Bybit Payroll Manager's Self-theft Analysis
Colin Wu . 2023-08-10 . Data
Original | TaxDAO

Translator | WuBlockchain

The Singapore High Court, in a verdict on July 24th, stated that cryptocurrency is typically considered property. In this case, the exchange Bybit sued Ms. Ho, who is responsible for salary payment, for transferring a large amount of USDT to an address she secretly owns. The court ruled that Ms. Ho should immediately repay the transferred funds and interest to Bybit.

The following is the link to the original TaxDAO article: https://mp.weixin.qq.com/s/c8h5gmXZiuQRY4uirmf9IQ

Event Summary

Cryptocurrency exchange Bybit has sued Ms. Ho, who is responsible for the company’s payroll, for abusing her power by transferring a large amount of USDT to addresses she secretly owns and controls. On July 25th, the Singapore High Court’s general court upheld the verdict that Ms. Ho should immediately pay Bybit all the transferred funds plus interest.

Detailed Event Analysis

1. ByBit Fintech Limited (“ByBit”) seeks a judgment against the first defendant, named Ho Kai Xin (“Ms. Ho”). She is charged with breaching her employment contract, abusing her position by transferring some USDT to an “address” she secretly owns and controls, and transferring some fiat currency to her own bank account. The main relief sought is a declaration that Ms. Ho is holding the USDT and fiat currency on trust for ByBit. Therefore, ByBit requests the return of the same or its traceable proceeds, or payment of an equivalent amount.

From the details above, we can deduce:

● Ms. Ho solely controls cryptocurrency and fiat currency accounts related to payroll, without multi-level authorization.

● There are significant flaws in the funds control process (any control deficiency related to the accounts, even if it results in a loss of just $1, is a major flaw).

2. As part of her duties, Ms. Ho maintained Microsoft Excel spreadsheets recording the cash and cryptocurrency payments to be made to ByBit employees each month (referred to as the “Fiat Currency Excel File” and the “Cryptocurrency Excel File”). ByBit employees can, and indeed often do, change their designated addresses by communicating new ones to Ms. Ho, after which Ms. Ho would update the Cryptocurrency Excel File. Only Ms. Ho could update the Cryptocurrency Excel File, and only she had access to these files, except that she had to submit the Cryptocurrency Excel File to her direct superior, Casandra Teo, for approval every month.

From the details above, we can deduce:

● The process of collecting payroll addresses is rather casual, can be modified at will, and leaves no trace.

● The audit of payroll addresses is merely a formality, and the audit data comes from a single source, making it impossible to verify whether a receiving address is genuine or fabricated.

3. On September 7, 2022, ByBit discovered eight unusual cryptocurrency payments (“anomalous transactions”) that occurred between May 31, 2022, and August 31, 2022. These transactions involved the transfer of a large amount of USDT to four addresses (which I will simply refer to as Address 1, 2, 3, and 4), totaling 4,209,720 USDT (“cryptocurrency assets”). USDT is so named because its value is pegged to the US dollar. Each USDT confers upon its holder (i.e., the “verified customer” of the issuer, Tether Limited) contractual rights to exchange their USDT for US dollars. These anomalous transactions were compiled into an Excel spreadsheet (“Reconciliation Excel File”), and Ms. Ho was tasked with explaining the discrepancies. Ms. Ho initially attributed the anomalous transactions to unintentional or technical errors and proposed calculations for the amounts to be reclaimed from ByBit employees.

From the details above, we can deduce:

● Bybit should have an internal reconciliation process, but it lags behind, possibly because the high volume of transactions outpaces the back-office support.

● The cost of remedying issues after they have occurred is far greater than the cost of planning ahead.

4. ByBit also found that Ms. Ho had caused $117,238.46 (“fiat assets”) to be paid into her personal bank account in May 2022. It’s undisputed that Ms. Ho had no right to the fiat currency.

From the details above, we can deduce:

● Even the fiat currency account was compromised, which is puzzling. For a task as traditional as fiat payroll, there are countless established processes and tools to draw on.

● Even if, for the sake of salary confidentiality, payment and authorization need to be handled by HR (with some tasks outside of financial control), the basic tasks of making the salary table, bank payment actions, and authorizations should be separated.

Financial Management Concepts Applicable to Web3

With the development of Web3 over the years, not only have many business giants emerged, but more and more Web2 people have also joined the fray. Considering the evolution of regulatory and compliance environments in recent years, it’s crucial for more and more Web3 companies to pay attention to the necessary financial management concepts and tools.

1. Protect the Security of Cryptocurrency & Fiat Accounts:

Isolate risks by separating data collection nodes, operational nodes, and authorization nodes. At each node, verify the same piece of information from different sources. This prevents reliance on a single source of information, ensuring that there’s a way to trace and compare information back to its origins.

2. Financial Verification Mechanisms:

Implement regular reconciliation and accounting. Similarly, verify the same piece of information from different sources, ensuring that there’s a way to trace and compare. This should be done no less frequently than once a month. Verification mechanisms ensure the “business cycle” (a placeholder term used for the original “闭环”) — that is, validating the occurrence of a transaction and its accuracy.
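To make points 1 and 2 concrete, here is an added example of a monthly payroll reconciliation check. It is not code from the article, from TaxDAO, or from Bybit; the employee IDs, addresses, amounts, and role names are constructed placeholders. The check treats the HR roster as one source and an address-change log as a second source: a changed address counts as approved only when someone other than the operator who entered it has confirmed it, and every executed payout must match an approved address and the approved salary. In the Bybit case, a single person both kept the address list and had the only copy of it, so transfers to unlisted addresses had no independent record to be compared against.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class RosterEntry:
    employee_id: str
    address: str            # address on record in the HR roster (source 1)
    monthly_amount: Decimal


@dataclass(frozen=True)
class AddressChange:
    employee_id: str
    new_address: str
    entered_by: str                  # payroll operator who keyed in the change
    confirmed_by: Optional[str]      # second party who confirmed it, or None


@dataclass(frozen=True)
class Payout:
    tx_id: str
    employee_id: str
    address: str
    amount: Decimal


def approved_addresses(roster, changes):
    """Source 2: the set of addresses each employee may be paid to.

    The roster address is always approved. A changed address is approved only
    if it was confirmed by someone other than the operator who entered it, so
    one person cannot both key in and approve a new destination."""
    approved = {e.employee_id: {e.address} for e in roster}
    for c in changes:
        if c.confirmed_by is not None and c.confirmed_by != c.entered_by:
            approved.setdefault(c.employee_id, set()).add(c.new_address)
    return approved


def reconcile(payouts, roster, changes):
    """Return (tx_id, reason) findings for payouts that cannot be traced to an
    approved record, plus amount mismatches and duplicate payouts."""
    approved = approved_addresses(roster, changes)
    expected = {e.employee_id: e.monthly_amount for e in roster}
    first_payout = {}   # employee_id -> tx_id of the first payout seen this period
    findings = []
    for p in payouts:
        if p.employee_id not in expected:
            findings.append((p.tx_id, "unknown employee"))
            continue
        if p.address not in approved.get(p.employee_id, set()):
            findings.append((p.tx_id, "address not approved by a second source"))
            continue
        if p.amount != expected[p.employee_id]:
            findings.append((p.tx_id, "amount differs from approved salary"))
        if p.employee_id in first_payout:
            findings.append((p.tx_id, f"duplicate payout (see {first_payout[p.employee_id]})"))
        else:
            first_payout[p.employee_id] = p.tx_id
    return findings


# Constructed sample data for one pay period; all values are placeholders.
SAMPLE_ROSTER = [
    RosterEntry("E001", "0xAAA1", Decimal("5000")),
    RosterEntry("E002", "0xBBB2", Decimal("6000")),
    RosterEntry("E003", "0xCCC3", Decimal("4500")),
]
SAMPLE_CHANGES = [
    # E002 changed address; the employee confirmed it through a separate channel
    AddressChange("E002", "0xBBB9", entered_by="payroll_op", confirmed_by="E002"),
    # E003's change was entered by the operator with no independent confirmation
    AddressChange("E003", "0xDDD4", entered_by="payroll_op", confirmed_by=None),
]
SAMPLE_PAYOUTS = [
    Payout("tx1", "E001", "0xAAA1", Decimal("5000")),   # normal
    Payout("tx2", "E002", "0xBBB9", Decimal("6000")),   # confirmed change, normal
    Payout("tx3", "E003", "0xDDD4", Decimal("4500")),   # unconfirmed change
    Payout("tx4", "E001", "0xAAA1", Decimal("15000")),  # wrong amount and a second payout
    Payout("tx5", "E999", "0xEEE5", Decimal("7000")),   # no such employee
]


def run_sample():
    return reconcile(SAMPLE_PAYOUTS, SAMPLE_ROSTER, SAMPLE_CHANGES)


if __name__ == "__main__":
    for tx_id, reason in run_sample():
        print(f"{tx_id}: {reason}")
```

The payout list would come from the chain or the bank statement, not from the operator's own spreadsheet, and the roster from HR; the check only has value when the person who executes payments cannot edit either of the two sources it compares against.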

3. Accounting Records, Including Cryptocurrencies:

Comprehensive and valid accounting records, combined with a traceable evidence chain, can significantly reduce the risk of internal control failures. Utilizing accounting records for business management and meeting external compliance obligations is crucial. (The downfall of FTX has a certain connection with its chaotic accounting records.)

4. The Necessity of Internal Controls:

What’s important is to have a sense of business management and internal controls. If you can integrate excellent automated management software with extensive practical experience in internal control, accounting, and taxation, you can ensure the long-term stability of your crypto venture.
