Tuesday, April 25, 2023

Poor Security at FTX

Stacy Elliott:

[John Ray III] wrote in Sunday’s court filing that FTX “kept virtually all crypto assets in hot wallets.” To underline his point, Ray mentioned the unauthorized transactions that drained $432 million worth of funds from the company’s wallets the day after it filed for bankruptcy on November 11.

[…]

Hot wallets are connected to the internet and therefore susceptible to being compromised by a bad actor. A cold wallet is not connected to the internet and, for that reason, better protected from bad actors.

Ray said keeping the majority of funds in hot wallets and the private keys of those wallets in AWS was an especially bad way to manage risk.

Molly White (via Hacker News):

Debtors give multiple examples of irresponsible key storage. Keys to >$100M stored in unencrypted plaintext, for example, or in tools unsuitable for the job. Keys were often accessible by many employees with no auditing. Keys were poorly labeled, with names like “use this”.

[…]

“Passwords for encrypting the private keys of wallet nodes were stored in plain text, committed to the code repository (where they could be viewed by many and were vulnerable to compromise), and reused across different wallet nodes”

[…]

“Over a dozen people had direct or indirect access to the FTX.com and FTX.US central omnibus wallets, which held billions of dollars in crypto assets”
