> Only Singh, Bankman-Fried and a few other top FTX and Alameda executives knew about the exemption in the code, according to three former executives briefed on the matter. A digital dashboard used by staff to track FTX customer assets and liabilities was programmed so it would not take into account that Alameda had withdrawn the client funds, according to two of the people and a screenshot of the portal that Reuters has previously reported.
If you want to see what you should never do as a software engineer if you like not being in jail, this is it.
Singh will definitely get prison time as well, though I'm sure all the higher-ups in FTX are trying to point fingers to get deals. In the Madoff scandal, 2 of Madoff's programmers were sentenced to 2 1/2 years each. In this case, Singh has much more culpability as a higher-up (not to mention a pre-collapse billionaire).
> If you want to see what you should never do as a software engineer if you like not being in jail, this is it.
Not quite the same level, but in my early days working on a payment system, a request from the product team was to create a summary screen where customer service reps could see payment histories AND THE CC INFORMATION USED FOR THE PAYMENTS. In my mind, there was no way that would end well, so I strenuously objected and had to endure some very heated conversations over the course of a month or two. Eventually product team agreed to last 4 digits + expiration.
Nowadays it wouldn't even be a conversation, but in the early 2000's, it was a different world.
My first job out of college (2007) involved a lot of removal of early 2000s one-off custom payment processing code. Access DBs full of years worth of credit card numbers, code that just emailed the credit card details to the site owner without keeping a record, etc. It was definitely a different world. Most of them, I just switched to PayPal shopping cart and checkout. In retrospect, I didn't know wtf I was doing and probably shouldn't have been working on it.
Yeah, I worked for an agency around the same sort of time and saw exactly the same kind of thing.
I remember one site that saved all the CC and order details to a plain text file in the web root. This was opened using an FTP programme every evening and someone would run the numbers through the machine in their store and post out the orders...
Sure, there's always room for improvement, but at the very least SSL/TLS is ubiquitous now, there actual TLS versions are much better, developers generally view holding onto CC data directly as toxic (the growth of things like Stripe checkout, etc.)
We wouldn't think of doing it. This is the kind of thing your auditors would see from outer space. If you're doing this and you don't have auditors, you're lying on your self-assessment questionnaire. Either way your merchant status is in jeopardy.
Remember Alamada wasn’t a normal customer. It was acting as a market maker/counterparty of last resort to many other FTX customers. In that case there could be situations where ‘normal customer liquidation rules’ shouldn’t apply - it can go in the red temporarily to enable others to trade (and FTX to make commission).
From the facts in the article (which are obviously not complete) if I was Singh my defence would be I assumed/was told the changes were to support Alamadas role as market maker and their actual long term exposure was being monitored elsewhere.
> Remember Alamada wasn’t a normal customer. It was acting as a market maker/counterparty of last resort to many other FTX customers. In that case there could be situations where ‘normal customer liquidation rules’ shouldn’t apply
This might be a reasonable argument in a vacuum, except that:
> [SBF] told investors and prospective investors that FTX had top-notch, sophisticated automated risk measures in place to protect customer assets, that those assets were safe and secure, and that Alameda was just another platform customer with no special privileges. [emphasis added]
And also:
> Bankman-Fried also told investors, and directed other FTX and Alameda
employees to tell investors, that Alameda received no preferential treatment from FTX. For example, Bankman-Fried told the Wall Street Journal in or around July 2022: “There are no parties that have privileged access.” Likewise, in a Bloomberg article published in or about September 2022, Bankman-Fried claimed that “Alameda is a wholly separate entity” than FTX. In the same article, Ellison is quoted as stating about Alameda: “We’re at arm’s length and don’t
get any different treatment from other market makers.” Bankman-Fried made similar statements directly to investors. [emphasis added]
(The above are direct quotes from the SEC complaint [1] against SBF.)
Singh might argue that he wasn't aware of the private statements to investors. But the WSJ and Bloomberg stories show the "arm's length" claim was something they consistently messaged to the public at the highest levels. To argue that Alameda's role as market maker of last resort justified a privileged status would be inconsistent with all their prior public claims to the contrary. "We lied to the public repeatedly about our risk management" isn't a defense; it's a confession.
It’s potentially a defense for the engineer though, if he had nothing to do with the advertising. Of course it’s all just idle speculation; the real interesting stuff will come out in the trial, years upon years from now.
Should an engineer be tracking what their company is telling media outlets? No one else is tasked with looking at my code except other engineers; why should engineers spend their precious time making sure that other business units are performing their duties ethically?
> Engineers are of course partly responsible for the things they implement.
That is outrageous. The company owners have limited liability protections. The employees should receive at least that unless they are in a position that requires specific legal training like an engineer legislatively appointed to be responsible for some safety function. Where they are appointed and remunerated specifically for their legal responsibility, in other words.
And the court cases after WWII are hardly reliable precedent. They were basically making it up as they went with fairly flimsy justification apart from the fact they had a bunch of troops still in fighting form.
Limited liability protects against financial loss, not criminal indictment. If you are an employee or owner and you do something to enable fraud the company as a whole is doing, you are still criminally liable.
> Limited liability is a legal status in which a person's financial liability is limited to a fixed sum, most commonly the value of a person's investment in a corporation, company or partnership.
Engineers are responsible for strictly technical failures. When a piece of software does what a representative of company management asks for it hasn't failed.
Software engineers are not lawyers and they are bad at interpreting laws.
> Software engineers are not lawyers and they are bad at interpreting laws.
Right, so if something seems sketchy ("please ignore these specific deductions when calculating our holdings") , get a lawyer - or CEO or CFO or whatever - to say in writing that it's fine.
And if something seems actually illegal ("just run the blood test results out-of-spec and report them anyway") just don't do it. Nothing absolves you of some things.
Sure. But if the engineer doesn't think it is sketchy enough to seek out a lawyer, why would they suddenly be liable for issues where they are obviously ignorant, and never expected to be competent?
I’ve received yearly training as part of my job outlining my civil and criminal liabilities as a software engineer going back 20 years. It’s par for the course in finance.
The tautological answer is that it's because we the people have made laws that in certain specific situations make people criminally responsible for how the product of their labor is being used.
The practical answer is that it's because we do want to discourage criminals from "splitting liability" by having most of a gang doing some illegal goal together stay "clean" and only delegating a single "fall guy" for the final touch; so criminal law is explicitly written to consider everyone who knowingly assists a crime to be partly liable as well.
Engineer doesn't imply honesty. In those jurisdiction where it's a protected title, it just implies that you have some mix of STEM topics in your degree. Software engineers, in these jurisdictions, have that mix, and are as real as bioengineers (a.k.a hospital lab workers), chemical process engineers, construction engineers, etc.
No one has had their engineer title taken away for being a crook, as far as I know. Unless the crooked thing they did was fake their diploma.
It doesn't imply honesty. It does imply liability, so if something bad happens because you're dishonest, you will lose the title, and suffer other consequences.
> No one has had their engineer title taken away for being a crook, as far as I know
This seems an absurd claim, unless you're going to get very pedantic about some distinction between "engineer title" and "legal right to function as an engineer".
This is one example found after just a few seconds of searching, but it is absolutely commonplace to have your engineering license revoked for carrying out criminal activity.
> In those jurisdiction where it's a protected title, it just implies that you have some mix of STEM topics in your degree.
This seems a bizarre claim too. In jurisdictions where membership of a professional licensing body is necessary in order to refer to oneself as an engineer and practice as an engineer, it is absolutely not the case that all you need is the right "mix of STEM topics in your degree". It means you have a certain degree, have completed a set amount of work experience, have completed a professional certification exam and then maintain that license, which may require meeting other requirements periodically. And yes, "not being a crook" is certainly one of those requirements, and being involved in major criminal activity, especially criminal activity related to your professional practice, is absolutely grounds for having your license and certification as an engineer revoked.
Why not? Why do we keep Apple responsible for Foxconn's labor practices? Isn't Foxconn an independent company after all? The reason is because we don't want evil to spread by externalizing the responsibility to third parties.
Most things are ambiguous, so you can have an argument about what intent was. Even things like firearms, you can say, "well, I made this gun so people can use it in self defense".
This seems pretty unambiguous though. Sometimes you're just facilitating breaking the law, or making things dangerously unsafe.
> When individuals are responsible for the theft, loss, or unauthorized disclosure of PHI, the most common consequence is the loss of employment. However, in the most serious HIPAA violations, criminal charges can be filed against the individual(s) responsible.
Yep.
"comprehensive knowledge of their companies media output" is an interesting way to put it. I would really just recommend engineers maintain some sense of self awareness.
Singh was the chief engineer for a major exchange. It's his job to know better than this.
If the chief engineer for NASDAQ put in a backdoor to allow a market maker unlimited margin, would you assume they just figured it was legit because someone said so?
He knows how markets work too well for a defense like that.
I never understood why Alameda took risky bets when it could just make a bunch of cash off buy/ask spreads assuming trading volume was decent. Running the exchange they can front run any large trades and move the market.
Crypto is flooded with liquidity so market making is like selling ice to an eskimo.
These days a naive market making strategy in crypto just incinerates capital very reliably as the tiny bid ask spread is a small fraction of the adverse selection risk (whole spread moving past). They did probably make money on this in the early days and got smoked when the sophisticated tradfi players joined.
Front running large trades by looking at non public info on the order book is possible but this is also fraud, so not a strategy to avoid legal troubles, and it also only works if the large traders are naive and not adversarial (putting fake large orders to front run you etc).
What SBF could have done is close down Alameda when it was clear they were not competitive, and concentrate on growing the exchange by reinvesting the fees, but that would have clipped the growth and donations/acquisitions lifestyle to something much less flamboyant.
> Crypto is flooded with liquidity so market making is like selling ice to an eskimo.
This is not true at all, in general quoting in these markets is absurdly capital-intensive compared to tradfi.
> These days a naive market making strategy in crypto just incinerates capital very reliably as the tiny bid ask spread is a small fraction of the adverse selection risk (whole spread moving past). They did probably make money on this in the early days and got smoked when the sophisticated tradfi players joined.
Are the sophisticated tradfi players here yet? Seems like no?
Great! I'm just continually surprised, because my firm is 4 people with a combined 1.5 years of very outdated tradfi experience and these markets are very good to us.
For example, it's surprising that big tradfi players were not able to prevent take-only basis arb bots written in Python running on a un-tuned VPS from printing five figures on individual new listings in mid 2021, or permitted us to click trade tokenized stock quarterly futures minutes from expiry for nearly guaranteed profit also in mid 2021.
Some examples of hidden information that doesn't generally get disseminated in exchange orderbook APIs:
* Attribution: who's making the order?
* Short labelling... are they selling or shorting?
* Non-display or iceberg orders (not common in crypto?)
* Immediate-or-cancel orders... the executions hit the feed, but not the original order details. Also whiffs (order but no fill) don't get disseminated in any way.
* Certain order types that may rest on the exchanges order book but either don't have a specific price or display doesn't make sense... market orders, midpoint orders, pegged orders, auction order books (less common in crypto)
EDIT: On the attribution side -- they could also know the leverage any customer is taking and use that adversarially (which was the straw that broke their camel).
Thanks, yeah attribution is an interesting one. You usually have the cryptographic address of the maker but not any link to FTX account that might be responsible, and as you say the ability to correlate an order with other positions
> Certain order types that may rest on the exchanges order book but either don't have a specific price or display doesn't make sense.
I suppose orders than are designed to only be consumed by a matching engine don't need to be made public unless they are matched.
The order book from the API is at the very minimum delayed (by network and protocol latency if nothing else) and aggregated/sampled (full feed is too big), so an insider can have an advantage of more complete and timely data.
That's for honestly run APIs, then an exchange can play some games with that feed if they want to...
It depends on the time, it's public after the fact, but not-public during the time gap where someone like Alameda could do front-running by managing to get in other transactions before the loser's orders get executed, or before any others get the chance to take that order.
You don’t need speed to front run someone you need special access, which Alameda had.
That said they are being accused of something much less sophisticated. They were allowed to take money out when they made money but didn’t have to pay money in when they lost.
Even if you have special access, if you need 40ms (500ms p999) to compute a square root, you're not gonna be able to make worthwhile decisions on the basis of this access
These are our observed latencies for their risk checks after sending millions of orders per day for months at a time (which doesn't sound like much, and isn't much, but is the entire order rate that they gave us while we were doing 0.5% of the maker volume on their exchange).
You’re stating confidently that python is orders of magnitude slower than it actually is because of some pseudo code, which you haven’t seen implemented, and you called into across a network link?
Arrogance, they thought they were smarter than the market.
There are people who make a living playing poker that are not intellectually gifted. Their secret? Do as you say, play boring, safe strategies that will guarantee you will make money in the long run. They might not run up 1000$ to 10000$ very often but they sure do win. However, remove discipline, add intellectual ability and an abundance of overconfidence and you get FTX and Alameda Research.
Judging from some of the videos that circulated from the Alameda CEO I'd say it's also a significant portion of incompetence. I'm not going to guess which one was more though.
Front running requires pretty invasive changes to the very performance critical parts of the trading engine. You have to analyse the queued trades, decide on a trading strategy and insert new trades, all without inserting too much latency.
It would be hard (but not impossible) to implement such functionality without dozens of software engineers being very aware of it's existence and the implications.
This kind of software change only touches the edges and can be done with much more plausible deniability. The exclusion to margin calls was a single if statement inserted by a single engineer with the justification Alameda were the primary market maker. The dashboard change might have been just a bug they avoided fixing (If you normally automatically margin call negative balances, why would your dashboard bother reporting negative balances?)
There was huge amounts of money to be made. They got too greedy, made a play for it, then the market dropped. If things kept going, it would have made them all a lot of money.
SBF, through his industry connections, was able to figure out how to take the difference while trading Bitcoin between different countries, as the premiums are different. It's basically a legal money printer.
I am baffled by why fraud was necessary. I guess it's just means to an end for "effective altruism".
Yeah its not as simple as putting two limit orders and collecting your fee. Market makers take huge risks when there is a big market move. When Luna crashed for example Alameda provided exit liquidity to traders and was left holding the bag.
A lot of people have said this, but that day was easily the best day to be quoting. There was lots of volume on both sides all day, even as the price increment became very large compared to the price
You mean kind of like how the US market works now with PFOF?
And the fact that by far the largest market maker in the US is also a hedge fund (two different companies with the same owner(s), where have we seen that before?).
Not an excuse. They had a programme for external liquidators giving some slack for trades taking the other side of liquidating positions, so Alameda should have used that. This looks worse.
In any case it's not needed: liquidators get the 3% initial margin so are usually in profit. For the cases when the market moves faster than that, they should have done what the better-run exchanges do and close the most leveraged positions from the opposite side: if lots of longs get liquidated in aggregate the shorts get their profit trimmed by the losses of the longs beyond maintenance margin, in order of leverage, which is fair enough when duly documented in the terms.
FTX and Alameda publicly represented that Alameda's relationship with the exchange was the same as any other market maker's, and any other market maker could sign contracts to become a counterparty of last resort by joining the Backstop Liquidity Provider program.
This seems flaky at best. Either becoming an extreme lapse of judgment - or intentional ignorance. His position as a higher up makes claiming the former difficult.
My claim to fame is that I dealt with SBF and Nishad to get some Python code for their api client merged in, the first non-FTX committer. I coded up a lot of the api functionalities that were missing. They never gave me a tip. A couple years later when I pitched for investment they declined it as they "were looking for more volume".
> If you want to see what you should never do as a software engineer if you like not being in jail, this is it.
> Singh will definitely get prison time as well
But how long? Jerome O'Hara and George Perez were arguably more complicit in Madoff's scheme than anyone, having written the computer software to generate the fake investment return reports and even actively helped dupe the investigating regulators but were only sentenced to two and a half years in prison.
That's true, but likely factors were: they were in an adversarial power relationship with some of the other participants (notably: Madoff himself who repeatedly assured them that he actually made the trades that they reported but I fail to see how they could have been so gullible) and may have been put under significant pressure and it likely is a first offense all of which would result in a lesser sentence. But it still is obviously a very serious transgression, and none of their claims that they didn't know what was really going on seem to have fooled the jury.
Even the most kind reading of the situation leaves little doubt that they knew exactly what was going on.
> If you want to see what you should never do as a software engineer if you like not being in jail, this is it.
Strange comment.
Are the engineers who made the code change responsible?? Do engineers need to be lawyers and financial gurus too, and evaluate every ticket they are given for possible illegality in every country the software is used??
Yes of course they need to know the law. Anyone who might potentially break the law during the course of their work needs to know what that law is. ‘Just following orders’ is not a defence.
This is very odd special pleading by programmers. Every industry needs to do this: journalists learn media law in their university degrees, architects have to learn the building regulations. Why is programming any different?
Because programming is usually applied to different industries. Yes, you should know the laws of your own industry (in tech that would be privacy, licenses, export rules, copyright, some patent basics etc.) but you can‘t know the law of each industry you write software for.
Holding people personally liable is the exception and not the norm. It makes sense too, like if the company lawyers say something is fine then you have to be able to trust them, unless it's something obviously wrong.
This is not an argument against programmers, like other professionals, learning the aspects of the law which are relevant to their job. Why should programming be the one profession where this is not required?
Because to be criminally liable for something requires both a) actually doing something that is against the law and b) doing so with intent (i.e. you knew what you're doing is against the law and you did it anyway... because you thought you will not get caught or just didn't care). It is then up to the prosecution to prove, beyond reasonable doubt, that you actually intended to break the law. (With the exception of strict liability crimes, which are limited in scope to minor infractions and things like drunk driving or statutory rape.)
You can still get sued in civil court of course, but that's not the state trying to put you in a cage and so the standard goes from beyond reasonable doubt to most likely.
If you're a coder coding shady shit for your shady employer, you most likely know you're doing so and there's typically some trace or record left. But coders are not investment bankers and in fact may not even know anything about investment laws and regulations. And it's completely unreasonable to expect them to know. I worked on many projects, including medical and education... if I had to question and investigate every executive decision impacting my work then I wouldn't get anything done.
"Mens rea" is a requirement for certain crimes, but not all, you definitely can be criminally liable for doing something without intent. The trivial example is murder vs manslaughter, the latter does not require intent but obviously can be and is criminally prosecuted.
Furthermore, even in cases where mens rea is required, it gets satisfied if you intended to achieve the prohibited result even if you thought that the result was permitted. "Intent" is not about intent to break the law, it's about the intent to do the thing that happens to be illegal. In this case, it matters if you knew what the thing you're making was going to be used for (e.g. hide some stuff from auditors) but your knowledge or ignorance of the relevant laws and regulations doesn't matter at all - as another poster noted, https://en.wikipedia.org/wiki/Ignorantia_juris_non_excusat .
Sorry but this is completely wrong. “Mens rea” means knowing you were doing a particular thing. It doesn’t mean knowing that it was illegal.
E.g. if I take your wallet off of a table because I thought it was mine, I’m probably not guilty of theft. If I took it because I didn’t know theft was illegal, I probably still am.
In English courts, there’s some debate about a defendant’s ignorance of the law.
In this Chancery case from 2021, the judge mulls over what it means that a defendant is “unaware”. He considers the distinction between someone who knows about the relevant law and misunderstands it vs someone who doesn’t know at all. And the judge briefly wonders whether someone working in regulated activity (like finance) and completely unaware poses the most risk to the public.
The judge left the issue unsettled, but it raises the possibility that ignorance might count against a defendant. The Chancery Division handles business disputes, though, and I imagine the criminal courts have their own rules.
They won't until they do. When it's something seemingly egregious like this, it has the potential to be something that makes an example and changes curriculum for CS students across the country for decades.
I expect other engineers to know laws when creating things (not like having a JD). Accredited business schools in the US teach business law to their undegrads. It's absolutely not ridiculous or a stretch to have a similar expectation.
There's a big difference between the HN crowd shouting "they should know the laws!" vs. licensed and controlled professionals like architects and structural engineers that "follow the law" via established codes, which have clear boundaries that can be evaluated and prosecuted when violated.
> When it's something seemingly egregious like this
You don't even know what "this" is. So the BI engineer that stitches together data for a report should have known that combining these two values was illegal? What silliness.
‘clear boundaries that can be evaluated and prosecuted when violated.’
Have you ever looked at media law or libel law? It does not have clear boundaries, but journalists are still expected to follow the law. Journalists are not absolved of the responsibility because it’s complicated.
You just need to not break the law. It’s how it works. If you don’t want exposure to liability, you need to acquaint yourself with relevant law.
They absolutely have boundaries that a lawyer or prosecutor can use to make a case in a court of law. How do you think the law works? Interpretation of laws is a big part of how the common law system works.
If there are clear boundaries, there would be no need for interpretation. Interpretation is needed to resolve questions that arise because the boundaries are not clear.
> If there are clear boundaries, there would be no need for interpretation
You can't prosecute someone for murder just for insulting you. You can't prosecute someone for robbery if all they did was jaywalking. Media laws have clear boundaries sufficient for legal professionals to do their job. Building codes have clear boundaries sufficient for legal professionals to do their job.
I don't know, we hold other engineers responsible for the consequences of their work, personally I think the industry would be better off if we had more accountability for programmers.
But we don't hold the gun-industry accountable for mass-shootings. Maybe we should. But situation is a little bit similar here. The engineer created the gun. He didn't use the software to shoot people. Or maybe he did. The question is did he personally benefit from the change made more than his usual salary?
Or think about people who build bridges. They just follow the orders they get from higher ups. Bridge collapses. The higher-ups should be held accountable not the workers. The question I think is did the engineer here just follow orders? Perhaps he understood very little about finance, only about programming.
A gun has many purposes, some legitimate (law enforcement, "defense" etc), others less so. A code change that allows the company to do illegal things has no legitimate purpose.
I think what's up to debate is to what extent the developers were lied to regarding the purpose of the code. Maybe they were told it was for testing purposes only, or the higher ups managed to convince them that it's ok despite them questioning it. I suppose those things will come up during investigation and will certainly affect their sentences, but I don't think they will be off the hook that easily.
A `DELETE FROM` function can be used for good or bad. A gun can be used for good or bad (see the war in Ukraine, it can be used to murder or protect your family from murderers).
A code change excluding a known, named entity from safety checks is more like rigging a bridge to explode when your enemy crosses the bridge.
The gun manufacturers have a special law passed at the federal level to prevent civil liability (PLCAA). That is being chipped away at but it’s currently a special privilege they hold enacted by the legislature of the US.
> "The question is did he personally benefit from the change made more than his usual salary?"
I would guess the compensation structure at FTX included a lot of their own crypto tokens, since the company can mint those at no cost. And Alameda was a big holder of those FTT/Serum tokens.
So you're a software engineer who owns theoretically millions of dollars worth of FTT tokens, and then the boss comes to you and asks to make an exception for Alameda... Since you work at FTX, you're probably aware that Alameda holds and trades a lot of FTT. If you do the code change to make Alameda look better and maintain the value of your own crypto portfolio, there's no question that you're a part of the fraud.
> The question is did he personally benefit from the change made more than his usual salary?
That’s not the question — as in, it won’t be an element of any of the crimes he’s eventually charged with. The question is whether he was knowingly or recklessly involved in a scheme to defraud people.
And just generally, legal reasoning does frequently use analogies but they need to be tighter than the ones you’re using. This case isn’t much like building a faulty bridge.
I would think that in most crimes the motivation of the accused is a factor. Think about hate-crimes. They are not hate-crimes unless the person did them out of hate for the PURPOSE of hurting members of some minority.
Murder-in-first-degree means you didn't just recklessly cause the death of somebody, it means you did it intentionally, on purpose.
Was this engineer knowingly and intentionally helping to commit the crime? We don't know because we haven't seen many details or testimonies in this case. He must be assumed innocent until proven guilty. And proving him guilty must include proving he had criminal intent, Mens Rea. The court of public opinion as in Hacker News is of course a different matter.
If a bridge collapses it's the /engineer/ that's held accountable. Engineers sign off on things. They are accoutable to the product that they build and those that use their product. This guy calls himself a software engineer, so he should accept all the responsibility and accountability that goes with that title.
Your gun analogy is not fair and it does not translate well to the actual situation at hand. A gun engineer is not responsible for all the deaths the weapon causes. But said engineer will be very much accountable if the weapon blows up in the wielder's hands during normal use (even though practically this might not be the case due to liability disclaimers and all that).
We have case studies where deaths were caused by shit software, where the engineer of that wrote the software is clearly the accountable one.
Software engineers are some of the highest quality engineers there are. Objectively by a simple metric: lives ended through incompetence. Software engineers lead. No other engineering discipline comes close.
When an executive level manager is paid multiple times (or orders of magnitude) what an engineer is paid, I feel there should be a different assignment of responsibility and exposure to risk.
Because there’s not been a large obvious reminder for some time. In fact the last such reminder was before most currently living software developers were born.
In some cases, yes, they are held responsible. When I was trained on HIPAA compliance lawyers made it clear that individual employees could be held responsible for some violations. And yes, we restricted service availability based on region until we achieved compliance with GDPR and various regional PII/PHI data export laws.
I work in another regulated industry today, and throughout the year sign off on understanding various regulations and trainings of 3 letter agencies, that are essentially in place to indemnify the company in case of a violation. I’d expect financial services follows similar steps.
But if you only told someone to do it and haven’t actually done it yourself, are you guilty of breaking the law?
Yes, you are. Splitting responsibility between those who give orders and those who follow them to avoid penalties is exactly why both are persecuted and put in jail.
The person who commissioned this change, knowing the potential financial ramifications that it opened them and their depositors money up to, is the one who should be charged.
Really? I feel like intent would be really hard to prove.
"Hey, due to the way our accounting works I need you to subtract X from our dashboard."
"Ok boss."
Are programmers expected to know finance law? If I build a program for a dairy farmer am I supposed to know the laws of the interstate dairy trade? I can't believe that would be the case.
Nishad Singh wasn't some low-level coder. He was FTX's Director of Engineering.
> "Hey, due to the way our accounting works I need you to subtract X from our dashboard."
That is not what happened here. The fact alone that very few people knew about Alameda's special treatment, and, importantly, deliberately conspired to keep that treatment secret is a pretty strong indicator that he knew it was wrong.
Director of engineering != product manager in charge of deciding what features to include. If somebody tells engineering, “we will not use this feature illegally,” then it’s the fault of the higher ups who are possibly (?) trying to scapegoat somebody to protect themselves
Directors have specific, well defined legal duties to their company which includes a duty of fiduciary responsibility. That is why they're directors rather than "head of product" or "VP of marketing" or whatever other meaningless title people bestow on themselves. Saying "my boss told me to do it so it is not my fault" is nonsense because you have no boss beyond your shareholders.
A senior developer of anything in this area would be expected to fully understand the risk implications of this. I have written the code to closeout positions automatically multiple times in multiple jobs.
It may have been possible someone directed a junior developer to make this change, but then it would be a case of hunting down who told them. If that happened in my team I'd be documenting everything I saw and running, not walking, not walking briskly, out the door.
This said, nothing is black and white. For example, due to immature processes, they might have told the developer that the main account was only one of many accounts they can call on, but the code only allows for one, so we have to make an exception. I'd still be freaking out.
If Jamie Dimon asked a developer at the bank "hey can you have Chase ATMs allow these 10 accounts that are in my name to withdraw unlimited funds?" everyone involved would be in jail.
"For testing purposes, these 10 account numbers should be allowed to remove cash from any of our ATMs. The testers will put the money back." It doesn't sound that nefarious. If you told me this is how ATMs are currently being tested in the industry, I wouldn't be able to contradict you.
...A bench test of an ATM probably doesn't involve real money. No one in finance is stupid enough to use real money on production environments for testing purposes.
There is test... And there is PROD. Never do the two meet. Ever.
If someone out there does, please make yourself known so we can get the investigators over there ASAP.
You can test in production if you have multi-tenancy aware services, where tenancy is some string value like Foo to make sure reads to Foo can only read data that was written to Foo.
That's not testing in production, that's just the same as saying your test VMWare environment is in the same datacentre as your prod VMWare environment.
>If Jamie Dimon asked a developer at the bank "hey can you have Chase ATMs allow these 10 accounts that are in my name to withdraw unlimited funds?" everyone involved would be in jail.
This isn't true
I worked for a large bank. I managed data for their mortgages. We bought another bank and processed their mortgages with our systems. There were several thousand accounts that we called "friends of the <former CEO>" because they had really weird terms.
A noteworthy example is: $10m Home Equity loan, with 2% interest for 40 years, and the owner could refinance any anytime without any fees
In English, this means we can't repossess their loan, they pay a super low monthly payment, and the final amount is never really due.
I fail to see the equivalence. These are just loans with weirdly favorable terms. If the other bank had shareholders, then this would be a breach of the fiduciary duty. Otherwise it's just bad business? Bad business != fraud.
I'm not sure why would that be fraud - who would be the defrauded party there? Offering wildly different conditions or prices to different customers definitely isn't fraud.
The other customers have no standing there, they have no relationship whatsoever that contract between the bank and another customer, they have no legal expectation to get the same conditions or to know what conditions other customers get. If the bank explicitly and intentionally lied that no other customers get so favorable conditions, that might be false advertising but I'm not sure, I'd expect a reasonable court to interpret that a bank "telling your customers you don't and can't do this" is exaggeration/puffery (i.e. permissible) and doesn't have to literally mean that they're not doing that for anyone, it means that they absolutely refuse to do it for you.
I’m assuming the poster meant refinance with the same terms. So the borrower can get another 40 years to pay back the remaining balance anytime they like.
You're right. I believe the technical term is "recast" where you take all of the outstanding balance and spread it over the course of "the next 40 years" with the same interest rate.
Another fact I omitted is that the interest rate is 2%, but the minimum payment is lower. So the borrower is accumulating owed balance because they are paying less than interesting accruing.
Given the market of the last couple of years they may actually have been able to re-finance that loan with a different bank and gotten better terms. 40 years is a long time.
$10M ona 40 year term and a 2% rate is like $30k/mo in payments. I wouldn't say most people would think of $30k a month a super low payment.
And now that the bank has new ownership they might be able to refinance again and continue to kick the can down the road, but they're less likely to get as favorable of terms I'd imagine.
Your math is right. I forgot to mention than the minimum payment might be less than the interest rate.
And the technical term for the type of refinance is "recast" (iirc) - so the "new bank" honors the terms because it is a part of the originating documents.
Working on fintech and transaction rails? Probably. I had to know regulations when I worked in fintech. Plus, you don't have to know the law to be found guilty of breaking it.
The engineers working on this are innocent until proven guilty, but you'd better believe all internal comms, meeting notes, and commit messages will be scrutinized.
Someone had to ask for the system to behave this way, and that will have produced certain artifacts.
Engineers with knowledge may be cut deals to testify against the bigger players.
"When asked to clarify whether they were both gone, Bankman-Fried said that Wang was "scared" and Singh was "ashamed and guilty" because FTX customers' deposits had been lost."
Isn't that a strange thing to say? Singh is the guy who made the change, per Reuters, and this snake knew that.
Isn't it completely unscalable? I work for a big automaker, there's literally people whose only job is to be compliant and inform the necessary leads about it. There's hundreds of countries, each with very specific things. If I study everything, I can't code.
When knowledge arrives at my team, is already condensed to the point of: "in X country, you must tell the prices of a call if you show a phone number for assistance"
Why should I explore every loophole of law to be compliant? That's the companies job, not mine.
For some reason, I've seen a lot of people try to make arguments around FTX that completely miss the scale and malfeasance that occurred. This wasn't a case of "oh, you got some esoteric GAAP depreciation rule wrong". This was an engineering leader putting a ton of special cases in the code saying "For our most beloved partner, none of the rules apply, including letting them take unlimited amounts of customer funds. Oh, and be sure to hide this from the dashboards the rest of the company uses."
This is not hard. Nobody needs to be versed in the ins-and-outs of jurisdictional compliance rules to see this was blatant and egregious.
If any of this looks remotely familiar to any software devs out there, you should really re-examine your morals. Or at least hire a lawyer.
Down to the trivia level for an entire global company, sure, but this is a lot more general and bigger. Like if you have rules against accepting gifts from vendors, maybe you don’t remember if the threshold is $10 or $15, but you shouldn’t need to ask to know it’s not $30k in a suitcase.
I would say no. They just need to know how to implement what they are asked to implement.
Say you are an engineer working for a gun manufacturer. You need to know how to manufacture the gun. You don't need to know what it is used for or by whom or even how much it is sold for.
If you are aware that a crime is going on you in principle are required to report it, but not doing so is not nearly at the same level of crime as actually doing the crime. So here I think the court will look at two things?
Did the engineer know that a crime was being committed?
Did the engineer personally benefit from the proceeds of the crime more than their ordinary salary?
I am not a lawyer though so don't take my advise.:-)
That is a very bad analogy. Guns are not illegal, what people do with them might be. What these developers made had no lawful use. A better analogy would be if some engineers in a gun factory were making chemical weapons.
There are laws against chemical weapons but I don't think there are laws against producing any kind of software. It's more what you do with the software. Whereas with chemical weapons they are criminalized as such because it is clear they can be used only for one purpose.
That's a nice little fantasy. In the real world, competent developers with that level of domain knowledge mostly don't exist at any price. In the healthcare field where I work, not many developers have ever gone to medical school.
You're telling me a software engineer could make a change that allowed spending money a company could not legally spend and he had no idea about it? Come on. That is preposterous. At any respectable company alarm bells would be going off everywhere and fingers would all start pointing to that change. Theres virtually 0 chance that there was not intent.
i worked for a fintech startup in a similar space:
> Are programmers expected to know finance law?
in our case, we were. it was drilled in, and tested, reviewed, and audited. i’m not saying that something like this couldn’t have happened, but in my case anyone who would have been involved would definitely have known the legality.
Developers should know to ask questions when a weird request is made.
Developers presumably know how to think and have a vague idea of what the business does to know that a ask to futz with internal financials programmatically is fucking wierd.
IME, it depends on your chain of command. I've literally been reprimanded in my career for asking questions. My boss at that time was crap. I didn't choose him. Asking questions can very likely get you fired.
Also got reprimanded for disobeying an order at once; my boss — same one as above — would not take "no, we are in a regulated industry, and I cannot do that" for an answer. I ended up going behind his back, getting the approvals he should have gotten himself, and once I'd secured those, granted him the access he wanted. I also tried to escalate to his boss (my grand-boss) … but he didn't respond until it was all moot.
But there is a lot of stress when you're fearing for your job, even though you're just trying to do things by the book. I'm inclined to side with engineers, to a degree: the chain of command's responsibility is to never put eng in that position. (Although here, the eng in question seems far higher up than I am. I'm just a bottom rung eng…)
> Developers presumably know how to think and have a vague idea of what the business does to know that a ask to futz with internal financials programmatically is fucking wierd.
They should but IME they often don't, and even if they do, people are lazy. It's a struggle to get people to do the things they should do some days.
I'm in an industry with a lot of migrant workers, I was asked to write software that would change the time records for migrant workers so they never get overtime.
I said I wouldn't do it unless they showed me the legal advise saying that it was ok. The office sycophant piped up and said "I'll do it". From then on I stopped being invited to meetings and my job transitioned into answering the phone and then out the door.
I hope they jail the developers for 500 years, that's the sort of signal that needs to be sent.
You want Engineer in your job title? Then you say no, and you damned well ask questions, and you damned well make sure to leave the moment they make it impossible for you to act ethically.
This sounds great on paper. However, the reason "Engineer" matters is because regulation requires it. If my company is required to get a sign off from an Engineer before software is updated, then you can be 100% sure those who are qualified to sign off take their title seriously. Until then, it is just a fancy title.
My impression is that this title comes from the practice of "software engineering", not necessarily that the practitioners are licensed Engineers.
Right, "software engineer" is often used just as a synonym for "Programmer". That's just how the industry is, currently.
There are no regulations as to who can develop what software as far as I know. Whereas there are for who can design a bridge, act as your lawyer, or prescribe you medicine.
Yes and when we as software engineers / programmers act as if we don‘t care we should not be surprised if software engineering / programming gets regulated, too.
People gatekeeping the word “engineer” is a bit annoying, since the word “engineer” dates to at least 1380 and originally just means someone who works on engines. “Engineer” as a legally super special class of job is a thing that came much later and only ever applied to certain jurisdictions anyway.
“Software engineer” is just a synonym for “programmer”, in the actually existing practice of the English language.
And 'doctor' means someone with a PhD. I know a lot of doctors. However, when you talk about medicine, we mean 'Doctor' with an M.D. and they are literally held to higher standards of ethics and liability. They are licensed and people who practice professionally without a license are subject to legal ramifications.
Call yourself whatever you want, but that doesn't mean you get to define what 'Engineers' are and what ethics they are bound to. Just because you use the term in your title and say it is used properly in English, doesn't mean that you won't get treated any different than someone with a PhD demanding to be called Doctor and pretending there is no difference between them an and M.D.
Of course the word “doctor” means different things, just like “engineer”. The OP is the one who was trying to conflate them. It’s like if you told someone with a PhD in CS “if you want to be called ‘doctor’, you had better be able to heal sick people”.
In Denmark you need to hold a degree of engineering for you to call you an engineer of any kind. It's a protected term. As I remember, in the US it is not protected and anyone can call themselves engineers.
I don't know about finance but for HIPAA and CCPA, the answer is yes. Is there an accounting equivalent to the yearly, mandatory 20 minute compliance training videos?
Yes, in US fintech there are mandatory courses in anti-money laundering and know your customer laws that programmers are required to take along with everyone else.
I don’t know what exists in the crypto world operating in the Bahamas, but I’m not going to lose a lot of sleep if the FTX director of engineering winds up going to prison for this.
Ignorance of the law is never an excuse if you are found to be breaking the law. So if you think what you are doing is possibly in violation of the law you better bone up or ask a lawyer for a statement on letterhead that what you are doing is ok.
For C-level execs that is probably not going to work, but for people lower on the totem pole it may well give at least some relief. You might end up convicted anyway but with a more lenient sentence if the argument is considered believable.
There are blatantly illegal things you can do in any field of work. You need to be aware of what is and isn't within the law on a loose basis yes. Even labourers on a building site have to do some training to avoid breaching health and safety legislation (or at least to minimise the companies liability when they error).
You also need to have faith in the compliance team and senior management. If your company works in legally sticky territory like crypto doubly so.
If you are in finance or law it is a good idea to know what you can go to jail for. Engineers are people and people can go to jail for breaking laws they didn’t know about.
If you want to write code for a financial institution? You bet you should be expected to know what you are doing, and understand there are relevant laws, and also not violate those laws. It's not hard. I know the relevant laws to my domain of job.
Propably not, but a solid understanding of the rules and regulations, and legal requirements, of your field and thebindustry your working in is actually a pretty good thing.
If you work in a company where there is no one that has some idea about the laws that apply to what you do that you could check with, you would be a little concerned.
Interesting article! So Brady took "an equity stake in the company and [got] a signing bonus in crypto", then went on to make advertisements even though "The NFL has banned cryptocurrency and NFT sponsorships for its teams". Seems that he, or likely his lawyer and/or financial adviser, will have been evaluated the legitimacy since he's deep into caveat emptor territory. Like innocently buying a stolen car: you're unlikely to be in legal peril but you will lose the car (and gain a claim against the thief that sold it to you)
I think it depends a lot on the jurisdiction. In some countries there are laws around ethics and disclosure especially if you work in a certified occupation (i.e. a licensed profession, such as traditional engineering).
Software probably makes things even more hazy but in traditional engineering world there are very clear cut rules around professional ethics, personal liability and disclosure.
The real problem behind all these crypto companies is the people who make the money have no concept of what "integrity" is.
They aren't coming from a baseline assumption that their job is to protect and interests and the money of their clients.
Traditional banks, for the most part, have DNA built around protecting customer interests and customer money. Crypto companies have none of that attitude - behind every one of them is a sleazy tale of self interest and corruption.
My first introduction to this way of thinking was many years ago when I worked on a software development project and the project manager was extremely concerned about a single cent being wrong in the calculations - he taught me that with customer money you cannot get even a single cent wrong.
These crypto idiots are just young cowboys who see a giant pile of loot and don't have any concept of how to manage it in an ethical manner. They just wanted to work out how to gamble it all in the hope of more crypto gold. If there are crypto companies that have not yet had their rotten hearts exposed and gone bust, it's simply a matter of time.
Every single one of these companies will - and should - go bust - good riddance. It's a pity Robinhood won't go with them - the filthiest scumbags of all.
> The real problem behind all these crypto companies is the people who make the money have no concept of what "integrity" is.
You don't need integrity while "the line goes up". Integrity is only for when it goes down. Until recently, the line has been consistently going up. SBF was banking on it going up forever. If it had gone up forever, he would not have been caught!
While the line goes up, integrity just eats into potential profits. It's an extra cost. No business willingly spends extra money they don't have to. That's why regulation and oversight is mandatory.
> ...he taught me that with customer money you cannot get even a single cent wrong.
SBF gave an accounting on FTX holdings with an error margin of "plus-minus 10 billion dollars".
Can you imagine having error bars 20 billion dollars in size!?
For reference, companies with market caps in that range include: Tata Motors, Best Buy, Komatsu, Zoom, East Japan Railway, Mitsubishi Electric, Delta Airlines, or Panasonic!
Sit down and picture telling someone with a straight face that you may or may not have misplaced "value" on the same order of magnitude as an entire airline, or an electronics manufacturer with a worldwide presence built up over seven decades of growth.
"Only in darkness are we revealed. Goodness is not goodness that seeks advantage. Good is good in the final hour, in the deepest pit, without hope, without witness, without reward." -- Nardole
Terrible point of view, you need integrity regardless of whether the line goes up or down. As often, the line goes up DUE TO unethical behavior and poor integrity. The incentive to act without integrity is what often what drives the line going up, when it should have to begin with.
Yes, I can imagine having error bars in 20 billion dollars in size, its what the financial audit space does every single year. It's what keeps companies like you've listed in line, because you audit against a materiality.
> Traditional banks, for the most part, have DNA built around protecting customer interests and customer money.
I don't think we're living in the same world :) Traditional financial institutions are just as bad, if not worse, than most crypto companies. You just have look at all the financial system crashes and exchange frauds. A key difference is that the government is there to bail them out because they are tightly linked, and that traditional institutions know they'll be punished because of strict regulations. It's not about the actors, or some kind of fuzzy DNA/culture, but about government and regulation.
I think it's also important to note the discrepancy in transparency. Yes, FTX was just a centralized exchange that had little to do with the blockchain, but you were still be able to see some of FTXs balance movements on-chain, simply because they are forced to use ETH/BTC/FTT/etc. If we hadn't, FTX may have gotten away with what they're doing a lot longer. Nobody may have found out.
With traditional financial institutions you have almost no transparency. You have absolutely no idea what they're doing behind your back. All you can do is trust the government to eventually bail them out if they mess up. Or trust that they're scared enough of going to prison that they don't try shady things.
You clearly aren't aware of all the cryptocurrency exchanges that have gone bust. Exchanges are not banks, they are not supposed to act or even fail like banks. Exchanges only take a fee on every transaction. That is all they do. It is literally impossible to bankrupt an exchange if it is run honestly.
Banking meanwhile can fail even with honesty because of the nature of borrowing short and lending long.
> I think it's also important to note the discrepancy in transparency. Yes, FTX was just a centralized exchange that had little to do with the blockchain, but you were still be able to see some of FTXs balance movements on-chain, simply because they are forced to use ETH/BTC/FTT/etc. If we hadn't, FTX may have gotten away with what they're doing a lot longer. Nobody may have found out.
I think people might have noticed that customers could not withdraw funds, and the exchange declaring bankruptcy in any case.
>>My first introduction to this way of thinking was many years ago when I worked on a software development project and the project manager was extremely concerned about a single cent being wrong in the calculations
On one of of my previous contracting gigs (about 20 years ago), for a very large, USA-based financial services company, the VP hired me for a full month (at consultants pay rate, 40 hrs a week) to investigate and track down a 1-cent discrepancy in $4,000,000,000 under assets for a particular division that differed between two reports by exactly 1 penny(one generated on the mainframe/cobol system, and one generated on a custom pc based system).
Turned out it was a rounding error in like the 8th decimal place on the mainframe side. I thought it was crazy at the time - but guess his thinking was there is no difference between being a penny off, or a million dollars off - you need to be able to account for every cent.
It's not just crypto. The entire fintech space has an ideology that lines up far better with Silicon Valley than with Wall Street. The Wall Street mentality would dictate a very different course of action than the Silicon Valley mentality in many of the situations described in the cases brought by the DoJ and the SEC, and yet the Silicon Valley mentality seems to have been the guideline used by SBF/FTX -- perhaps because of a lack of experience dealing with customer funds, or perhaps due to ignorance of the seriousness of consequences.
Edge cases matter a lot more to Wall Street than to Silicon Valley. Wall Street is a world where the new hire on the desk gets a talking-to by the managing director for making an error that could have led to a big loss, and where people are regularly reminded not to put anything in writing that they wouldn't want to see on the cover of the New York Times. Silicon Valley is a world where "move fast and break things" is a central mantra, and sometimes those things that get broken are the rules.
This is why I'm very wary watching foreign developments in the payment space. Living in a country where contscyless payments and free instant transactions were a thing long before Apple and Google arrived with their products, these services seem to add very little except for a foreign third party. Sure, PayPal was around in case you needed to buy something online in another country, but I don't believe it's as deeply ingrained.
At the same time I read stories about other countries where people think it's completely normal that some third party app has replaced the bank's role as a payment processor, even going so far as to include these services within the banking environment itself.
The way I see a large amount of fintech is that business savy people see their banks struggle to get up to standards that were common elsewhere ten years ago and try to make a quick buck throwing together an implementation before the banks can get themselves together. These companies solves the needs of the end customer, but only patch over the underlying problems that keep building up because there is no reason to address them anymore.
How much can you really trust a company built on profiting off the failings of a basic institution underlying almost all commerce?
As Schumpeter observed, value creation is accompanied by creative destruction, and right now it looks like we're in the "creative destruction" phase when it comes to fintech.
It was one thing when in the early 2000s creative destruction was involving entities like pets.com, no-one was really hurt by those companies going down, but it's another thing when the company going down might hold your "savings" or owe you money as a SME, like Revolut or Klarna.
A license should be required to prove you understand your ethical obligations to handle anyone else's money.
It's sad that the entire crypto industry happened too fast for the regulations to keep up, with the unsurprising result that vast amounts of customer money have been lost and stolen - the precise reason for regulation.
I would not be surprised if many people have taken their own lives as a result of crypto losses arising directly from lack of integrity of the companies managing the customer money.
The loophole is that employees at hedge funds and investment advisers don't face the same licensing requirements as employees at banks and brokerages who deal directly with customers. There are people who trade billions of dollars of customer funds a week without any required regulatory exam or license.
He had a series 7? Did not know that. But, right, he was a trader with Jane Street, so he had to have a Series 55 and probably the Series 7, which is for brokers.
(Everybody in finance takes the SIE, the "securities industry essentials" exam. That should be required for programmers in finance.)
The only reason bitcoin and friends are “worth” anything at all is precisely because there are no regulations. If crypto companies had to play by the same rules as real fintech firms the whole thing would collapse. Why? Because the entire crypto space is nothing but hot air.
If exchanges and stuff had to play by any rules, they’d go out of business because there is no other reason for crypto’s existence but to run scams.
(Okay maybe it won’t entirely collapse but crypto certainly wouldn’t be valued anywhere near what it is now)
I've never been near code handling money, but "never put anything in writing that you wouldn't want to see in the New York Times" is something I've heard repeatedly at a big tech company too. It seems like pretty standard advice nowadays.
The "move fast and break things" slogan was by Zuckerberg at Facebook, though they've since abandoned it.
I’ve worked at market making firms in US and there were exceptionally strict controls and regulations. Engineers had to be properly qualified to even touch certain parts of the codebase and it potentially came with legal ramifications.
> Traditional banks, for the most part, have DNA built around protecting customer interests and customer money.
Would you feel comfortable wiring your money off to a bank account in the Bahamas? I wouldn't. I think safety is more about jurisdiction (and therefore regulations) than it is about what type of currency a business deals in.
Bank DNA has always coded for taking foolhardy risks with customer money. It wasn't until heavy regulation came into play that banks stopped going bust left and right, at least in the USA. Even under heavy regulation, you still see their true colors from time to time such as when they discovered risk loopholes in 2008 that led to the financial panic.
Until regulation hits crypto custodians, they will largely be fly-by-night yokels that go bust left and right, just like the first American banks did. After regulation hits, they will be just as safe as modern banks (and likely, many crypto custodians WILL be modern banks - see e.g. Fidelity entering the custody business recently.)
> The real problem behind all these crypto companies is the people who make the money have no concept of what "integrity" is.
The entirety of Wall street has no concept of what "integrity" is. The solution was heavy regulation. It happened to banks, and it will happen to crypto. Crypto custodians are speed-running banking regulation.
They only sell those to accredited investors - indeed, the counterparty in the famous lawsuit was a German bank who'd bragged about how they were smart traders playing with the big boys.
You have a point, but you may be thinking of the CDOs they and other sold, knowing that they were full of risky mortgages but laundering them through overly-chummy ratings firms.
> One of things that tends to boggle programmer brains is while most software dealing with money uses multiple-precision numbers to make sure the pennies are accurate, financial modelling uses floats instead. This is because clients generally do not ring up about pennies.
I find it funny that you’re associating integrity with Wall Street. From my perspective, Wall Street’s morals and ethics is not far off from Silicon Valley’s if not worse. The main difference is that Wall Street has mastered the art of adapting to regulations and lobbying politicians and their very own regulators. It’s not a secret that there’s a revolving door between top regulatory bodies and Wall St entities. Also while having private corporations like the DTCC and FINRA fool the masses into thinking that they’re public regulatory bodies, it doesn’t fool us. Wall Street has way more crooks than Silicon Valley. They’re just better at hiding and legalizing their theft and corruption. At lease Silicon Valley creates things with value for society.
Old Russian proverb: "when fish begins to rot, it starts from the head".
Yes these crypto bros are young grifters out for the big score with zero integrity or morals and hopefully they will look forward to spending their best years in a jail cell. But they are enabled and encouraged by a good old boys network of VCs, journalists, and other influential figures in the tech community. Madoff at least picked rich people as his marks; the media have blown up the likes of SBF as geniuses and encouraged ordinary people to invest money they can't afford to lose in crypto.
Do traditional banks protect customer interests? They may now after being forced to, but the UK government is deregulating the banking sector considerably to try and avoid losing even more face by London losing financial capital status, and I would not be surprised at all if we see banks taking stupid risks/being wilfully negligent again.
Let’s not forget that these regulations they’re getting rid of came about after 2008, when banks had to be bailed out by taxpayers around the world.
As they say, what causes more damage, the founding of a bank or the robbing of a bank?
> The real problem behind all these crypto companies ...
> Traditional banks, for the most part, have DNA built around protecting ...
Traditional banks lack of "integrity" has wrecked considerable more havoc than crypto companies. Actually, the impact of these exchange crashes are completely negligible compared to the financial crisis ~2007.
Be honest with yourself, do you really believe every single crypto company acts without integrity and ethics? If so, it's clear you haven't familiarized yourself with the whole industry. Plenty of crypto companies have strong controls around security, consumer protection, compliance, etc.
> Bankman-Fried had directed subordinates to update the software in mid-2020 to enable Alameda to maintain a negative balance on its account, the SEC complaint said.
And thus do we have another piece of evidence for why morals and ethics matter, even for software developers. I doubt they'll end up with liability, but I do hope they at least recognize and think about how their actions enabled this whole mess.
> When you should know it's criminal, "just following orders" isn't a great defense.
That's even true in the military if you're given illegal orders. It's called the "duty to disobey".
It's not enough that employees "should" know what's illegal and what's not in an exchange -- companies need to be held criminally negligent for employing people who don't know.
how would they know it's explicitly criminal though? i doubt most devs have enough understanding of their business domain, much less the regulatory frameworks to be able to confidently refuse to implement something because it's illegal.
At the very least they should be aware enough of potential wrongdoing to raise questions, and do so in written form. When you write exceptions that specifically only benefit one party and no others, there is always a reason to at least be suspicious.
What I’m struggling with is that what was done is not illegal in its self. It’s not necessarily suspicious in itself (from the perspective of a single dev working on tasks), unless you assume fraud. Of course we know fraud occurred so we can look back on it and have our perception of the request tainted.
If my boss came to me and said, “continue showing customer funds sent to our “sister” investment company in the staff dashboards” I wouldn’t find that suspicious. I would probably push back and say that might be confusing unless we separate out that amount and rename the total to something that denotes part of this value is with our sister company. But I would assume design incompetence and not fraud.
But then again if I was just one of a handful of devs that worked with the company I would probably find it suspicious, as I would confidently know that nowhere else in the codebase do we support a close integration with our sister investment company and should therefore know we shouldn’t treat them any differently.
Also the modification to exempt the investment company from risk rules does seem suspicious, unless again you believed there was an integration somewhere and believed investment risk mitigation rules were handled on the other platform or something.
Even if it was clearly criminal, what is one to do in such situation? Can you just quit the job and let it continue? Or are you actually need to be the one to call the cops to be legally safe at the expense of risking physical safety as those behind the crime may retaliate?
> I doubt they'll end up with liability, but I do hope they at least recognize and think about how their actions enabled this whole mess.
Singh is going to jail. He was an executive, not just a low-level employee, and was a pre-collapse billionaire. I have no doubt the evidence like this will show that he knew what he was doing was willingly fraudulent. Madoff's programmers each got 2 1/2 years.
>And thus do we have another piece of evidence for why morals and ethics matter,
It sounds like there's plenty of other evidence, but allowing a 'negative balance' hardly sounds like a smoking gun.
A negative balance is often how credit is displayed.
>Since Alameda didn't have the funds to meet these requests, Bankman-Fried directed Alameda to tap its "line of credit" with FTX to obtain billions of dollars in financing, the complaint said
The article actually says as much. Now as Chief Engineer it's possible he was aware it was a scam, but it's also possible he was just told they have an arrangement with Alameda that allows them to maintain a credit line.
Last time I got educated on this subject (required class for a CCW about 20 years ago) just getting arrested was predicted to net you a five figure legal bill. Get indicted, now we're six digits and climbing.
These guys are going to spend a good bit more than that.
And this is what really ruins crypto to me. With no actual legal protection, no trust, "code is law", am I expected to keep up with every pull request? And of course these exchanges are completely opaque on top of that.
There's many reasons to hate smart contracts, but this isn't one of them. The article is talking about changes to a codebase that's closed source and deployed with little scrutiny. None of this is applicable to reputable smart contract projects, which are open source and require some sort of consensus and/or vote for code changes. Using this as an argument against smart contracts makes as much sense as using the elections in russia as an argument against democracy.
Your very post says it -- "reputable." In this field, no matter the technology, reputation and trust are everything amidst fears of rug pulls and scams, and smart contracts don't replace the need for social trust.
It's hard to name any crypto organization that was seen as more reputable than FTX before this happened.
If we can't even trust someone with SBF's track record, what's left?
Speak for yourself. Before I read your full comment I assumed your last line was a literal joke.
Countless charlatans have run confidence scams (cons) in the crypto space, accuring money and attention around a centralized platform, in a tech area predicated on decentralized technology.
Living through the MtGox era, watching the corners of the Internet refer to the incident for a decade and then the Shocked Pikachu faces now? I just can't.
I don't care about crypto and "the masses". I invest in things I understand, and it hasn't _burnt_ me yet. I understand crypto and it's unique value prop and it sure as hell doesn't involve investing in or putting my money into a centralized platform. And certainly not one run by the blessed-ilk of Wall Street.
Once again, ever so slight skepticism for the win. It's truly unbelievable the irrationality people engage in when they think they're in on something even when they don't actually understand it!
"The line goes up" is a cautionary tale, and yet I think some folks really missed the whole middle section talking about the psychology that the vultures (NFT, centralized exchanges, etc) are preying upon when chasing explosive growth (or riches, on the other side of the equation).
> and smart contracts don't replace the need for social trust.
idk, a (still relatively) fat stack of crypto sitting on my Ledger would disagree.
thats so wtf to me-- from my perspective it was obviously squirrly from the start.
The guy showed up out of nowhere... suddenly being promoted by throwaway reddit accounts, claiming to have made more than ten billion on trades where claiming a million dollar payoff would have been surprising and dubious.
Their exchange specialized in offering almost anonymous retail traders access to leveraged trading on the most dubious of cryptocurrencies stuff popular exchanges won't carry and they carry a lot of bullshit. They even had varrious weirdo products 'index funds' including one called 'shitcoin index'.
When FTX acquired a derivatives clearing house I used, I pulled 95% of my account value out right away. I also warned my friends to stay away from FTX or anything related when I had the chance-- which wasn't often because it wasn't something most bitcoiners I encountered were particularly aware of (as mentioned, their service was more of a casino than an exchange-- big leverage for the most volitile crap).
So while I get how people that might have been in the right media bubbles might have thought it was reputable... but generally? Not a chance, at least not from my perspective.
Was the media critical? No-- there are reports that negative stories about SBF and FTX were actively suppressed in some newsrooms and it's already the case that scamcoiners are actively suing people who criticize them, so that's a big incentive to say nothing when you see a fraud.
I was mostly using "reputable" as a hand wavy way to eliminate the minority of smart contract projects that don't have such protections. As it relates to smart contracts or more broadly crypto, the point is that you can theoretically inspect every aspect of the system, rather than trusting whoever is running it won't do anything bad because they're "reputable". There are still failure modes for this (eg. hidden bugs, intentional or otherwise), but at least you can't pull off what happened at FTX.
>A bad actor can steal the voting tokens, and decide the vote. Even without that, I can't assume that the voters are aligned to my interests
Right, but all those attacks are harder to pull off and more visible than what the parent implied (ie. someone can unilaterally make changes without anyone finding out). Like I said in my previous comment, there are many issues with smart contracts, but the objection raised by OP is just really badly conceived.
>Even without that, I can't assume that the voters are aligned to my interests
This seems like an impossible demand to me. What type of system (democratic/non-democratic, crypto/non-crypto) ensures that the decision made will always align with everyone's interests?
This is just old-fashioned fraud. SBF had a Jane Street (trad fi) background. FTX didn't operate a blockchain or develop any blockchain technology on their own. They operated a trading platform that was run on Python and SQL. Then they embezzled funds and hid the trail.
This is not crypto, this is Enron, Theranos and Madoff. In DeFi, you check the code once, and that's what gonna run (exception being proxy contracts, but those are a red flag in itself).
People need to understand that money is debt. That is the source of all currency (yes, even gold and other 'hard' currency). If people cannot freely create it, then it's useless. The key is that you ought to be able to gauge the money creator on their trustworthiness, which hopefully you know as a member of a small community. Or, if you are creating money on the open market to large numbers of people, often it's useful to make your case to a nexus of trust (i.e., a bank) so that more people will accept your money
Unfortunately what happened here is a fraudster latched on to a movement that decried centralized trust and said that he is trustworthy and, when asked, pointed to some code that no one could inspect or understand. Simpletons believed him because they believed in the 'trust the code' hype, and believed his money was real. They were wrong.
But at the end of the day, expecting code to replace the core human emotion of trust, the source of money, is ridiculous.
>But at the end of the day, expecting code to replace the core human emotion of trust, the source of money, is ridiculous.
No, the point is for code to replace the institutions/people that people trust (ie. trusting the bitcoin network's consensus code, rather than a central bank), not "replace the core human emotion of trust".
Which works great until the core developers decide to rollback the “code is law” blockchain because there was a transaction they didn’t like. As it turns you still need to trust humans even in the world of “code is law”
Not really, the community ultimately decides whether to accept such decisions via distributed consensus. In this case a huge majority went along with it, but a minority did not; see Ethereum Classic, which still kinda exists
I don't think the movement cares about centralized trust? Instead it's a movement of get rich quick schemes
There's some separate movement that cares about decentralization, but they're only tangentially affected because they didn't use FTX, and they don't value their crypto in terms of stuff it can buy, but how it makes them feel
The origins of debt are ultimately material. Alice has a bushel of apples today, but Bob won't have a bushel of oranges until next month. The function of money is to decouple the general function of debt from its material details. In other words, you can have debt without money, but you cannot have money without an underlying debt.
Not a chance. I believe we're all mostly out here trying our best to make the numbers add up, when we're not (judiciously, I hope) looking the other way because some particular numbers offend our sensibilities. People are complicated, and economies are made of people. Money isn't a law of the universe, it's a technology we invented and (mis)apply in accordance with our values and desires.
It can be in barter clubs and with demurrage currencies. The problem with debt is that it takes two to pay off debt. The creditor has to spend off their savings at the same rate the debtor pays off their debt.
This type of synchronization requires a negative price signal on money though.
Money is money from the future. If I give you one dollar today, you value it not because you can instantaneously exchange it for a soda, but because you can exchange it for a soda tomorrow.
That is not how debt works, not even in a 100% reserve system.
You are never borrowing from the future. In a 100% reserve system you borrow from other people in the present. If you fail to repay you don't disappoint your future self, you disappoint another person in the present.
In a fractional reserve system loans create both debt and new money and the debt is always an obligation to pay back present money on a fixed schedule.
That's what happens when you decide to write your smart contract language in what is basically javascript and your smart contracts are interpreted in a stack based VM. Doubly so when your contract execution is entirely determined by the order in which Tx happen to get accepted.
It's actually sane when your contract is written in a non-turing-complete language with strong typing and the smart contract system has deterministic execution (i.e. you know the result when you submit the Tx and if the result would be different, the tx fails, preferably without charging you).
I'm convinced that one of the main issues with most smart contracts is that they have such weak guarantees and the guarantees they do have are brittle and hidden behind complex, opaque proofs & constraint systems.
>"That's what happens when you decide to write your smart contract language in what is basically javascript and your smart contracts are interpreted in a stack based VM."
What was the language and why did running it in a stack based VM lead to this? I'm curious about the intersection of the language and the type of VM it ran in.
The DAO “hack” was just a legitimate transfer of wealth from weak hands to smarter hands. Code is law. All “bugs” are law too. The only people who stole anything where the devs who reversed the ethereum blockchain…
Crypto only exists because it is unregulated. If it had to play by ethical, moral rules the entire space would collapse. The sole purpose of crypto is fraud. You take away the fraud and you get nothing but a solution in search of a problem.
Do you really believe that when Satoshi originally sat down to write the Bitcoin source code, he was thinking "I am going to write an open source software tool that's purpose-built for committing fraud"?
The fact that the software was not audited speaks more about the big names who invested in this clown than the clown himself. So weird how he publicly touted the EXACT OPPOSITE of everything he did and stood for.
I offer this as a service. Typically when there’s a big acquisition and an audit of the codebase is needed, I gather up a group of developers each paid about $250/hr to go through the codebase and conduct audits looking for any red flags and giving an estimation of existing technical debt.
When I did code dilligence, I just add it to a list of possible risks... or areas we'd like deeper investigation. Usually go back over it in follow up.
Neither have I but read some stuff about Tesla devs checking out the Twitter codebase or something?
It’s ridiculous but that’s the only data point known to me
That wasn't due diligence (which he'd waived) but a census of what he'd bought after the fact. They weren't validating the purchase, but helping him plan what to do with it.
The best liars believe their own lies. Having said that, it's evident that SBF was very well connected and the "old boys club" doesn't ask each other questions; "that would be rude, you know." That's probably how he raised so much money in the first place.
one time being a bit too careless with my command line friends of youtube-dl, mpd and git, I most certainly broke federal copyright laws with a single commit.
Is lying to Congress going to be added to his charges ?
In congressional testimony on May 12, he called FTX’s software “safe, tested and conservative.”By quickly unwinding the riskiest, most undercollateralized positions, the risk engine prevents build-up of credit risk that could otherwise cascade beyond the platform, resulting in contagion,” Bankman-Fried testified.He did not tell lawmakers about the software change to exempt Alameda. Indeed, he told investors that Alameda received no preferential treatment from FTX, the SEC complaint said
I'm not sure Singh should be held accountable. He is a programmer. He coded what his boss told him to.
This isn't like coding a bomb to kill people, where the programmer clearly has an ethical choice.
Singh was an employee, whose bosses had the job of ensuring what they asked him to do was legal, and he was not obliged to consider the ethics or legality with full view of the "big picture" nor even know or take the "big picture" into account.
That's the bosses job, that's why they're paid more, that's why they take more risk, that's why they may end up in prison.
Even where Singh knew something was up, it wasn't his place to be a financial expert. That's what the company's senior staff are supposed to be. Even where Singh had a partial knowledge or view of the entire company/companies or the legal framework they operated in, in his role as a programmer he was not obliged to have a full view (nor could he have).
This partial view of what's going on means his decisions can not be in full consideration. It's the bosses job to make the consideration. They failed.
To judge Singh in hindsight as if he knew everything we know now, or that the courts will come to know, is bizarre.
Brings up a question: what is the chance of blaming some of this on an "innocent" coding error? Can you get jail for not writing unit tests, swallowing an exception, a type conversion you did not expect?
Zero Chance. Singh already proved intent with his source code comment. Him claiming to be unaware of violating the law won't prevent him from getting almost certainly jailed.
> The Underhanded C Contest is an annual contest to write innocent-looking C code implementing malicious behavior. In this contest you must write C code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should perform some specific underhanded task that will not be detected by examining the source code.
> Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.
I believe that really depends on (a) how much harm it caused downstream, (b) how much of it is caused by your actions. Per Matt Levine's column today, it's not the whole problem that FTX had sloppy accounting – rather that SBF went around advertising the "sophisticated risk engine" which in reality was crap. This action accounts for fraud.
I don't see you being jailed for your random GitHub project being sloppy. However, if your closed source software that you advertise as 100% safe and secure gets used by a chemotherapy clinic, and then it comes out to be downright sloppy after killing 20 patients you may be accused of fraud. Anyway, not a lawyer so take it with a grain of salt.
I hope it also depends on a reasonable expectation of oversight and access controls when you're working in high-risk fields. Finance engineers should probably be expected to be familiar with laws concerning what they do.
You probably start by saying 'Hey I think this might not be fully compliant?' And if your boss comes back with anything other than a reasonable justification, you know there's something going on, and you should flag it higher up/leave that place
The market maker account is different from a regular customer account so the reflected balance will show the in-flight liabilities. Don't worry about it, the number is just an artifact.
It's amazing how fast the internal details are leaking out. It's very curious how Reuters could get hold of the source code and quickly identified the most relevant code. It seems someone inside FTX worked with Reuters.
After the Chapter 11 filing, all assets of FTX were seized from SBF and his former executive team was let go. John Ray, the interim CEO, the one who testified in front of Congress today, and his team are the likely source of the release.
Programmers should have a moral and defensible right to object to something that severely harms those who use their systems. Saying he was just doing what he was told fails to account for the fact that had he said no and flagged this as immoral, some customers may have their cash… maybe. Worst comes to worst he is fired but working at that level you’ll find a job in 5 mins and have sufficient capital to weather the storm. I’m a strong believer that ethics and basic philosophy should be taught as part of a cs curriculum. For precisely events like this.
I find it a bit surprising that only a few people knew about this code change. I expect other engineers found that piece of code and probably didn't ask any questions. It's normal after working on a codebase for a while to explore all the different branches. It takes a few years though, from what I gather the codebase was only 2-3 years old, so it's possible no one noticed.
I think this revelation points to the further guilt of SBF and his excuse that "he was incompetent" will fall face down under scrutiny.
The comments about engineering ethics are missing the point. Gary Wang and Nishad Singh are criminals who have each *personally* stolen $100mm or more from FTX customers. The fact that they also wrote code to hide this theft seems irrelevant.
Side note but I do not like that font Reuters uses, it feels like it is mixed case with the different sized characters even when it isn't mixed case. It's messaging me like comic sans.
This is a TTF hinting problem that shows up on Windows (and possibly Linux), but not on the Retina MacBooks the designers built and checked their sites on.
https://archive.ph/ijeyN