
Sam Bankman-Fried's secret 'backdoor' discovered, FTX lawyer says

156 points | pseudolus | 3 years ago | businessinsider.com

110 comments

bearjaws|3 years ago
Reminds me back at a certain large travel website I worked at, someone left the debug promo codes enabled in prod...

Eventually someone found the "5000off" code, and posted it to Slickdeals.

We had alarms for bookings that lost us money (especially with bundled flights), so it was found relatively quickly, but around 30 people had used it already...

Except SBF was just massive fraud, not a whoopsie doopsie.

lifefeed|3 years ago
At a certain shoe online retailer I worked at, we had a hard limit on the maximum discount, and it was built into the code. Not configurable, and not overridable. There were a lot of problems with that codebase, and some of those problems probably led to that particular solution, but I liked it.
contingencies|3 years ago
For codebases with deployment modes, best practice may be to have a test process defined in your CI/CD to run when you spin-up prod that verifies all non-prod features are fully disabled.
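An added example, not code from this thread or from any company mentioned in it, showing both ideas above as runnable checks: lifefeed's cap that is baked into code rather than configuration, and contingencies' pre-flight test that refuses to start prod while debug promo codes or oversized per-account overrides are still enabled. The settings fields, cap values and account names are constructed for the illustration.

```python
"""Added example: a prod pre-flight gate plus non-overridable caps.
All names and values here are assumptions made up for the illustration."""
from dataclasses import dataclass, field

MAX_DISCOUNT_PCT = 30          # hard cap, in code, not configurable or overridable
MAX_CREDIT_LINE = 1_000_000    # same idea for a credit line (constructed value)


@dataclass
class Settings:
    env: str                                               # "prod" or "staging"
    debug_promo_codes: dict = field(default_factory=dict)  # code -> percent off
    credit_overrides: dict = field(default_factory=dict)   # account -> limit


def prod_preflight(settings: Settings) -> list:
    """Return a list of violations; an empty list means prod is clean.
    Meant to run from CI/CD before the service takes traffic."""
    problems = []
    if settings.env != "prod":
        return problems                     # non-prod may keep test features
    for code, pct in settings.debug_promo_codes.items():
        problems.append(f"debug promo code {code!r} ({pct}% off) enabled in prod")
    for acct, limit in settings.credit_overrides.items():
        if limit > MAX_CREDIT_LINE:
            problems.append(f"credit override for {acct!r} exceeds hard cap: {limit}")
    return problems


def apply_discount(price: float, pct: float) -> float:
    """Clamp to the hard cap instead of trusting whatever percent was configured."""
    pct = min(max(pct, 0), MAX_DISCOUNT_PCT)
    return round(price * (100 - pct) / 100, 2)


def credit_limit(account: str, settings: Settings) -> int:
    """Per-account overrides may exist (a startup shortcut), but the cap always wins."""
    return min(settings.credit_overrides.get(account, 0), MAX_CREDIT_LINE)


# Constructed prod settings with exactly the two problems the thread describes.
CONSTRUCTED_PROD = Settings(
    env="prod",
    debug_promo_codes={"5000off": 5000},
    credit_overrides={"example-market-maker": 65_000_000_000},
)

if __name__ == "__main__":
    for problem in prod_preflight(CONSTRUCTED_PROD):
        print("REFUSING TO START:", problem)
```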
Eduard|3 years ago
What would the "5000off" promo code do? Provide a discount by 5000 gazillion percent?
digianarchist|3 years ago
How did they find the code? Brute force?
tsimionescu|3 years ago
Interestingly, while some are quoting a "single line of code", the article is actually using some even stranger information:

> "Mr. Wang created this back door by inserting a single number into millions of lines of code [emphasis mine] for the exchange, creating a line of credit from FTX to Alameda, to which customers did not consent," [FTX lawyer Andrew Dietderich] added. "And we know the size of that line of credit. It was $65 billion."

Centigonal|3 years ago
$65B seems oddly specific - could it be that they just set the liquidation limit for Alameda's account to 65,535 (max 16bit unsigned int), in millions of dollars?
beau_g|3 years ago
It must have been an existing boolean flag he set to true, allowSecret65BillionDollarBackdoor
beaned|3 years ago
Maybe some specific accounts were hard-coded to have credit lines of certain amounts, and they just changed the one for Alameda from 0 (or whatever) to 65 billion.

Not uncommon for a startup to hack features into code directly before there's a db column and frontend to support updating values through an admin interface.

conanbatt|3 years ago
> inserting a single number into millions of lines of code

So basically a clean npm install.

faangiq|3 years ago
Absolutely lulzy to think of cranking out millionssss of lines of code in the ~2 years FTX existed.
makestuff|3 years ago
Impressive that it was a one line code change to allow a 65b credit line. This is some office space level stuff.
hodder|3 years ago
I'm guessing this "single line of code" called a function which was 9000 lines.

Regardless, this is pretty damning smoking-gun information if true. "uh-oh, spaghettios" becomes a pretty tough legal defense.

jrockway|3 years ago
> "uh-oh, spaghettios" becomes a pretty tough legal defense.

I guess if a jury is involved you don't need a legal defense, you just need to confuse the jury to the point where they can't agree on the facts. "uh-oh spaghettios" has probably worked at least once, especially if computers are involved.

ineedasername|3 years ago
Doesn't look like it: I mean sure, the entire system was many LOC, but in this case it appears accounts had automatic limits set as variables that could be overridden.
michaelbuckbee|3 years ago
    def credit_limit(customer_name)
      return 65_000_000_000 if customer_name == "Alameda"

      # process normally
    end
awestley|3 years ago
Maybe he saw Office Space one too many times.
layer8|3 years ago
The article says “single number”, not “single line of code”.
korroziya|3 years ago
I don't see it mentioned in the article but is SBF still doing the "dumb blonde" act as though this were all an unintended accident or have his lawyers gotten him to tighten his lip?
mcast|3 years ago
You would think if you were raised by Stanford law professors, you would know the importance of staying silent and not incriminating yourself (especially on record). But I guess SBF has a superiority complex and thinks he can evade punishment if he can manipulate the right people.
voganmother42|3 years ago
“Dumb blonde” is not useful and such a silly stretch… I don’t think this was a good choice for a description of his actions, and it weakens the potential impact of your comment considerably.
LatteLazy|3 years ago
Fiddling your own accounting system is not really a "back door". It's just lying.

So far that sums up this whole fraud: it's just bare faced stealing, there is no complexity or master plan...

Animats|3 years ago
Yes. It's surprising how dumb this whole scam was. Had nothing to do with cryptocurrency technology. It was straight theft of customer assets. Then they lost the money they stole. Probably because they were trying to double-down and win back previous trading losses.

Most crypto scams are better run than this. They get people to buy some crap asset, take a slice of the profits, the asset tanks, and the promoters keep their cut. Axie Infinity and Yuga Labs come to mind.

ineedasername|3 years ago
It seems insane that they'd let the limit be that high ($65B) but it's really quite reasonable when you look at it from the POV of already performing fraudulent activities. Once you're in the $100M-$500M range of theft, do you really care, does it really register morally/ethically (to the thief), if you bump that up to $65B?
aaroninsf|3 years ago
Guess: it's a number in a database field not "code"... :P
wahnfrieden|3 years ago
“I wanted to get rich not because I loved money, but because I wanted to donate it to charity.” - SBF, notable EA
dclusin|3 years ago
Have they published the total number of customer deposits? They keep saying they found $x billion in assets. But no mention of the liabilities or the delta between the two.
PedroBatista|3 years ago
If this is true, like the lawyer says, then it's the end of the line for our Sammy...

I don't see how he can pull some miracle to avoid less than 40 years.

chrisbrandow|3 years ago
I want to know what the “single line of code” was
robswc|3 years ago
if user == 'SBF': model = TestModelDoNotUse

But seriously, I would love to know too. It really could be as simple as allowing a certain account "unlimited" credit, as the article suggests. I only have reservations since it seems like a bit of a game of telephone and sometimes journalists go for the sensational vs simple.

oliwary|3 years ago
UPDATE accounts SET creditLimit = 65000000000 WHERE accountHolder = 'alameda';
programmarchy|3 years ago
`if (account["user_id"] === session.user.id || session.user.username === "sbf") {`
warinukraine|3 years ago
An if that bypasses the check of whether to issue a margin call if your userid is that of Alameda's. Obviously.
ornornor|3 years ago
Aside: that has to be one of the most confusing and dark-patterny cookie consent pop-ups I’ve seen in a while.
nieve|3 years ago
Perhaps that one number was a blockchain address or account number?
miga|3 years ago
SBF may have made mistakes or even committed fraud, but it is concerning that the bankruptcy attorney does not seem to focus on recovering the value of the assets.

If FTX US was liquid, this action has brought down another company...

stdbrouw|3 years ago
I thought Matt Levine's take in Wednesday's Money Stuff was insightful:

> If you go around talking up the value of the FTX’s business and its tokens, you might be able to talk someone into paying a lot of money for them; maybe not now but perhaps in November. If you go around talking down the value of FTX — if you make statements about how poorly it was run and how much fraud it did — then that value will tend to zero, and you won’t be able to sell it.

> At some level Bankman-Fried is surely right that if he had remained CEO of FTX, instead of stepping down and being replaced by Ray, he would have had a better chance — though still quite slim — of selling FTX’s business and tokens for more money, and thus raising more money for FTX’s customers. If you want to sell that business, you have to say that it’s good.

> It’s just that, you know, if FTX was a fraud, he would have been getting that money for customers by doing more fraud? Like if Ray is right that FTX was a fraudulent mess, then he shouldn’t be trying to sell it to investors for a lot of money, since that would itself be fraud.

function_seven|3 years ago
I assume they’re being honest about the value of the company. They’re not “lowering” it. The company is worth whatever a potential buyer is willing to pay for it. And whatever that number is, I can’t imagine it’s meaningfully different from “$0”.

I’m talking about the brand and the technology, not the assets that need to be distributed to creditors.

The alternative here is if the lawyers found the back door, and decided to keep it secret. That’s not ethical IMO.

matt3210|3 years ago
If a secret back door is not fraud, I don't know what is.