SNEAK PEEK
- FTX’s security practices were poor and disorganized.
- Private keys for billions in crypto assets were stored insecurely.
- Alameda lacked proper documentation for private keys, including a $600 million key.
Jameson Lopp, co-founder and Chief Technical Officer (CTO) of the Bitcoin security provider Casa, recently made a bold claim about FTX, the collapsed cryptocurrency exchange. Lopp argued that even if FTX had been a lawful business, its inadequate key-management practices would eventually have lost its users' funds anyway.
Even had FTX been a legitimate business operation, they would have eventually lost everyone’s money with these security practices. pic.twitter.com/R8L7Gx3DQK
— Jameson Lopp (@lopp) April 9, 2023
To back up the claim, Lopp attached to his tweet an excerpt summarizing several basic security measures that FTX and its affiliates had ignored. According to that excerpt, private keys and seed phrases for FTX.com, FTX.US, and Alameda were scattered across multiple locations in the FTX Group's computing environment with no consistent organization.
The storage methods themselves were insecure and inconsistent, and no documented process governed how keys were to be stored, despite the well-known risks. As one example, the debtors found private keys controlling over $100 million in Ethereum assets stored in plain text, unencrypted, on an FTX Group server.
The excerpt also showed that private keys for billions of dollars in cryptocurrency were controlled by a single signature and kept in AWS Secrets Manager and password vaults.
These tools are built for general application secrets, not for the custody of keys that can irrevocably move funds, and there was no multi-party control on top of them. As a result, any FTX Group employee with access to these tools could read a key and transfer the corresponding assets without anyone else's approval.
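The single-signature custody model described above is the failure mode; splitting a key so that no single vault entry (and no single employee) can reconstruct it is the standard alternative. The following is an added example, not code from this page, from Lopp, or from FTX: a minimal Shamir secret sharing scheme over a 256-bit prime field in Python, configured so that 3 of 5 share holders are needed to rebuild the key and any 2 shares reveal nothing useful. The choice of prime, the 3-of-5 policy, and the sample key value are assumptions made for illustration; a production system would use an audited library or a hardware signer rather than this routine.

```python
import secrets

# Added example: Shamir secret sharing over a prime field.
# PRIME is the secp256k1 base-field prime, chosen (assumption) because it
# is large enough to hold any 256-bit private key as a field element.
PRIME = 2**256 - 2**32 - 977


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... (mod PRIME) with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count):
    """Split `secret` into `share_count` shares; any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree
    threshold-1. Fewer than `threshold` points leave every constant term
    equally likely, so one vault entry on its own reveals nothing about the key.
    """
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(secret, threshold=3, share_count=5):
    """Split a key and show what a quorum and a sub-quorum each recover.

    Returns (recovered_with_quorum, recovered_below_quorum): the first equals
    `secret`; the second, with overwhelming probability, does not.
    """
    shares = split_secret(secret, threshold, share_count)
    # Any `threshold` shares suffice; here the last three holders sign off.
    quorum = recover_secret(shares[-threshold:])
    # One share short of the quorum: interpolation gives a wrong value.
    below = recover_secret(shares[: threshold - 1])
    return quorum, below


if __name__ == "__main__":
    # Constructed sample key for the demo, not a real FTX key.
    sample_key = int.from_bytes(bytes(range(1, 33)), "big")
    ok, bad = demo(sample_key)
    print("quorum recovers key:", ok == sample_key)
    print("sub-quorum recovers key:", bad == sample_key)
```

Each share would live in a different custodian's vault under a descriptive label, and signing would require the share holders to come together; the contrast with the page's description is that reading a single vault entry no longer yields a spendable key.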
Alameda likewise kept no proper documentation for its private keys, including one controlling roughly $600 million in assets. According to the reports, that key was labeled with four non-descriptive words and carried no indication of its purpose. Other keys to millions of dollars in crypto assets bore labels such as "use this" or "do not use," with no further context.