Nothing against Amazon Web Services. Very nice tool, but it’s not for a multibillion dollar company’s private keys—or anyone’s private keys, really.
He didn’t write it that way in the interim report he filed yesterday, but it’s not hard to imagine FTX CEO John Ray III, who’s overseeing the company’s Chapter 11 bankruptcy restructuring, chastising its use of AWS the same way he did its use of QuickBooks for accounting.
“Nothing against QuickBooks. Very nice tool,” Ray said while testifying before the House Financial Services Committee in December. “It’s not for a multibillion dollar company.”
Instead, he wrote in Sunday’s court filing that FTX “kept virtually all crypto assets in hot wallets.” To underline his point, Ray mentioned the unauthorized transactions that drained $432 million worth of funds from the company’s wallets the day after it filed for bankruptcy on November 11.
Disgraced FTX founder Sam Bankman-Fried grew his crypto empire into a behemoth. But in November 2022 it all came crashing down amid revelations that his trading desk, Alameda Research, held billions of FTX Token (FTT) on its balance sheet and allegations that the companies had been commingling user funds with their own. Now Bankman-Fried faces 13 criminal charges and the FTX Group has spent the past five months trying to recoup customer funds.
Ray, who also oversaw the liquidation of Enron, previously said he believes the collapse of FTX was caused by “a very small group of grossly inexperienced and unsophisticated individuals.” Today’s revelations over how the company handled its crypto wallets appear to lend credence to those comments.
Crypto wallets use a linked set of public and private keys to authorize transactions. A public key can be thought of as an identifier, usually a 64-character string. It shows up in the “from” or “to” fields on network explorers like Etherscan. Everyone can see a wallet’s public key and its contents, but only a user with the corresponding private key can access the funds or authorize transactions.
Wallets themselves fall into two main categories: hot and cold. Hot wallets are connected to the internet and therefore susceptible to being compromised by a bad actor. A cold wallet is not connected to the internet and, for that reason, better protected from bad actors.
Ray said keeping the majority of funds in hot wallets and the private keys of those wallets in AWS was an especially bad way to manage risk.
Neither Amazon Web Services nor its cloud computing competitors are impermeable. Since 2017, AWS has seen a handful of large-scale breaches that exposed data belonging to hundreds of millions of voters, Instagram users, bank customers, shoppers, travelers, and people who visited COVID-19 testing sites, according to data breach tracker Firewall Times.
“The FTX group undoubtedly recognized how a prudent crypto exchange should operate, because when asked by third parties to describe the extent to which it used cold storage, it lied,” Ray wrote in the report. He quoted a 2019 tweet sent by founder and ex-CEO Bankman-Fried and a 2022 company response to advisers and counterparties.
Both messages claimed that FTX used a combination of hot wallets and cold wallets.
Instead, Ray wrote that “they did not use offline, air-gapped, encrypted, and geographically distributed laptops to secure crypto assets.” He also mentioned messages from someone affiliated with LedgerX, a derivatives exchange owned by FTX Group, but not part of the bankruptcy proceedings, recommending that FTX.US make better use of cold wallet storage.
But Ray wrote that “no such system was put in place prior to the bankruptcy.”