Alameda Research lost $190M to Scams
Former Alameda Research engineer turned whistleblower reveals security lapses and missteps that led to significant financial losses for the firm.
On October 12, Aditya Baradwaj, a former engineer at Alameda Research, turned whistleblower, revealing a series of security lapses and missteps that led to significant financial losses for the firm. Baradwaj's disclosures painted a picture of a company whose rapid pace occasionally bypassed essential security measures, leading to "major security incidents" every few months.
One of the most significant losses originated from a seemingly innocuous action: a click on a malicious link. An Alameda trader, while attempting to finalize a DeFi transaction, mistakenly clicked on a fake link that had been prominently displayed on Google Search results. This error resulted in a loss exceeding $100 million. Following this incident, Alameda implemented additional checks on their internal wallet software to prevent similar mishaps.
Incident #1:
An Alameda trader got phished while trying to complete a DeFi transaction by accidentally clicking a fake link that had been promoted to the top of Google Search results
Cost: $100M+
Postmortem: Implemented extra checks on our internal wallet software — Adi (e/acc) (@aditya_baradwaj) October 11, 2023
Baradwaj also highlighted another incident where Alameda ventured into yield farming on a new blockchain, which he described as of "questionable legitimacy." This decision eventually led to the firm incurring losses surpassing $40 million.
FTX founder, Sam Bankman-Fried, has always highlighted the importance of agility for both Alameda and FTX. However, Baradwaj suggests that this emphasis on speed often came at the expense of industry-standard engineering and accounting practices. He noted that the firm often bypassed code testing and had incomplete balance accounting.
“This meant virtually no code testing and incomplete balance accounting. Safety checks for trading would only be added on an as-needed basis.”
He also said that the blockchain private keys and exchange API keys were stored in plaintext, accessible to multiple employees. This careless security measure led to another incident where an old version of the plaintext files containing keys to Alameda's wallets was leaked, resulting in losses exceeding $50 million.
Incident #3:
An old version of our plaintext keys file was leaked, likely by a former employee. The attacker transferred funds out of some exchanges and placed bad orders
Cost: $50M+
Postmortem: Migrated our secret keys to a more secure storage system — Adi (e/acc) (@aditya_baradwaj) October 11, 2023
While Baradwaj detailed several incidents, he also mentioned that many more occurred before his time with the company. He alluded to other significant events, such as the MobileCoin incident, which became a significant point of contention during a trial.
Baradwaj's remarks coincide with former Alameda CEO Caroline Ellison taking the witness stand during the sixth day of Bankman-Fried's fraud trial. In previous days, several former colleagues, including Adam Yedidia and Gary Wang, have presented substantial new evidence against the former billionaire.
Wang has acknowledged developing specific code that enabled Alameda to engage in extensive trading with a significant line of credit from FTX, while Caroline Ellison has provided intricate insights into the alleged mingling of funds between FTX and Alameda.
Bankman-Fried has entered a plea of not guilty to the charges he faces and maintains his innocence throughout the ongoing trial.
