News

Alameda Trader Phished for $100 Million After Clicking Malicious Google Link, Says Ex-Engineer

Investors Lost $686 Million Last Quarter to Hacks, Fraud: Immunefi

In yet another lengthy thread on X (formerly known as Twitter), former Alameda Research software engineer Aditya Baradwaj revealed how FTX’s sister fund grappled with multiple security incidents, ultimately losing at least $190 million in trading funds.

One of the most significant exploits detailed by Baradwaj reportedly involved a trader at Alameda losing more than $100 million of the firm’s funds.

The incident unfolded when the trader clicked on a malicious link for a DeFi app that had been promoted to the top of Google Search results.

Decrypt reached out to Baradwaj for additional comments and will update the article should we hear back.

Another example cited by Baradwaj revolved around Alameda’s involvement in yield farming on a blockchain of “questionable legitimacy.” This venture resulted in losses exceeding $40 million, as “the creator ended up holding our funds hostage, and we had months of prolonged negotiations.”

Incident #1:

An Alameda trader got phished while trying to complete a DeFi transaction by accidentally clicking a fake link that had been promoted to the top of Google Search results

Cost: $100M+

Postmortem: Implemented extra checks on our internal wallet software

— Adi (e/acc) (@aditya_baradwaj) October 11, 2023

Yet another incident reportedly saw an old version of Alameda’s plaintext keys file leaked, supposedly by a former employee, according to Baradwaj. It resulted in the attacker transferring funds out of some exchanges and placing bad orders, with Alameda losing another $50 million.

“These are just a few incidents—there’s many more, including from before my time at the company,” said Baradwaj.

Responding to the above incidents, the firm simply implemented extra checks on its internal wallet software, decided to be more careful about which protocols it was trading on, or migrated secret keys to a more secure storage system.

“Was the tradeoff worth it?” asked Baradwaj. “Sam certainly seemed to think so. Even after all these incidents, no serious attempt was made to change the way we operated. It’s the kind of risk-taking that seems to work… until it doesn’t.”

Alamada pushes speed over security

According to the former Alameda employee, the trading firm put substantial focus on prioritizing speed, a belief held by FTX founder Sam Bankman-Fried.

This approach often led the company to overlook industry-standard engineering and accounting practices.

This meant virtually no code testing and incomplete balance accounting

Safety checks for trading would only be added on an as-needed basis

Blockchain private keys and exchange API keys were stored in plaintext in a file that several employees could access

— Adi (e/acc) (@aditya_baradwaj) October 11, 2023

Code testing, according to Baradwaj, was virtually nonexistent, and safety checks for trading were implemented only when deemed necessary.

“These decisions allowed us to move at breathtaking speed. Developer velocity that would make any Silicon Valley software engineer shed tears of joy,” wrote Baradwaj. “However the flip side of this tradeoff was that we’d have a major security incident once every few months.”

Baradwaj’s remarks come as former Alameda CEO Caroline Ellison took the stand to provide testimony against Bankman-Fried on the sixth day of his fraud trial in New York.

She shed more light on the firm’s relations with FTX, including former co-CEO of Alameda tapping Thai sex workers in a bid to reclaim $1 billion worth of funds frozen by the Chinese government.

Stay on top of crypto news, get daily updates in your inbox.





Source: https://decrypt.co/201192/alameda-trader-phished-for-100-million-after-clicking-malicious-google-link-says-ex-engineer

Leave a Reply

Your email address will not be published. Required fields are marked *