FTX’s Sister Fund Lost $190 Million in Security Incidents
In a recent Twitter thread, former Alameda Research software engineer Aditya Baradwaj shared details about the security incidents faced by FTX’s sister fund, resulting in a loss of at least $190 million in trading funds. One major exploit involved an Alameda trader losing over $100 million after clicking on a malicious link for a DeFi app that appeared at the top of Google Search results.
Another incident highlighted by Baradwaj was Alameda’s involvement in yield farming on a questionable blockchain, leading to losses exceeding $40 million due to prolonged negotiations with the creator who held their funds hostage.
An old version of Alameda’s plaintext keys file was also leaked, allowing attackers to transfer funds and place bad orders, resulting in an additional loss of $50 million.
To address these incidents, the firm implemented extra checks on its internal wallet software, became more cautious about trading protocols, and migrated secret keys to a more secure storage system.
Alameda Prioritizes Speed Over Security
According to Baradwaj, Alameda focused heavily on speed, following the belief of FTX founder Sam Bankman-Fried. This approach often led the company to overlook industry-standard engineering and accounting practices. Code testing was minimal, and safety checks for trading were only added when necessary.
Baradwaj acknowledged that this tradeoff allowed for fast-paced development but resulted in major security incidents every few months.
Hot Take: Risk-Taking Comes at a Cost
The revelations from Baradwaj shed light on the risks taken by Alameda and FTX. Despite multiple security incidents, no significant changes were made to their operations. This risk-taking approach seemed to work for a while, but it eventually caught up with them.
It is crucial for crypto firms to prioritize both speed and security to avoid significant financial losses and reputational damage. Balancing these factors ensures sustainable growth and protection against malicious actors.
In yet another lengthy thread on X (formerly known as Twitter), former Alameda Research software engineer Aditya Baradwaj revealed how FTX’s sister fund grappled with multiple security incidents, ultimately losing at least $190 million in trading funds.
One of the most significant exploits detailed by Baradwaj reportedly involved a trader at Alameda losing more than $100 million of the firm’s funds. The incident unfolded when the trader clicked on a malicious link for a DeFi app that had been promoted to the top of Google Search results.
Decrypt reached out to Baradwaj for additional comments and will update the article should we hear back.
Another example cited by Baradwaj revolved around Alameda’s involvement in yield farming on a blockchain of “questionable legitimacy.” This venture resulted in losses exceeding $40 million, as “the creator ended up holding our funds hostage, and we had months of prolonged negotiations.”
Incident #1:
An Alameda trader got phished while trying to complete a DeFi transaction by accidentally clicking a fake link that had been promoted to the top of Google Search results
Cost: $100M+
Postmortem: Implemented extra checks on our internal wallet software
— Adi (e/acc) (@aditya_baradwaj) October 11, 2023
Yet another incident reportedly saw an old version of Alameda’s plaintext keys file leaked, supposedly by a former employee, according to Baradwaj. It resulted in the attacker transferring funds out of some exchanges and placing bad orders, with Alameda losing another $50 million.
“These are just a few incidents—there’s many more, including from before my time at the company,” said Baradwaj.
Responding to the above incidents, the firm simply implemented extra checks on its internal wallet software, decided to be more careful about which protocols it was trading on, or migrated secret keys to a more secure storage system.
“Was the tradeoff worth it?” asked Baradwaj. “Sam certainly seemed to think so. Even after all these incidents, no serious attempt was made to change the way we operated. It’s the kind of risk-taking that seems to work… until it doesn’t.”
Alamada Pushes Speed Over Security
According to the former Alameda employee, the trading firm put substantial focus on prioritizing speed, a belief held by FTX founder Sam Bankman-Fried.
This approach often led the company to overlook industry-standard engineering and accounting practices.
This meant virtually no code testing and incomplete balance accounting
Safety checks for trading would only be added on an as-needed basis
Blockchain private keys and exchange API keys were stored in plaintext in a file that several employees could access
— Adi (e/acc) (@aditya_baradwaj) October 11, 2023
Code testing, according to Baradwaj, was virtually nonexistent, and safety checks for trading were implemented only when deemed necessary.
“These decisions allowed us to move at breathtaking speed. Developer velocity that would make any Silicon Valley software engineer shed tears of joy,” wrote Baradwaj. “However the flip side of this tradeoff was that we’d have a major security incident once every few months.”
Baradwaj’s remarks come as former Alameda CEO Caroline Ellison took the stand to provide testimony against Bankman-Fried on the sixth day of his fraud trial in New York.
She shed more light on the firm’s relations with FTX, including former co-CEO of Alameda tapping Thai sex workers in a bid to reclaim $1 billion worth of funds frozen by the Chinese government.
Hot Take: Balancing Speed and Security is Crucial for Crypto Firms
The recent revelations about the security incidents at Alameda and FTX highlight the importance of finding a balance between speed and security in the crypto industry.
While prioritizing speed can lead to rapid development and growth, it should not come at the expense of robust security measures. Neglecting industry-standard practices and code testing can expose firms to significant financial losses and compromise user trust.
Crypto firms must invest in comprehensive security protocols, regularly test their systems, and prioritize the protection of user funds. By doing so, they can ensure sustainable growth while mitigating risks associated with cyber attacks and vulnerabilities.
By
By
By
By