new report on the operation of the crypto exchange / Habr

Short description

Cryptocurrency exchange FTX lacked cybersecurity experts and stored most clients’ assets in hot wallets rather than the industry standard of cold storage, according to a report filed with the Delaware Bankruptcy Court. The company also assigned security responsibilities to two software developers who were not security specialists. The exchange reportedly mixed client and corporate funds, and did not encrypt customers’ cryptographic keys stored in open documents in the cloud. Almost all of FTX’s expenses and invoices were processed via informal messaging on Slack, leaving no records or only informal records of transfers worth tens of millions of dollars.

New information has appeared regarding the activity of the FTX crypto exchange. The report, filed with the Delaware Bankruptcy Court, details how security was implemented at the company and the business culture at FTX.

As it turned out, FTX had no cybersecurity experts, and depositors’ assets were protected with only minimal safeguards. Although the company managed tens of billions of dollars, there was not a single security specialist on staff. Security responsibilities were assigned to two software developers who had no specialized training in security and whose priorities lay with entirely different tasks.

FTX practically never used cold storage, which has become the industry standard. As a rule, crypto-assets are stored in two ways: in hot wallets, which are connected to the Internet, and in “cold storage”, a self-contained hardware form of storage kept offline. Cold storage is considered safe, while hot wallets are far less secure and are often hacked. As Gizmodo writes, companies usually keep in “hot wallets” only as much cryptocurrency as is needed to maintain account liquidity, and hold the rest in “cold storage.” At FTX, however, almost all clients’ assets were kept in hot wallets.

The customers’ cryptographic keys were not encrypted: they were stored in plain documents somewhere in the cloud and were accessible to all staff.
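The report describes key material sitting in plain documents that every employee could open. As an added illustration, not part of the report or the article, the script below is the kind of audit a custodian’s security team could run over exported text documents to flag private-key material stored in the clear. The sample documents, their file names and the detection patterns are all constructed for this example; a 64-hex value is only reported when key-related wording appears nearby, so transaction hashes in the same export are not flagged.

```python
import re
from dataclasses import dataclass

# Constructed sample documents standing in for shared cloud files (not real data).
SAMPLE_DOCS = {
    "customer_wallets.csv": (
        "customer_id,address,private_key\n"
        "1001,0x" + "ab" * 20 + "," + "deadbeef" * 8 + "\n"
    ),
    "ops_notes.txt": (
        "Signing key for the hot wallet host:\n"
        "-----BEGIN EC PRIVATE KEY-----\n"
        "MHQCAQEEIHconstructedPLACEHOLDERnotArealKEYbodyoAcGBSuBBAAKoUQDQgAE\n"
        "-----END EC PRIVATE KEY-----\n"
    ),
    "tx_log.txt": (
        # A 64-hex transaction hash with no key-related wording: must NOT be flagged.
        "settled tx " + "cafebabe" * 8 + "\n"
    ),
}

# A raw 256-bit private key written as hex (optionally 0x-prefixed), bounded so that
# longer hex runs or 40-hex addresses do not match.
HEX_KEY = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")
# Any PEM-encoded private key block (RSA, EC, PKCS#8, OpenSSH ...).
PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Wording that turns an ambiguous 64-hex string into a probable key.
KEY_CONTEXT = re.compile(
    r"\b(?:priv(?:ate)?[_ ]?key|secret|seed|mnemonic|signing key)\b", re.I
)


@dataclass
class Finding:
    doc: str
    line_no: int
    kind: str
    reason: str


def scan_text(name: str, text: str) -> list[Finding]:
    """Return one Finding per line that appears to hold a private key."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines, 1):
        if PEM_KEY.search(line):
            findings.append(Finding(name, i, "pem_private_key", "PEM private key header"))
            continue
        if HEX_KEY.search(line):
            # 64 hex chars is also a tx hash or digest, so require key-related wording
            # on this line or the two preceding ones (e.g. a CSV header naming the column).
            context = " ".join(lines[max(0, i - 3):i])
            if KEY_CONTEXT.search(context):
                findings.append(
                    Finding(name, i, "hex_private_key", "64-hex value near key-related wording")
                )
    return findings


def scan_documents(docs: dict[str, str]) -> list[Finding]:
    """Scan a mapping of document name -> text and collect all findings."""
    return [f for name, text in docs.items() for f in scan_text(name, text)]


if __name__ == "__main__":
    for f in scan_documents(SAMPLE_DOCS):
        print(f"{f.doc}:{f.line_no}  {f.kind}  ({f.reason})")
```

A real deployment would feed the scanner from the cloud drive’s export API and route findings to the incident queue; the point of the context rule is to keep the signal usable, since a custodian’s files are full of 64-hex transaction identifiers that are harmless on their own.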

One more striking fact: FTX did not use multi-factor authentication.

A day earlier, in another publication, Gizmodo described FTX’s business culture and the frivolous atmosphere at the company, where “dissent was suppressed, corporate and client funds were mixed and misused, they lied to third parties about their business and joked about their tendency to lose sight of assets.”

And The Wall Street Journal draws attention to another part of the report, which claims that virtually all of FTX’s expenses and invoices were sent to Slack and confirmed with emojis. “These informal, ephemeral messaging systems were used to approve transfers of tens of millions of dollars, leaving only informal records of such transfers, or no records at all.”

“FTX managed its finances like a monkey swallowing a Jim-Beam,” stated Gizmodo.
