Part 3: The Hacks

OR

How poor security practices at Alameda Research caused the company to lose hundreds of millions of dollars.

Since the collapse of FTX/Alameda, there's been no shortage of reporting about the paucity of risk management structures at both companies. Bankruptcy lawyer John Ray III famously described it as a "complete failure of corporate controls". What did this look like concretely?

SBF believed that the single most important thing for a startup like Alameda or FTX was being able to move very, very fast. So much so that he decided to ignore engineering and accounting practices that are considered standard at tech companies and financial services firms.

This meant virtually no code testing and incomplete balance accounting. Safety checks for trading would only be added on an as-needed basis. Blockchain private keys and exchange API keys were stored in plaintext in a file that several employees could access.

These decisions allowed us to move at breathtaking speed. Developer velocity that would make any Silicon Valley software engineer shed tears of joy. However, the flip side of this tradeoff was that we'd have a major security incident once every few months:

Incident #1:

An Alameda trader got phished while trying to complete a DeFi transaction by accidentally clicking a fake link that had been promoted to the top of Google Search results.

Cost: $100M+

Postmortem: Implemented extra checks on our internal wallet software

Incident #2:

We started yield farming on a new blockchain of questionable legitimacy. The creator ended up holding our funds hostage, and we had months of prolonged negotiations.

Cost: $40M+

Postmortem: Decided to be more careful about which chains/protocols we trade on

Incident #3:

An old version of our plaintext keys file was leaked, likely by a former employee. The attacker transferred funds out of some exchanges and placed bad orders.

Cost: $50M+

Postmortem: Migrated our secret keys to a more secure storage system
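As an added illustration (this is not Alameda's wallet software, whose internals the thread never describes), here is the kind of pre-flight policy a trading firm's internal wallet tool can enforce before it signs an outbound transfer: a destination allowlist vetted out of band, a per-transaction cap, two-person approval above a threshold, and a rolling 24-hour limit. A phished link that points at an unvetted address fails the first check regardless of what the page looks like. All names, thresholds, and addresses below are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample addresses (not real wallets or contracts).
TREASURY_COLD = "0x" + "a" * 40   # vetted internal cold wallet
LENDING_POOL = "0x" + "b" * 40    # vetted protocol contract
UNKNOWN_SITE = "0x" + "c" * 40    # an address no one vetted


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass(frozen=True)
class Transfer:
    destination: str
    amount_usd: float
    approvers: frozenset = frozenset()   # operator IDs who signed off
    at: datetime = field(default_factory=_now)


@dataclass
class TransferPolicy:
    """Policy gate evaluated before the signing step (hypothetical design)."""
    allowlist: set
    per_tx_limit_usd: float
    dual_approval_above_usd: float
    daily_limit_usd: float
    history: list = field(default_factory=list)

    def __post_init__(self):
        # Hex addresses are case-insensitive; normalize once so a
        # mixed-case copy of a vetted address still matches.
        self.allowlist = {a.lower() for a in self.allowlist}

    def sent_last_24h(self, now: datetime = None) -> float:
        """Sum of transfers already approved in the trailing 24 hours."""
        now = now or _now()
        cutoff = now - timedelta(hours=24)
        return sum(t.amount_usd for t in self.history if t.at > cutoff)

    def check(self, t: Transfer) -> list:
        """Return every policy violation; an empty list means allowed."""
        problems = []
        if t.destination.lower() not in self.allowlist:
            problems.append("destination not on allowlist")
        if t.amount_usd > self.per_tx_limit_usd:
            problems.append("exceeds per-transaction limit")
        if t.amount_usd > self.dual_approval_above_usd and len(t.approvers) < 2:
            problems.append("needs two approvers")
        if self.sent_last_24h(t.at) + t.amount_usd > self.daily_limit_usd:
            problems.append("exceeds 24h limit")
        return problems

    def submit(self, t: Transfer) -> bool:
        """Record the transfer and return True only if it passes every check."""
        if self.check(t):
            return False
        self.history.append(t)
        return True


if __name__ == "__main__":
    policy = TransferPolicy(
        allowlist={TREASURY_COLD, LENDING_POOL},
        per_tx_limit_usd=5_000_000,
        dual_approval_above_usd=1_000_000,
        daily_limit_usd=8_000_000,
    )
    # A transfer to an unvetted destination is refused before signing.
    print(policy.check(Transfer(UNKNOWN_SITE, 500_000)))
    # A vetted destination within limits goes through.
    print(policy.submit(Transfer(LENDING_POOL, 500_000)))
```

The point of the design is that the gate runs on the signing path itself, not in the trader's browser: the allowlist and limits live with the wallet tool, so a convincing fake front end has nothing to bypass except a check it cannot see.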

These are just a few incidents - there are many more, including from before my time at the company. FTX had its own issues, including the MobileCoin fiasco that Gary recently testified about during the trial.

Was the tradeoff worth it? Sam certainly seemed to think so. Even after all these incidents, no serious attempt was made to change the way we operated.

It's the kind of risk-taking that seems to work... until it doesn't.