Skip to main content

The new management of FTX, headed by CEO John Ray III, today released its first interim report on control failures at the collapsed crypto exchange. There is a lot to digest.

The 45-page report — published Sunday afternoon by FTX Trading Ltd and its affiliated debtors — describes in painstaking detail FTX’s slapdash record-keeping, near non-existent cybersecurity defenses and its sparse expertise in key areas like finance.

One of the more eye-catching items concerned Alameda Research, the trading firm that allegedly had access to billions of dollars in customer funds stored with FTX. The report states that Alameda “often had difficulty understanding what its positions were, let alone hedging or accounting for them.” Former CEO Sam Bankman-Fried, now under house arrest and facing a litany of criminal charges, described Alameda in internal communications as “hilariously beyond any threshold of any auditor being able to even get partially through an audit,” according to the report.

He went on: “Alameda is unauditable. I don’t mean this in the sense of ‘a major accounting firm will have reservations about auditing it’; I mean this in the sense of ‘we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history.’ We sometimes find $50m of assets lying around that we lost track of; such is life.”

If a double decker bus

Other striking items in the report include the claim that most major decision-making was closely controlled by Bankman-Fried and top executives Gary Wang, CTO, and engineering director Nishad Singh — who are both now cooperating with authorities having plead guilty to charges. Such was Wang and Singh’s control over FTX’s architecture that one former executive stated, “if Nishad [Singh] got hit by a bus, the whole company would be done. Same issue with Gary [Wang],” according to today’s report.

The report also claimed that FTX had “no dedicated personnel” in cybersecurity, leaving such matters in the hands of Singh and Wang, who lacked the experience and training to handle the firm’s complex cybersecurity needs.

The management of private keys and seed phrases — used to control access to crypto assets — was shambolic, according to the report. In one example, private keys for over $100 million in Ethereum assets were stored in plain text without encryption on an FTX Group server; in another, single-signature-based keys that controlled access to billions of dollars in crypto assets were stored in AWS Secrets Manager or a password vault, each accessible by numerous employees; and many private keys were stored without back-up procedures, meaning funds would be permanently lost if the associated key was. The list goes on.

John Ray III, who took over from Bankman-Fried as CEO of FTX after its collapse, said in a statement accompanying today’s report, “In this report, we provide details on our findings that FTX Group failed to implement appropriate controls in areas that were critical for safeguarding cash and crypto assets. FTX Group was tightly controlled by a small group of individuals who falsely claimed to manage FTX Group responsibly, but in fact showed little interest in instituting oversight or implementing an appropriate control framework.”