Author | TaxDAO
On July 28th, Wu said blockchain published "Full text of the bizarre case: Bybit payroll manager stole a large amount of USDT, Singapore court explains the property attributes of cryptocurrency", which prompted a lot of discussion in the industry. This article analyzes and summarizes the case from the perspective of financial management.
Event Summary
Crypto exchange Bybit sued Ms. Ho, who was responsible for paying salaries within the company, for abusing her position by transferring a large amount of USDT to an address she secretly owned and controlled. On July 25, the General Division of the Singapore High Court upheld the ruling that Ms. Ho should immediately pay Bybit all the transferred funds and interest.
Event details analysis
1. ByBit Fintech Limited ("ByBit") seeks a judgment against the first defendant, Ho Kai Xin ("Ms. Ho"). The allegation against her is that she breached her employment contract, abused her position, transferred some USDT to "addresses" that she secretly owned and controlled, and some fiat currency to her own bank account. The primary relief sought is a declaration that Ms. Ho is custodian of the USDT and fiat currency for ByBit. ByBit therefore seeks the return of the same or its traceable proceeds, or payment of an amount of equal value.
From the above details it can be concluded that:
1. Ho alone has full control over the cryptocurrency and fiat currency accounts related to salary, without multi-level authorization;
2. There are major loopholes in the fund control process (the lack of internal control related to the account is a major loophole even if the loss is only 1 US dollar).
2. As part of her duties, Ms. Ho maintained a Microsoft Excel sheet that recorded cash and cryptocurrency payments due to ByBit employees each month (the “Fiat Excel File” and the “Crypto Excel File”, respectively). ByBit employees could and did frequently change their designated addresses by communicating the new addresses to Ms. Ho, who would then update the Crypto Excel File. Only Ms. Ho was able to update the Crypto Excel File, and only she had access to the files, except for the need to submit the Crypto Excel File to her direct supervisor, Casandra Teo, for approval each month.
From the above details it can be concluded that:
1. The process for collecting payroll addresses is relatively casual, and addresses can be modified at will without leaving any trace;
2. The review of the payroll addresses is not only a formality, but the data under review also comes from a single source, so there is no way to confirm whether a receiving address is real or forged.
3. On September 7, 2022, ByBit discovered eight unusual cryptocurrency payments (the “Abnormal Transactions”) that occurred between May 31 and August 31, 2022, involving large amounts of USDT transferred to four addresses (which I will simply refer to as Addresses 1, 2, 3, and 4). A total of 4,209,720 USDT (the “Crypto Assets”) were transferred. USDT gets its name because its value is pegged to the U.S. dollar, and each USDT confers a contractual right to its holder (i.e., a “verified customer” of the issuer, Tether Limited) to redeem their USDT for U.S. dollars. These Abnormal Transactions were compiled into an Excel spreadsheet (the “Reconciliation Excel File”), and Ms. Ho was assigned the task of interpreting the discrepancies. Ms. Ho initially attributed the unusual transactions to an unintentional mistake or technical error and offered to calculate the amount that needed to be recovered from ByBit’s employees.
From the above details it can be concluded that:
1. Bybit presumably has an internal reconciliation process, but it lags relatively far behind, which may be related to the fact that the backend support cannot keep up with the high volume of business;
2. The cost of patching up problems afterwards is far greater than the cost of planning beforehand.
4. ByBit also found that Ms. Ho caused $117,238.46 (“Fiat Assets”) to be paid into her personal bank account in May 2022. It is undisputed that Ms. Ho was not entitled to the fiat currency.
From the above details it can be concluded that:
1. The fiat currency accounts were also compromised, which is puzzling: for traditional work such as paying salaries in fiat currency, there should be countless examples of established processes and tools;
2. Even if payment and authorization need to be handed over to HR for reasons of salary confidentiality (so that part of the work is outside the finance function's control), basic payroll preparation, bank payment actions and authorization still need to be separated.
Financial management concepts for Web3
After years of development, Web3 has not only produced many business giants, but is also attracting more and more people from Web2. Combined with the evolution of the regulatory and compliance environment in the past two years, the necessary financial management ideas and methods need to attract the attention of more and more Web3 companies.
1. Protect the security of crypto & fiat currency accounts: isolate risks, separate basic information collection nodes, operation nodes and authorization nodes, and verify the same information from different sources at each node to avoid having only one source of information and being unable to compare and trace it.
2. Financial verification mechanism: regular reconciliation and bookkeeping, for example, verify the same information from different sources, which avoids having only one source of information and being unable to compare it or trace its origin. The interval between checks should not exceed one month. The verification mechanism ensures a "business closed loop" (I can't think of a better word to replace "closed loop"), that is, the occurrence of an event and whether it occurred correctly and on track are mutually verified.
3. Accounting records, including cryptocurrencies: complete and valid accounting records and traceable chains of evidence greatly reduce the risk of internal control failure, and the accounting records can be used for business management and external compliance obligations (the collapse of FTX is also related to its chaotic accounting records).
4. Necessity of internal control: It is important to have a sense of business management and internal control. If you can use excellent automated management software that has internalized a lot of practical experience in internal control, accounting, and taxation, you give your crypto business the best chance of being stable and long-lived.
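The cross-source verification described in points 1 and 2 can be sketched as a small reconciliation routine. This is an added example, not code from Bybit or TaxDAO; the three data sources, the employee IDs, the addresses and the amounts are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data; employee IDs, addresses and amounts are illustrative only.
# REGISTRY: address each employee confirmed through a channel the payroll operator cannot edit.
REGISTRY = {"E001": "TAddrAlice", "E002": "TAddrBob", "E003": "TAddrCarol"}
# PAYROLL_SHEET: the operator-maintained sheet submitted for monthly approval.
PAYROLL_SHEET = [
    {"employee": "E001", "address": "TAddrAlice", "amount": Decimal("3000")},
    {"employee": "E002", "address": "TAddrUnknown1", "amount": Decimal("2800")},
    {"employee": "E003", "address": "TAddrCarol", "amount": Decimal("2500")},
]
# TRANSFERS: what actually left the wallet, exported from the ledger rather than from the sheet.
TRANSFERS = [
    {"to": "TAddrAlice", "amount": Decimal("3000")},
    {"to": "TAddrUnknown1", "amount": Decimal("2800")},
    {"to": "TAddrCarol", "amount": Decimal("2500")},
    {"to": "TAddrUnknown2", "amount": Decimal("9000")},
]

def reconcile(sheet, registry, transfers):
    """Cross-check three independent sources and return a list of findings."""
    findings = []
    # Check 1: every sheet address must equal the independently confirmed one.
    for row in sheet:
        if registry.get(row["employee"]) != row["address"]:
            findings.append(("ADDRESS_MISMATCH", row["employee"], row["address"]))
    # Check 2: per address, the amount paid must equal the amount approved.
    expected, paid = defaultdict(Decimal), defaultdict(Decimal)
    for row in sheet:
        expected[row["address"]] += row["amount"]
    for tx in transfers:
        paid[tx["to"]] += tx["amount"]
    for addr in sorted(set(expected) | set(paid)):
        delta = paid[addr] - expected[addr]
        if delta != 0:
            findings.append(("AMOUNT_MISMATCH", addr, delta))
    return findings

if __name__ == "__main__":
    for finding in reconcile(PAYROLL_SHEET, REGISTRY, TRANSFERS):
        print(finding)
```

Check 1 only has value if the registry is maintained by someone other than the person who edits the payroll sheet; otherwise both sources collapse back into one.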