FTX’s first interim report since bankruptcy reveals massive failures in management, finance and security


(Kitco News) – The new management team of FTX, led by John Ray, issued their long-awaited interim report on the state of the exchange and its sister firm, hedge fund Alameda Research. The severity and scale of the failures it outlines help to explain why it took nearly five months to the day for the first report to be filed.

“The Debtors have had to overcome unusual obstacles due to the FTX Group’s lack of appropriate record keeping and controls in critical areas, including, among others, management and governance, finance and accounting, as well as digital asset management, information security and cybersecurity,” they wrote.

“Normally, in a bankruptcy involving a business of the size and complexity of the FTX Group, particularly a business that handles customer and investor funds, there are readily identifiable records, data sources, and processes that can be used to identify and safeguard assets of the estate. Not so with the FTX Group.”

The new management wrote that upon assuming control, they discovered “a pervasive lack of records and other evidence at the FTX Group of where or how fiat currency and digital assets could be found or accessed, and extensive commingling of assets.” This required them “to start from scratch, in many cases, simply to identify the assets and liabilities of the estate, much less to protect and recover the assets to maximize the estate’s value.”

The difficulty of their work was exacerbated by the fact that they assumed control “amidst a massive cyberattack, itself a product of the FTX Group’s lack of controls, that drained approximately $432 million worth of assets on the date of the bankruptcy petition […] and threatened far larger losses absent measures the Debtors immediately implemented to secure the computing environment.”

The report claims that FTX “was tightly controlled by a small group of individuals who showed little interest in instituting an appropriate oversight or control framework.” They wrote that Bankman-Fried and his inner circle “stifled dissent, commingled and misused corporate and customer funds, lied to third parties about their business, joked internally about their tendency to lose track of millions of dollars in assets, and thereby caused the FTX Group to collapse as swiftly as it had grown.”

“In this regard, while the FTX Group’s failure is novel in the unprecedented scale of harm it caused in a nascent industry, many of its root causes are familiar: hubris, incompetence, and greed.”

According to the report, the volume of records and other data to be sifted through is as incoherent as it is massive. “To date, the Debtors have reviewed over one million documents collected from Debtor entities around the world, including communications (e.g., Slack, Signal, email) and other documents (e.g., Excel spreadsheets, Google Drive documents),” and they must also piece together an understanding of FTX customers’ positions and transactions “which is housed in databases that are over one petabyte (i.e., 1000 terabytes) in size.”

They have also interviewed 19 employees of the FTX Group “who worked in Policy and Regulatory Strategy, Information Technology, Controllers, Administration, Legal, Compliance, and Data Science and Engineering, among others,” and they gathered “substantial information through counsel” from five others. These interviews did not include Nishad Singh, Gary Wang, or Caroline Ellison, who have pleaded guilty to charges and are cooperating with the U.S. Justice Department, because “it is generally not feasible for the Debtors to interview them on key subjects until after the ongoing criminal prosecution of Bankman-Fried has concluded.”

On the topic of internal controls, the report said that the FTX Group’s control failures “created an environment in which a handful of employees had, among them, virtually limitless power to direct transfers of fiat currency and crypto assets and to hire and fire employees, with no effective oversight or controls.” Bankman-Fried, in particular, “deprioritized or rejected advice to improve the FTX Group’s control framework, exposing the exchanges to grave harm from both external bad actors and their own misconduct.”

The same was true for management and governance, which was essentially limited to Singh, Wang, and Bankman-Fried, with the latter “having the final voice in all significant decisions,” they wrote. “These three individuals, not long out of college and with no experience in risk management or running a business, controlled nearly every significant aspect of the FTX Group,” they noted, and quoted an unnamed FTX executive as saying that “if Nishad [Singh] got hit by a bus, the whole company would be done. Same issue with Gary [Wang].”

They characterized FTX’s board oversight as “effectively non-existent.”

The report also confirmed former FTX.US CEO Brett Harrison’s earlier revelations of Bankman-Fried’s tyrannical and retaliatory leadership style. “Efforts to clarify corporate responsibilities and enhance compliance were not welcome and resulted in backlash,” they wrote.

“For example, the President of FTX.US resigned following a protracted disagreement with Bankman-Fried and Singh over the lack of appropriate delegation of authority, formal management structure, and key hires at FTX.US; after raising these issues directly with them, his bonus was drastically reduced and senior internal counsel instructed him to apologize to Bankman-Fried for raising the concerns, which he refused to do.”

They also shared a new story of conscientious concerns regarding Alameda’s actions being met with retaliation after a newly-hired lawyer discovered the hedge fund was using a North Dimension bank account to send money to FTX customers. The lawyer “was summarily terminated after expressing concerns about Alameda’s lack of corporate controls, capable leadership, and risk management.”

Entire departments and essential roles were either nonexistent or staffed by a skeleton crew of unqualified personnel. “Key executive functions, including those of Chief Financial Officer, Chief Risk Officer, Global Controller and Chief Internal Auditor, were missing at some or all critical entities,” they wrote. “Nor did the FTX Group have any dedicated financial risk, audit, or treasury departments.”

The degree to which accounting and financial records and reports were neglected at FTX is impossible to overstate. “Fifty-six entities within the FTX Group did not produce financial statements of any kind,” they wrote. “Thirty-five FTX Group entities used QuickBooks as their accounting system and 14 relied on a hodgepodge of Google documents, Slack communications, shared drives, and Excel spreadsheets and other non-enterprise solutions to manage their assets and liabilities.”

“QuickBooks is an accounting software package designed for small and mid-sized businesses, new businesses, and freelancers,” the report notes acidly. “QuickBooks was not designed to address the needs of a large and complex business like that of the FTX Group, which handled billions of dollars of securities, fiat currency, and cryptocurrency transactions across multiple continents and platforms.”

According to the report, accountancy at Alameda was even worse. “Alameda often had difficulty understanding what its positions were, let alone hedging or accounting for them,” they wrote. “For the vast majority of assets, Alameda’s recordkeeping was so poor that it is difficult to determine how positions were marked.” They cited a ‘Portfolio summary’ from June 2022 asking Alameda personnel to “come up with some numbers? idk.”

The report also removes plausible deniability from Bankman-Fried, who described Alameda as “hilariously beyond any threshold of any auditor being able to even get partially through an audit,” and described the hedge fund as “unauditable.”

“I don’t mean this in the sense of ‘a major accounting firm will have reservations about auditing it,’” Bankman-Fried wrote in an internal communication. “I mean this in the sense of ‘we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history.’ We sometimes find $50m of assets lying around that we lost track of; such is life.”

Even when clients and other entities tried to give FTX money, the exchange often failed to properly receive it. “Thousands of deposit checks were collected from the FTX Group’s offices, some stale-dated for months, due to the failure of personnel to deposit checks in the ordinary course; instead, deposit checks collected like junk mail,” the report said.

Other sections of the report confirmed details of Alameda’s special privileges and exemptions from accounting and accountability. “On July 31, 2019—the same day Singh altered the codebase to allow Alameda to withdraw apparently unlimited amounts of crypto assets from FTX.com, and a week after he altered it to effectively exempt Alameda from auto-liquidation—Bankman-Fried claimed on Twitter that Alameda’s account was ‘just like everyone else’s’ and ‘Alameda’s incentive is just for FTX to do as well as possible,’” they wrote. “As recently as September 2022, in interviews with reporters, Bankman-Fried claimed that Alameda was a ‘wholly separate entity’ and Ellison claimed that Alameda was ‘arm’s-length and [did not] get any different treatment from other market makers.’”

The failures related to security were among the most egregious of the many cited in the report. “The Debtors identified extensive deficiencies in the FTX Group’s controls with respect to digital asset management, information security, and cybersecurity,” they wrote. “[T]he FTX Group grossly deprioritized and ignored cybersecurity controls, a remarkable fact given that, in essence, the FTX Group’s entire business—its assets, infrastructure, and intellectual property—consisted of computer code and technology.”

The report claimed that FTX “kept virtually all crypto assets in hot wallets, which are far more susceptible to hacking, theft, misappropriation, and inadvertent loss than cold wallets” because hot wallets remain connected and accessible from the internet. “Prudently-operated crypto exchanges keep the vast majority of crypto assets in cold wallets, which are not connected to the internet, and maintain in hot wallets only the limited amount necessary for daily operation, trading, and anticipated customer withdrawals.”

A litany of other severe security failures was noted in the report, including unencrypted keys to wallets containing hundreds of millions in digital assets stored in shared computers and network environments, the lack of enhanced authorization measures to access funds, and the sharing of one AWS cloud environment among FTX, FTX.US and Alameda, meaning any breach would compromise all three entities and all of their subsidiaries.

The report stated that the management team and their forensic accountants “continue to learn new information daily as their work progresses and expect to report additional findings in due course.”

An omnibus hearing for FTX before the Delaware bankruptcy court is scheduled for this Wednesday at 1:00 pm ET.
