‘Hubris’, hot wallets and missing millions: FTX’s new bankruptcy report

Quick Take

  • A new interim report in the ongoing FTX bankruptcy saga paints a stark picture of how insecure the exchange’s assets were and provides more detail on corporate incompetence and possible malfeasance.

A new report related to the bankruptcy of FTX and its affiliated companies provided fresh detail as to how dysfunctional Sam Bankman-Fried’s global crypto empire was.

The report, prepared by the company’s caretaker CEO John Ray III and an outside legal team, adds more detail to the chaos of Bankman-Fried’s business practices, which it ascribes to "hubris, incompetence, and greed."

Here are highlights from the 43-page document:

‘Hot’ wallets were a hot mess 

Had Bankman-Fried not been accused of fraudulent activity, it’s possible FTX and its affiliates would’ve failed due to massive security concerns outlined in the fresh report. Keys to hot wallets holding tens of millions of dollars’ worth of assets weren’t securely stored, and the reliance on hot wallets themselves goes against standard industry practice, the report says.

“[T]he FTX Group kept virtually all crypto assets in hot wallets, which are far more susceptible to hacking, theft, misappropriation, and inadvertent loss than cold wallets because hot wallets are internet-connected,” the report said. “Prudently-operated crypto exchanges keep the vast majority of crypto assets in cold wallets, which are not connected to the internet, and maintain in hot wallets only the limited amount necessary for daily operation, trading, and anticipated customer withdrawals.”

In the report, Ray alleges that Bankman-Fried and others “lied” when asked about their security practices by customers and counterparties. 

Those wallets did not require multisignature capabilities to transfer assets, meaning any one employee could remove millions of dollars’ worth of assets, and keys to wallets weren’t well-protected.

FTX’s current management identified private keys for different wallets, including one with over $100 million in “Ethereum assets”, stored in plain text without encryption and easily accessible. Separately, private keys to billions of dollars’ worth of additional digital assets were stored within an Amazon Web Services password manager that “many FTX Group employees” had access to, and those employees could transfer the assets by themselves, whenever they wanted to.

Alameda Research, the sister hedge fund owned by Bankman-Fried, had similar security issues. 

“For example, a key for $600 million dollars’ worth of crypto assets was titled with four non-descriptive words, and stored with no information about what the key was for, or who might have relevant information about it. [Bankman-Fried companies] identified other keys to millions of dollars in crypto assets that were simply titled ‘use this’ or ‘do not use,’ with no further context.”

To punctuate its point, the report notes that $432 million worth of digital assets were stolen from FTX by a malicious actor the night the majority of the crypto empire was placed into bankruptcy by Bankman-Fried. The report says that $1.4 billion of digital assets have been recovered and secured in cold wallet storage, but that an additional $1.7 billion in digital assets has been identified and still needs to be recovered.

Blockchain analysis firms TRM and Chainalysis have been contracted to assist in tracking down those assets. 

FTX and Alameda’s digital assets could’ve been lost forever

Aside from being highly vulnerable to theft or hacking, a number of wallet keys weren’t backed up. 

“Many FTX Group private keys were stored without appropriate backup procedures such that if the key was lost, the associated crypto assets would likely be permanently lost,” putting the world’s then-second-largest digital asset firm in the same position as individual crypto owners who forgot to transfer their private key over from an old laptop.

“Because the FTX Group failed to maintain appropriate records of access to private keys, employees or others could potentially copy those keys to their own electronic devices and transfer the associated crypto assets without detection,” the report continues. 

There’s always (FTX) money in Alameda

Alameda Research, the investment firm co-founded by Bankman-Fried and Wang prior to FTX, had no idea how much money it had, or didn’t have. But the firm kept operating through money it took from FTX in return for IOUs, if anything at all. 

“Alameda often had difficulty understanding what its positions were, let alone hedging or accounting for them,” the report reads. “For the vast majority of assets, Alameda’s recordkeeping was so poor that it is difficult to determine how positions were marked.”

Bankman-Fried highlighted Alameda’s black box nature in an internal communication included in the report submitted to court. 


“‘Alameda is unauditable,’” Bankman-Fried wrote. “‘I don’t mean this in the sense of ‘a major accounting firm will have reservations about auditing it’; I mean this in the sense of ‘we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history.’”

To emphasize this, he added, “We sometimes find $50m of assets lying around that we lost track of; such is life.”

The former FTX CEO used Alameda as his personal piggybank, transferring tens of millions to a personal bank account in 2021 and 2022 but listing the transactions as “investments-cryptocurrency.” 

But funds from FTX.com, which was the primary retail investment platform owned by Bankman-Fried, kept his investment firm afloat. 

“[T]he FTX Group configured the codebase of FTX.com and associated customer databases to grant Alameda an effectively limitless ability to trade and withdraw assets from the exchange regardless of the size of Alameda’s account balance, and to exempt Alameda from the auto-liquidation process that applied to other customers,” the report reads. It notes that existing controls by “financial institutions and exchanges in established financial markets” would have prevented the withdrawals. 

The backdoor from FTX.com to Alameda existed since July 31, 2019, but Bankman-Fried tweeted that “‘just like everyone else’s’” and “‘Alameda’s incentive is just for FTX to do as well as possible.’”

The backdoor inserted into FTX.com’s operational code allowed Alameda a line of credit with FTX of up to $65 billion. 

An investigation by caretaker FTX group leadership into Alameda remains ongoing, the report notes. 

What decentralization?

Decision-making at FTX was so tightly controlled by a small group of executives, the report says, that an executive said if either co-founder Gary Wang or engineering head Nishad Singh were incapacitated then the whole multibillion-dollar operation would effectively end, due to the lack of technical know-how among other members of leadership, including Bankman-Fried.

The court-submitted document quotes an anonymous FTX executive saying, “if Nishad [Singh] got hit by a bus, the whole company would be done. Same issue with Gary [Wang].”

FTX.US President Brett Harrison apparently resigned over the lack of delegation, as well as “protracted disagreement” with Bankman-Fried and Wang over formal management structure and key hires at the U.S. affiliate that turned out to be less independent than advertised. 

Harrison’s bonus “was drastically reduced and senior internal counsel instructed him to apologize to Bankman-Fried for raising the concerns, which he refused to do,” the report claims. 

Slacking for millions + Who does what?

Crypto assets weren’t the only parts of the company that FTX and affiliated companies couldn’t keep track of. Executives also didn’t know who they employed. 

“At the time of the bankruptcy filing, the FTX Group did not even have current and complete lists of who its employees were,” the report says. There was also no record of how companies related to each other within the crypto empire of over 100 companies, or who owned which entity.

Corporate messages were sent using Signal and Telegram, with the auto-disappearing function, making it tough to verify what was said. Meanwhile tens of millions of company spending was requested or approved by emojis on Slack, “leaving only informal records of such transfers, or no records at all.”

More to come

Ray, as well as FTX’s bankruptcy advisers and lawyers, say they’ll continue to unpack the mess of record-keeping they outline – a mess that helps explain the large fees being paid out to them.

The next court date in the bankruptcy case is April 12.


Disclaimer: The former CEO and majority shareholder of The Block has disclosed a series of loans from former FTX and Alameda founder Sam Bankman-Fried.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Colin oversees and contributes policy, regulatory, political, and legal coverage for The Block. Before joining The Block he covered congressional economic policy, including fintech legislation, for Bloomberg Industry Group and Politico, with additional stints at the Washington Examiner and American Banker. Colin is an alumnus of Columbia University's Graduate School of Journalism and Sewanee: The University of the South. 

Editor

Larry DiTore