Debtors Report Reveals Severe FTX Security Flaws

  • A Debtors report has revealed the staggering lack of proper controls at FTX
  • The company employed single-signature wallets to protect billions of dollars and stored private keys in plain text
  • Further transparency reports may shed more light on FTX incompetence

A Debtors report has revealed severe security flaws within FTX that could have ended up taking down the exchange had it not collapsed in the way it did. A press release announcing the report's publication said that it covered areas of failure including “management and governance, finance and accounting, digital asset management, information security, and cybersecurity”. The flaws included private keys stored in plain text, single-signature wallets protecting billions of dollars, and wallet labeling that gave no indication of who held the contents.

Hundreds of Millions of Dollars Left Unprotected

It was already known within the crypto space that FTX was a shambles behind the scenes, but some of the nuggets presented by the Debtors highlight just how bad things really were, and how vulnerable the once $32 billion-valued company actually was. Prime among these was the fact that, although the risks of such a practice were well-known, FTX.com, FTX.US, and Alameda stored private keys and seed phrases in an unstructured manner across various locations in the FTX Group’s computing environment, using insecure methods without any documented or standardized procedures.

These practices led to private keys to Ethereum assets worth over $100 million being stored in plain text without any encryption; credentials to third-party exchanges, which enabled access to tens of millions of dollars in crypto assets, being stored in plain text and without encryption across multiple servers; and single-signature-based private keys to billions of dollars in crypto assets being stored in various online password vaults. None of these vaults were secure enough for the purpose, and access to them was spread among various FTX employees.

CEO Blames Former Leadership

The Debtors also found that Alameda Research, FTX’s trading wing, did not have sufficient documentation regarding the description or utilization of private keys. One instance of this was a key for crypto assets worth $600 million, which was labeled with four nondescript words and stored without any information regarding its purpose or who might have pertinent knowledge about it. The Debtors also discovered other keys to crypto assets worth millions of dollars that were titled only as “use this” or “do not use,” lacking any additional context.

John J. Ray III, Chief Executive Officer and Chief Restructuring Officer of the FTX Debtors, said that the report highlighted how FTX was “tightly controlled by a small group of individuals who falsely claimed to manage FTX Group responsibly, but in fact showed little interest in instituting oversight or implementing an appropriate control framework.”

He added that this report will be the first of a number that will be released regarding the state of the exchange “in the spirit of transparency”.
