Bybit Payroll Manager's Self-theft Analysis: Vulnerabilities in Blockchain Enterprise Financial Management
Original | TaxDAO
Translator | WuBlockchain

The Singapore High Court, in a verdict on July 24th, stated that cryptocurrency is typically considered property. In this case, the exchange Bybit sued Ms. Ho, who is responsible for salary payment, for transferring a large amount of USDT to an address she secretly owns. The court ruled that Ms. Ho should immediately repay the transferred funds and interest to Bybit.

The following is the link to the original TaxDAO article: https://mp.weixin.qq.com/s/c8h5gmXZiuQRY4uirmf9IQ

Event Summary

Cryptocurrency exchange Bybit has sued Ms. Ho, who is responsible for the company’s payroll, for abusing her power by transferring a large amount of USDT to addresses she secretly owns and controls. On July 25th, the Singapore High Court’s general court upheld the verdict that Ms. Ho should immediately pay Bybit all the transferred funds plus interest.

Detailed Event Analysis

1. ByBit Fintech Limited (“ByBit”) seeks a judgment against the first defendant, named Ho Kai Xin (“Ms. Ho”). She is charged with breaching her employment contract, abusing her position by transferring some USDT to an “address” she secretly owns and controls, and transferring some fiat currency to her own bank account. The main relief sought is a declaration that Ms. Ho is holding USDT and fiat currency on trust for ByBit. Therefore, ByBit requests the return of the same or traceable proceeds or payment of an equivalent amount.

From the details above, we can deduce:
● Ms. Ho solely controls cryptocurrency and fiat currency accounts related to payroll, without multi-level authorization.
● There are significant flaws in the funds control process (any control deficiency related to the accounts, even if it results in a loss of just $1, is a major flaw).

2. As part of her duties, Ms. Ho maintained a Microsoft Excel spreadsheet, which recorded cash and cryptocurrency payments to be made to ByBit employees each month (referred to as “Fiat Currency Excel File” and “Cryptocurrency Excel File”). ByBit employees could, and indeed often did, change their designated addresses by communicating new ones to Ms. Ho, after which Ms. Ho would update the Cryptocurrency Excel File. Only Ms. Ho could update the Cryptocurrency Excel File, and only she had access to these files, except that she had to submit the Cryptocurrency Excel File to her direct superior, Casandra Teo, for approval every month.

From the details above, we can deduce:
● The process of collecting payroll addresses is rather casual: addresses can be modified at will, and changes leave no trace.
● The audit of payroll addresses is not only a formality, but the audit data also comes from a single source, making it impossible to verify whether a receiving address is genuine or fabricated.

3. On September 7, 2022, ByBit discovered eight unusual cryptocurrency payments (“anomalous transactions”) that occurred between May 31, 2022, and August 31, 2022. These transactions involved the transfer of a large number of USDT to four addresses (which I will simply refer to as Address 1, 2, 3, and 4), totaling 4,209,720 USDT (“cryptocurrency assets”). The USDT is so named because its value is pegged to the US dollar. Each USDT confers upon its holder (i.e., the “verified customer” of the issuer, Tether Limited) contractual rights to exchange their USDT for US dollars. These anomalous transactions were compiled into an Excel spreadsheet (“Reconciliation Excel File”), and Ms. Ho was tasked with explaining these discrepancies. Ms. Ho initially attributed the anomalous transactions to unintentional or technical errors and proposed calculations for the amounts to be reclaimed from ByBit employees.

From the details above, we can deduce:
● Bybit should have a reconciliation process internally, but it lags behind, possibly due to the high volume of transactions and the back-end support not being able to keep up.
● The cost of remedying issues after they have occurred is far greater than the cost of planning ahead.

4. ByBit also found that Ms. Ho had caused $117,238.46 (“fiat assets”) to be paid into her personal bank account in May 2022. It’s undisputed that Ms. Ho had no right to the fiat currency.

From the details above, we can deduce:
● Even the fiat currency account was compromised, which is puzzling. For a task as traditional as payroll in fiat currency, there should be countless process and tool examples to draw on.
● Even if, for the sake of salary confidentiality, payment and authorization need to be handled by HR (with some tasks outside of financial control), the basic tasks of making the salary table, bank payment actions, and authorizations should be separated.

Financial Management Concepts Applicable to Web3

With the development of Web3 over the years, not only have many business giants emerged, but more and more Web2 people have also joined the fray. Considering the evolution of regulatory and compliance environments in recent years, it’s crucial for more and more Web3 companies to pay attention to the necessary financial management concepts and tools.

1. Protect the Security of Cryptocurrency & Fiat Accounts: Isolate risks by separating data collection nodes, operational nodes, and authorization nodes. At each node, verify the same piece of information from different sources. This prevents reliance on a single source of information, ensuring that there’s a way to trace and compare information back to its origins.

2. Financial Verification Mechanisms: Implement regular reconciliation and accounting. Similarly, verify the same piece of information from different sources, ensuring that there’s a way to trace and compare. This should be done no less frequently than once a month. Verification mechanisms ensure the “business cycle” (a placeholder term used for the original “闭环”), that is, validating the occurrence of a transaction and its accuracy.

3. Accounting Records, Including Cryptocurrencies: Comprehensive and valid accounting records, combined with a traceable evidence chain, can significantly reduce the risk of internal control failures. Utilizing accounting records for business management and meeting external compliance obligations is crucial. (The downfall of FTX has a certain connection with its chaotic accounting records.)

4. The Necessity of Internal Controls: What’s important is to have a sense of business management and internal controls. If you can integrate excellent automated management software with extensive practical experience in internal control, accounting, and taxation, you can ensure the long-term stability of your crypto venture.
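The cross-source verification and reconciliation described in concepts 1 and 2 can be sketched as a check that runs before approval and again after payment. This is an added example, not part of the original article; the three input sources, the finding names, and the placeholder addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

def reconcile(registry, sheet, payouts):
    """Cross-check three separately sourced views of one payroll run.

    registry: {employee: address}, attested by each employee through a
              channel the payroll operator cannot edit (assumption)
    sheet:    [(employee, address, amount)] rows prepared by the operator
    payouts:  [(address, amount)] transfers exported from the paying wallet
    """
    findings = []
    owners = defaultdict(set)        # address -> employees paid there
    approved = defaultdict(Decimal)  # address -> total approved amount
    for employee, address, amount in sheet:
        owners[address].add(employee)
        approved[address] += Decimal(amount)
        if employee not in registry:
            findings.append(("UNKNOWN_EMPLOYEE", employee, address))
        elif registry[employee] != address:
            findings.append(("ADDRESS_MISMATCH", employee, address))
    # One address receiving several employees' pay is a red flag on its own.
    for address, employees in owners.items():
        if len(employees) > 1:
            findings.append(("SHARED_ADDRESS", ",".join(sorted(employees)), address))
    paid = defaultdict(Decimal)
    for address, amount in payouts:
        paid[address] += Decimal(amount)
    # Every transfer must match an approved total, and every approval a transfer.
    for address in sorted(set(paid) | set(approved)):
        delta = paid[address] - approved[address]
        if delta != 0:
            findings.append(("AMOUNT_MISMATCH", str(delta), address))
    return findings

# Constructed sample data: placeholder addresses, not values from the case.
REGISTRY = {"E001": "ADDR_A", "E002": "ADDR_B", "E003": "ADDR_C"}
SHEET = [("E001", "ADDR_A", "1500"), ("E002", "ADDR_X", "1800"),
         ("E003", "ADDR_X", "2100")]
PAYOUTS = [("ADDR_A", "1500"), ("ADDR_X", "3900"), ("ADDR_Y", "5000")]

if __name__ == "__main__":
    for finding in reconcile(REGISTRY, SHEET, PAYOUTS):
        print(finding)
```

The approver sees only the sheet in the process the article describes; here the registry and the wallet export give the reviewer two views the sheet's author does not control.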