FTX: important lessons about security practices in the crypto industry
The initial report from the liquidators of FTX has been published, and as expected, it makes for uncomfortable reading. From lack of oversight and governance to mismanaged millions, the actions of the FTX leadership team were negligent and fraudulent, with CEO Sam Bankman-Fried allegedly using his customers’ money as his own to make private investments.
FTX’s demise caused chaos in the crypto market, with coin values plummeting and the overall market value falling well below its previous $1 trillion valuation. The exchange filed for bankruptcy on November 11th, 2022, and in the US, non-fiat customer withdrawals were frozen on November 8th. Interestingly, the exchange claimed they were hacked on the same day it filed for bankruptcy, and $600 million was taken. Since then, a criminal investigation has been underway, seeing Bankman-Fried and other FTX executives charged with various fraud-related offences.
The report was damning, clearly highlighting the deficiencies in digital asset management controls and lack of security in place. It said that customer crypto funds were at significant risk of “loss, risk and compromise”, a risk that was realised during the November 2022 hack.
What FTX could have done to protect its customers’ digital assets
FTX’s security processes were severely lacking when protecting its customer funds. Industry-standard security protocols were ignored, and there was an evident and complete lack of dedicated cybersecurity experts to manage associated risks. Let’s look at FTXs security failings and what they could have done to protect customer funds.
Employ a dedicated security team
Unbelievably for one of the largest crypto trading exchanges in the world, FTX didn’t have a dedicated security team. Approximately US$2.4 billion has been hacked through exchanges since 2011, and cyber criminals introduce new threats almost daily. A dedicated security team would conduct a risk assessment to identify security threats, put controls in place to mitigate risks and implement continuous monitoring to identify new threats.
Install infrastructure controls and security policies
FTX’s paid dearly for its lack of focus on protecting its customers’ funds. Putting in place secure software development practices protects customers from security vulnerabilities and data breaches and ensures businesses comply with regulations, for example, the General Data Protection Regulations. Infrastructure controls and policies form the backbone of an organisation’s business continuity plan, reducing any disruption security incidents may cause. Finally, they can save a business money and protect its reputation by preventing incidents and showing investors they are serious about safeguarding investments.
Cold storage protocols
Another security failing for FTX was not following industry best practices for storing funds, keeping most if not all of their digital assets in online hot wallets, leaving them vulnerable to theft and hacking. If they had held their customers’ cryptocurrencies offline (cold storage), they would have reduced the risk of them being stolen, as it is extremely difficult to hack a cold wallet.
We recently saw where this kind of storage protocols can directly benefit the end consumer. The Japanese regulator – the Financial Services Agency (FSA), has rules in place to ensure exchanges store private keys offline, use two-factor authentication and monitor transactions. Storing their keys offline meant FTX Japan could return customers’ assets after the collapse. This was an important industry development in an otherwise negative situation, clearly demonstrating how regulation could have a positive impact on the wider crypto market.
Implement solid controls for private keys storage and management
FTX had control of its customers' private keys. Similar to a password, a private key is a secure code that allows people to access their crypto wallets, make transactions and prove ownership of their assets. They should be stored securely offline to reduce the risk of someone hacking a wallet and the funds held in it being stolen. According to the initial audit report, FTX stored most of their wallets online in "over one thousand [AWS] servers and related system architecture."
Storing private keys offline in cold storage means they are only brought online when you need to make a transaction, drastically reducing the opportunity to steal them. However, if private keys are lost, so is access to your funds. Taking a backup of your keys will mitigate this risk, and for organisations storing large amounts of cryptocurrency, storing that backup with a trusted third party introduces an extra layer of security.
Manage transaction approvals
One of the controls in place to protect digital assets from internal collusion and bad actors is having more than one person approve transactions. There are two widely used methods of doing this:
Multi-party computation (MPC), where multiple parties are needed to authorise transactions. Each party holds part of a private key stored on different devices, and the other parties can’t see them.
Multi-signature (MultiSig), where the digital wallet operates with multi-signature addresses. As an additional layer of security, more than one key is needed to authorise transactions. In some cases, several different keys are required to generate a signature for a transaction.
FTX didn’t have these controls, increasing the opportunities for fraud, theft, and human error.
Conduct external audits
If FTX had instructed an external party to conduct a security audit on their controls and policies, they would have identified security risks and mitigated any loopholes. This would also have helped improve their security posture by identifying areas needing improvement.
Although the crypto industry is not fully regulated, an audit would also have ensured FTX complied with current regulations. Internally, an audit would have raised awareness of security practices and advised on what security training would be appropriate for different employee roles.
The collapse of FTX had a massive negative impact on the cryptocurrency market. Investor confidence has plummeted, and regulators have increased scrutiny of the industry. Restoring trust will take time but will ultimately lead to a safer investment environment as crypto service providers improve their security controls. Contact us today if you’d like to talk to someone about improving your organisation’s security.