its storage.
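The practical counterpart to the plain-text finding is a check that looks for key material sitting unencrypted in ordinary documents. The scanner below is an added example written for this article, not code from the report or from FTX; it uses two heuristics that secret-scanning tools commonly combine: a 64-hex-digit string (the shape of a raw 32-byte private key, but also of a SHA-256 hash or transaction id, so on its own it is only a "review" finding) and a run of 12 or more short lowercase words on a line that also carries a keyword such as "seed" or "private key" (BIP-39 English words are 3 to 8 letters, and ordinary prose would produce false positives without the keyword gate). The sample document, the keyword list and the severity labels are all constructed for the example.

```python
import re
from dataclasses import dataclass

# 64 hex digits with nothing hex-like on either side, optionally "0x"-prefixed.
# This is what a raw 32-byte private key looks like, but also what a SHA-256
# hash or a transaction id looks like, so alone it is only a "review" finding.
HEX32_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")

# Run of 12 or more lowercase words of 3..8 letters (the length range of the
# BIP-39 English wordlist).  Plain prose can match this, so it is only reported
# on lines that also carry a key-material keyword.
WORD_RUN_RE = re.compile(r"(?:\b[a-z]{3,8}\b[ \t]+){11,}\b[a-z]{3,8}\b")

# Constructed keyword list; a real scanner would carry a much longer one.
KEYWORD_RE = re.compile(
    r"seed|mnemonic|recovery phrase|private key|privkey|secret key", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str       # "mnemonic" or "hex_key"
    severity: str   # "high" (keyword present) or "review" (pattern only)


def scan_text(text: str) -> list:
    """Return one Finding per suspicious line; the secret itself is never stored."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        has_keyword = KEYWORD_RE.search(line) is not None
        if HEX32_RE.search(line):
            findings.append(Finding(line_no, "hex_key", "high" if has_keyword else "review"))
        if has_keyword and WORD_RUN_RE.search(line):
            findings.append(Finding(line_no, "mnemonic", "high"))
    return findings


# Constructed sample "ops notes" file; none of these values is real key material.
SAMPLE_DOC = """\
Wallet ops notes (constructed sample, not real key material)
hot wallet 3 seed phrase: alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima
private key (backup): 0x1111111111111111111111111111111111111111111111111111111111111111
last sweep txid: 2222222222222222222222222222222222222222222222222222222222222222
the report says that they had two developers and nothing else in place for keys
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_DOC):
        print(f"line {f.line_no}: {f.kind} ({f.severity})")
```

Run over the constructed sample, the scanner reports the labelled seed phrase and the labelled private key as high-severity findings and the unlabelled transaction id as a review item; the prose line produces nothing because it has no keyword. Findings carry only line numbers and categories, so the scan output itself does not become another copy of the secret.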
FTX also “failed to implement in an appropriate fashion even the most widely accepted controls relating to Identity and Access Management,” which refers to multi-factor authentication, the control that prevents someone from accessing an account even if they have its password.
The list goes on, but one thing is clear: if FTX had not blown up when it did, it was bound to happen sooner or later.