REDACTED DOCUMENT- Exhibits of Matthew Beville Declaration to[124] Order on Sealed Motion for Leave to File Document Under Seal,,, Exhibit A (Redacted) by BAM MANAGEMENT US HOLDINGS INC., BAM TRADING SERVICES INC.. (Attachments: # (1) Exhibit B (Redacted), # (2) Exhibit C (Redacted), # (3) Exhibit D (Redacted), # (4) Exhibit E (Redacted), # (5) Exhibit F (Redacted))(McLucas, William)
Page 1
Declaration of Matthew Beville Ex. D
Page 2
EXHIBIT 7
Page 3
UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
SECURITIES AND EXCHANGE COMMISSION,
Plaintiff,
v.
BINANCE HOLDINGS LIMITED, BAM TRADING SERVICES INC., BAM MANAGEMENT US HOLDINGS, INC., AND CHANGPENG ZHAO,
Defendants.
Case No. 1:23-cv-01599-ABJ
VIDEOTAPED DEPOSITION OF ERIK KELLOGG
THURSDAY, AUGUST 24,
9:50 A.M.
Washington, DC
REPORTED BY:
SHERRY L. BROOKS,
CERTIFIED LIVENOTE REPORTER
JOB NO. 230824SLB
GRADILLAS COURT REPORTERS
(424) 239-2800
Page 4
A.
No.
Q.
What due diligence -- you mentioned the
diligence you did on them.
What diligence did you do?
A.
So that would have been -- that would have
been the asking to see third-party -- any -- whatever
third-party reports they are willing to provide us,
which is when they provided the ISO and SOC 2 report.
On top of that, we asked them to fill out
our own security due diligence questionnaire and then
a little bit later on we created a custody
solution-specific security questionnaire, which was
given and asked to be filled out for any current and
future custody solution providers.
11:26
Q.
And it's your understanding that the SOC
report that you received covered the solution that
Binance provided to Binance.US -- that Binance
Holdings provided to Binance.US?
11:26
A.
Yes.
That's my understanding.
11:26
Q.
And what was the date of that SOC
report?
11:26
A.
I don't recall.
It was -- it was -- I
don't recall.
Q.
What else did you do when you first
started to get an understanding and comfort about the
Page 5
second.
THE VIDEOGRAPHER:
The time is 11:28 a.m.
We are now off the record.
(Discussion held off the record.)
THE VIDEOGRAPHER:
The time is 11:30 a.m.
We are now on the record.
MS. FARER:
Mr. Beville is going to ask a
clarifying question so that we're all on the same
page as to the testimony that you just provided.
11:30
MR. BEVILLE:
So, Erik, were you
describing a network tab?
11:30
THE WITNESS:
Yes.
11:30
MR. BEVILLE:
So were you describing
testing of the messages communicated across the
cables connecting the machines in your AWS
environment with the machines in the BHL AWS
environment?
11:30
THE WITNESS:
Yes.
11:30
MR. BEVILLE:
And so when you were
referring to auditing those messages, you were
capturing the actual electronic zeros and 1s moving
between the machines, decoding them, and confirming
they were as expected?
11:30
THE WITNESS:
Correct.
11:30
MS. FARER:
Thank you.
Page 6
and his team decide what products or services we
built for customers.
Q.
is the only person that can
give you information about the changes in the key
shard protocol for Binance's cold wallets?
A.
Yeah, at that time.
Q.
Why was he the only person that had that
information?
11:37
A.
I don't know.
11:37
Q.
As the chief information security officer,
by that point you've been there almost -- you know,
at least six months.
How did you get comfortable in
your role that all of the assets and keys were secure
with so little insight about what was happening?
11:37
A.
I had no reason to believe otherwise at
that time.
And we have done -- we did do -- my team
did do some initial risk assessment on PNK being the
controlling factor, you know, the number of shards
needed to whitelist any wallet addresses to move
assets off of our platform.
11:38
Q.
What did you do to test that?
11:38
A.
I asked the clearing team to do a test for
me for the whitelisting just to see what that looked
like.
We did security testing for access controls
Page 7
around PNK itself.
Q.
And when you said you asked the team to do
a test for whitelisting -- correct me if I'm wrong,
but -- are you asking -- are you saying to transfer
to a whitelisted wallet or are you saying to
establish a whitelisted wallet?
A.
No, just to establish a new whitelisted
address.
Q.
Isn't it the case that to establish a
whitelisted address you need a full quorum of the key
shards, meaning all of the keys need to vote to
agree?
11:39
A.
Correct.
11:39
Q.
So how is it that you are asking your team
to implement this test if some of the key shards are
held by Binance.com?
11:39
A.
So I asked the clearing team to do this,
to test -- to make sure that if a whitelisted request
came through that all three of our shards were
activated or basically asked to approve of it because
our three shards were still part of that quorum at
the time.
11:39
11:39
Q.
Did you have any insight as to how the
other shards were being exercised?
A.
No.
Page 8
Q.
So how were you able to get comfort with
that test if you didn't know what the other shards
were doing?
A.
This goes back to -- from the way this is
done the cold wallets can't transfer to any wallet
unless it is been whitelisted or it is whitelisted,
And so it was my understanding that the current
whitelisted addresses were all Bam wallets.
Q.
How did you develop that understanding?
11:40
A.
So I asked our data team to pull a report
of all of our existing cold wallets and their
existing whitelisted addresses and then a step
further to ask for report of all on-chain
transactions out of our cold wallets to ensure that
they were only going to the whitelisted addresses.
11:40
So if we saw any transactions going from a
cold wallet to a non-whitelisted address, it would
have raised a flag for us in that report.
11:40
Q.
Could there have been an instance when
there could have been a cold wallet transfer within
the exchange that wouldn't have been documented
on-chain?
11:41
A.
Not that I'm -- no.
11:41
Q.
Okay.
11:41
A.
All cold wallet transfers are on-chain.
Page 9
that the transfers from cold wallets can only go to
whitelisted wallets?
A.
So those controls sit in the back of the
BHL, which is why we did the -- the few times we ran
that report to see what transactions, if any, were
going to non-whitelisted wallets.
Q.
Okay.
So you -- sitting here today, do
you know whether there are controls in place that
require -- that transfer some cold wallets that can
only go to whitelisted wallets?
11:42
MR. CANELLOS:
Today now we're talking?
11:42
MS. FARER:
Or at any point in time.
11:42
BY MS. FARER:
11:42
Q.
It's our understanding -- correct me if
I'm wrong -- that has not changed?
A.
Right.
I have not seen any documentation
aside from what was covered in the SOC 2 or ISO.
11:43
MR. BEVILLE:
And are you asking about
documentation or are you asking about controls
including software controls?
11:43
MS. FARER:
I'm asking essentially two
parts.
11:43
BY MS. FARER:
Q.
Are there controls to ensure that that --
that it is the case that the cold wallet transfers
Page 10
can only go to whitelisted wallets?
Are there
controls in place for that?
A.
It's my understanding there are.
Q.
And what is the basis for that
understanding?
11:43
A.
The conversations I've had with BHL and
the third-party assessments I've seen.
Q.
And then to the second part, is there
documentation of that control?
A.
Well, I don't know if it speaks
specifically to the whitelisting.
That custody
questionnaire we've provided to them, they have the
ability to answer about controls.
It may have been
in there, but that would be the extent of any
documentation we have.
11:43
Q.
Okay.
So aside from information provided
in a questionnaire potentially and speaking to
someone, you have no confirmation that there is this
control in place?
11:44
A.
Correct.
11:44
MR. CANELLOS:
Jennifer, forgive me for
interrupting.
Just one quick -- one thing.
Maybe you could ask a little bit more
about whitelisting because -- so, as I understand it,
whitelisted -- what whitelisting means Bam has to
Page 11
understand it.
So I just want to -- I want to get a
better understanding.
So the root account is like the holder of
this environment.
So they have like overarching
rights.
So how is it the case that if there's a
server or software or something hosted or housed in
this environment that they wouldn't have rights or
access to it?
A.
So I'll give you two examples.
We'll do
the server example first.
So if -- if I built a
server within AWS on their --
is the name
of it, to give you an example.
That server is being
built by a local administrative account within the
server itself, and that is where the authentication
for access to that server lives.
It doesn't live in
the bigger AWS environment.
It's local to that --
that server.
13:12
Q.
But for that administrative account, that
was granted by the root account, though, right?
13:12
A.
Correct.
13:12
Q.
Okay.
So the root account still has
control over that administrative account?
13:12
A.
Right.
So that root account could delete
that administrator account, if you will, or change
its password or, you know, disable it.
Page 12
Q.
Or change its administrative rights?
A.
It could change the administrative rights,
but that still wouldn't change the local
authentication within the server itself.
So the most that you would be able to do
-- the most that the root account could do is -- to
that server would be to stop the server or delete it
altogether, delete the administrative role or user
that created the server itself, or just basically
disable the server for some time or move it -- you
know, make some external configurations.
13:13
But whatever is inside that server,
whatever data is inside that is going to be limited
to any user accounts set up within the server itself.
So it's own -- it's its own environment inside the
server.
13:13
Now, you could configure -- right, if the
administrator went as far as to configure the system
to allow authentication from AWS, but that's not
really common practice.
13:13
Q.
Just explain what you mean by that last
part, that it -- an administrator could allow
authentication by AWS.
13:14
A.
So you could say -- you could tell a
server -- and it would depend on the type of server
Page 13
on the operating system.
You could say don't use my
local authentication for the system, but use an
external authentication like database, which users
and permissions are allowed.
You could set that up to another system or
service within AWS.
But, again, that still doesn't
inherently give root any access to what's inside
those systems or servers.
13:14
Q.
So if it was set up to authenticate to
AWS, though, wouldn't the root have some kind of --
13:14
A.
That would -- someone would have to go
through and actually configure that, though.
Q.
Okay.
What is the configuration for the
.US AWS?
A.
Our configuration is that the root account
was only set up to create the first couple of
administrative accounts within AWS and set, you know,
just kind of a global security policy requiring a
13:15
13:15
(Whereupon, Madam Reporter asked for
clarification from the witness.)
A.
13:15
BY MS. FARER:
13:15
Q.
13:15
A.
And what's that?
Page 14
Q.
-- for the license software for the
wallets.
How is it the case that Block Technologies
is providing the wallet software?
A.
I wouldn't say that they are.
Q.
So who do you think is providing the
wallet software?
A.
Binance Holdings Limited, BHL.
Q.
Have you heard of an entity called CEFFU?
A.
Yes.
14:05
Q.
How does CEFFU relate to the wallet
14:06
software?
A.
So I was under the impression -- and
through conversations with
and in no other way --
you know, in one of our conversations it came up that
they were going to -- when I say they, BHL was going
to sell their wallet services to the more general
public.
14:06
Q.
Okay.
When did this conversation occur?
14:06
A.
Probably right near the start of this year
of 2023.
Maybe the end of 2022.
14:06
Q.
Okay.
14:06
A.
And so --
14:06
Q.
And so wait.
So by that point in time
it's your understanding that Binance Holdings was
providing the wallet software?
Page 15
A.
Yes, and it's my understanding now that
that has never changed.
It's always been BHL
providing our software.
What I have been confused
about through conversations is, what's it called?
Like what is the name of it?
And so that is where some of these -- the
name CEFFU came out, Block, and just general
misunderstandings of conversations about the name of
the service and just some loose plans that -- what
Binance was planning to do as far as sell their
wallet services to the more general public.
14:07
So that's where the CEFFU name started
coming up in our -- you know, in our reports and in
our internal communications as the way I was
referring to it, because for a time I -- I hadn't
misunderstood this.
14:07
But I understood that basically BHL was
becoming CEFFU and they were going to, you know,
start offering wallet services to -- to, again, the
world, you know, to offer this as -- and have a
customer base and all of that --
14:07
14:07
(Whereupon, Madam Reporter asked for
clarification from the witness.)
A.
To the world, just as an offering for
custody services or wallet services -- wallet
Page 16
technology services.
BY MS. FARER:
Q.
Okay.
We're going to break this down.
So
in early 2023 you have this conversation with
who
is the Binance
14:08
A.
For the wallet services, right.
For BHL,
yes.
14:08
Q.
And at that point in time Binance Holdings
was providing the wallet software?
A.
Yes.
And to clarify, they've always
provided it.
Q.
Right.
I'm just trying to see how this
evolves.
14:08
A.
Yeah.
14:08
Q.
And this is the wallet software that we
were talking about previously that sits in this
Binance environment, ties to the TSS, that software?
14:08
A.
Correct.
14:08
Q.
And so
tells you in 2023 what again?
14:08
A.
So he just mentioned, you know, we were
going to start selling wallet services as a service,
as a product.
And so I said great.
You know, so do
I -- you know, is it CEFFU?
You know, do I start
relating (sic) to our wallet services -- our wallet
solution as CEFFU?
And it was my understanding --
Page 17
Q.
How did the name CEFFU come about?
A.
I don't know who -- I don't know who made
that name up.
Q.
No, but I mean in terms of like not how
they named it CEFFU, but like how does the
organization that is CEFFU come into the picture?
A.
So it was my understanding -- at that time
it was my understanding that BHL was going to spin
off a new business arm or branch based on their
wallet services technology and call it CEFFU.
14:09
Q.
Okay.
And so when we see references
throughout documents which we'll show you that say
CEFFU is the wallet -- the wallet software provider
for Binance.US, is that not accurate?
14:09
A.
It's not accurate.
It should say BHL.
14:09
Q.
And we just had a very extensive day
yesterday with an auditor where there was a
discussion about CEFFU being the wallet service
provider.
14:09
A.
Yeah, because that was around the time
that
and I had -- we had this conversation.
You
know, and I clarified.
I said, you know, as we talk
about this, you know -- because I was aware.
14:10
I mean, I -- you know, it's challenges of
information that I felt I needed, again, just as I
Page 18
matured in the role and us as a company having audits
and being able to answer questions and having
third-party reports.
Just being able to reference the wallet
software, it made it sound like -- I got the
impression that we should be calling it CEFFU.
But,
you know,
I -- you know, I don't
know where he got the indication or inclination, but
I took that as a lead to just start calling it CEFFU
from our perspective.
14:10
Q.
And you're saying that the offering that
was being discussed with
, that was going to be
Binance taking its product commercial?
14:10
A.
Right.
14:10
Q.
That was going to be CEFFU?
14:10
A.
Right, but it was also, again, within my
understanding that we would -- like our solution
would have also -- would have been under that CEFFU
business arm.
14:11
Q.
Such that this new entity, CEFFU --
14:11
MR. CANELLOS:
Well, it could be a branch,
you said, right?
A.
Branch, yeah.
I mean, there was no --
there was very -- almost -- there was very little
discussion as to the business or the reasoning behind
Page 19
any of this.
It was more of like as we referred to
our custody software what -- you know, what's the
name of it?
BY MS. FARER:
Q.
Okay.
But I mean, new entity in the sense
of this is not Binance Holdings?
A.
No.
It was my understanding it was still
going to be a Binance entity -- sorry.
14:11
Q.
Right.
(Simultaneously speaking addressed by
Madam Reporter.
14:11
BY MS. FARER:
14:11
Q.
So let me ask:
So Binance Holdings is a
company, and so I'm saying a separate entity in that
CEFFU is a separate company from Binance Holdings.
14:11
MR. CANELLOS:
14:11
MS. FARER:
14:11
MR. CANELLOS:
A.
14:12
That's my question.
Is CEFFU a separate company
I don't know.
BY MS. FARER:
14:12
14:12
Yes.
from Binance Holdings?
14:12
Are you asking that?
Q.
What is your understanding of what CEFFU
is?
A.
Right now, I don't know what it is
anymore.
It was my -- at that time it was my
Page 20
understanding that it may become a branch of BHL
where they commercially sell their services, was my
understanding at that time.
Now I'm not sure what
CEFFU is.
Q.
And at that time what time were you
referring to?
A.
So early 20 -- earlier this year.
Q.
And so why has your view changed that you
don't think you know what CEFFU is?
14:12
A.
Because I've since then directly asked
are we -- do we have a relationship with CEFFU, and
he said no.
14:12
Q.
So all of the materials including that
which was provided to auditors referencing CEFFU
being the wallet software provider is -- they are
inaccurate?
14:12
A.
The name is inaccurate.
14:13
MR. CANELLOS:
Well, how is the name
inaccurate?
14:13
A.
Instead of CEFFU, it should say BHL.
Nothing is -- the fundamental technology, people,
processes, everything that makes up the BHL wallet
services that we use has never change.
Nothing has
ever changed on that.
14:13
It was simply referring to it -- when I
Page 21
talked to it (sic) with auditors or external parties
or even internally with folks, what do we call this
besides wallet software?
And that's where, you know,
was -- he said, well, we may be selling this
under -- we may be selling our wallet services under
the name CEFFU.
14:13
BY MS. FARER:
14:13
Q.
And so -- but at what point -- well,
scratch that.
Why did you then adopt that name in
describing Binance's -- Binance.US's wallet software?
A.
To me, it sounded like that's the way that
they were going to be branding their wallet software,
so I didn't see any reason why I don't start calling
it that.
14:14
Q.
So you understood it to be all one and the
same?
14:14
A.
Yes.
14:14
Q.
And are you now saying that that's not the
case?
14:14
A.
Yes -- well, no.
No.
I'm still saying I
believe -- I believe it's still all one and the same.
There was just a miscommunication about what they're
calling -- like that they're not -- CEFFU may very
well still go be a business line, for all I know.
I
Page 22
don't know.
(Whereupon, Madam Reporter asked for
clarification from the witness.)
A.
Like a business branch.
I don't know.
BHL may start a
new company.
What I know now is that
we should have just always referenced it as the BHL
software, custody software.
BY MS. FARER:
Q.
And how did you develop this understanding
that you should have continued to just call it the
Binance software?
14:14
A.
After our discussion with
after this
came up recently.
14:14
Q.
So a subsequent conversation with
14:14
A.
Yes.
14:14
Q.
When was this?
14:15
A.
Two weeks ago.
14:15
Q.
Tell me about that conversation.
14:15
A.
I just -- I literally asked
and said
do we have a relationship with CEFFU?
He says no, it's not CEFFU.
Who is our --
who is our wallet security -- our wallet service
provider?
And he said
look at the name on the licensing agreement.
14:15
Q.
Have you informed your auditors that the
wallet service provider -- wallet license -- or
Page 23
MR. BEVILLE:
MS. FARER:
Can we go off the record,
please?
I think that we could
clarify this very quickly with one or two questions.
not ask questions while we're working through this.
THE VIDEOGRAPHER:
The time is 2:19.
We
are now off the record.
(A break was taken.)
THE VIDEOGRAPHER:
The time is 2:40 p.m.
We are now on the record.
14:40
BY MS. FARER:
Q.
Okay.
Thank you for your patience and
letting the lawyers do their thing.
14:40
Just so the record is clear because I know
there was a little bit of back-and-forth.
And so
your understanding is that the wallet custody
solution that .Binance.US uses is that which is
licensed by Binance.com; is that right?
14:41
A.
So Binance.US licenses BHL's software.
14:41
Q.
Okay.
Is that different than what I said?
14:41
A.
I thought you said -- it sounded like you
said we use software that's licensed by .com.
14:41
Q.
Okay.
So -- thank you for clarifying if
that's what I said.
So Binance.US licenses the software from
Page 24
Binance.com, and it's your understanding that that
relationship has not changed?
A.
Correct.
Q.
Is there anything about the technology and
services relating to the wallet custody software
provided by .com that has changed during your tenure
at Binance.US?
A.
No.
Q.
I'm going to -- let's turn to some
documents.
14:42
MS. FARER:
I am going to show you what
was premarked yesterday as Exhibit 61.
14:42
BY MS. FARER:
14:43
Q.
Do you recognize this document?
14:43
A.
Yes.
14:43
Q.
Is this the declaration that you submitted
in support of the Bam entities opposition to the
SEC's motion for a temporary restraining order?
14:43
A.
Yes.
14:43
Q.
So I think what I want to do with this
document just to ground you is -- I think this will
help ground our conversation about some of the
software and wallets that we've been talking about
just so we can get to some of the details and with a
little bit more specificity --
Page 25
programs -- those -- those -- those front ends and
controlling basically the keys to the keys would fall
-- yeah, that's part of us -- us securing the assets.
Q.
Okay.
But let's break that down.
So what
is Binance's role then with respect to security of
the keys?
A.
BHL.
Q.
Binance.com, BHL, yes.
A.
So their aspect is to securely store and
safeguard our private keys.
14:48
Q.
And what involvement do you have in that
process?
A.
I am not involved in how they build their
infrastructure and manage their infrastructure.
Q.
And when you say "not involved," to what
extent do you have any insight into how Binance
securely stores and safeguards Binance.US's private
keys?
14:49
A.
This would go back to our third-party
diligence processes.
So, again, the security
questionnaires, the relationship -- building
relationship with the security folks, asking for the
third-party audits, but doing that on an annual basis
or some periodic basis.
It's not a one and --
one-time thing.
Page 26
Q.
Okay.
But I think as we talked about
earlier you don't have a means to verify the
information provided by Binance.com with respect to
storing and safeguarding the private keys?
A.
To an extent, right, that is part of our
job is to test to make sure that the solution is
acting or behaving as we're told.
I think I
mentioned the internal testing we were doing.
If
there's wallet-based controls we could test, we would
test those as well.
But outside of that, no, there's
no way for me to verify what they're telling me.
14:50
Q.
All right.
So let's start walking through
the declaration.
We can skip over sort of the
background on crypto.
14:50
I'd like to start at Section 2 where it
says the Bam Trading on page 9 with 26b.
14:50
A.
Okay.
14:50
Q.
And so it says:
"Because Bam Trading
holds customer assets on an omnibus basis,
transactions on the platform are recorded on" --
14:50
(Whereupon, Madam Reporter asked for
clarification from Counsel.)
14:50
A.
I'm sorry.
You said 27 on page 9?
14:50
BY MS. FARER:
Q.
26b.
Page 27
specifics at all.
Q.
So help me understand then -- so PNK has a
number of controls -- which, again, I know are listed
here and we'll get through it -- that Binance.US has
implemented through the PNK software to coordinate
certain transfers of funds through the hot wallets;
is that right?
A.
Can you repeat the question?
Q.
Binance.US -- well, there are controls in
the PNK system that manage the movement of funds
through the hot wallets; is that right?
So, for
example, like there's like a threshold by which if
that threshold is reached the way it's described, is
there like an automatic transfer to the cold wallets?
15:08
A.
Right.
15:08
Q.
And that's something that's built into the
PNK system?
15:08
A.
Correct.
15:08
Q.
And so how is it that the -- I'm just
trying to understand the technology.
How is it that
these -- you know, these wallets are sitting in this
environment AWS that -- there are keys that govern
these wallets, but then there's like an overlaying
software that manages transfers.
Like, how does this
work?
Page 28
A.
Yeah.
I don't -- so -- so it's my
understanding that PNK -- I talked about doing that
network capture where we look at the traffic on the
-- right.
15:10
And so PNK I guess is just kind of -- I
look at it as the front end of the wallet service --
the wallet software.
And, again, asking how the back
end works and exactly what services are talking to
which, I just don't know.
15:10
But this is why our testing -- internal
testing was done quite a bit around trying to abuse
PNK, trying to find vulnerabilities within the -- you
know, the code, doing these network captures just to
see is the traffic as expected.
But that's where our
knowledge would fall short.
15:10
And then these are why I was having
conversations, again, to get more comfortable or just
get familiarity.
But, again, there is a level that
-- of proprietary knowledge of those systems that I
shouldn't know as a customer and, you know, I respect
Page 29
that of any custodial solution.
So, again, how it
works on the back end, I just couldn't tell you.
Q.
So your view is that this wallet software
license that you have is a custody solution similar
to BitGo and Aegis?
A.
Yeah.
I look at those as -- yes, tools to
control the assets -- control our assets.
Q.
Okay.
And so similar to a third-party
custodian like BitGo and Aegis that has -- you know,
manages and secures the keys, your view is that
Binance.com does that for Binance.US?
15:11
MR. BEVILLE:
Objection to the extent it
characterizes BitGo and Aegis differently than what
Erik has done.
15:11
BY MS. FARER:
15:11
Q.
You can answer.
15:12
A.
So -- so yes.
So BitGo, Aegis, and BHL
are all just tools for us to custody our assets.
I
looked at them as tools and how we do that.
Now,
each one does it a little differently based on their
technology and their methods.
15:12
But the way we approach the risks and how
we approach securing those is, again, looking at them
in the same lens of, is this a tool?
And we put them
all through the same diligence for that reason, so
Page 30
regrouping is complete to make sure that that shard
is not showing up on the other shards as a -- as a --
you know, an approved voting shard, right.
It would
just be removed from that group all together.
Q.
And who ensures that that is the case?
So
in the example you gave, right, if somebody lost
their shard and -- like, let's walk through that
hypothetical.
For example, somebody loses their shard.
What is the protocol for what occurs when a shard is
lost?
16:17
A.
So to clarify, this is something we're
building out currently with the custody oversight
team.
As now that we now -- recently have access to
the TSS portal and that control, our proposed process
will be to run through that exercise of
decommissioning through the current shards and then
readding a new shard, if needed, and depending on the
situation.
16:18
But then we would conduct all of our
normal functions.
We would -- we would try to
whitelist and see what happens in the voting, right?
That's how we would confirm and do some control
testing within our environment.
16:18
At the same time, we would be working and
Page 31
asking BHL for any validation they could provide us,
whether they can just give us some verbal or written
validation that, yes, we see that you have X amount
of shards now; we see the activity of you dropping
the shards.
We would ask them maybe not for the logs
themselves, but for some sort of validating that they
see on the back end that that happened.
Q.
And if that wasn't occurring, could you
say to BHL decommission the shard?
Could they do it
on the back end?
16:18
A.
As far as I understand, no.
I was told
that only our shards can do that, only the actual
shards can do that.
So I'm sure we would -- they
would help support us through and we would work
together to figure out what the problem was.
16:19
Q.
Okay.
So you said that that's currently
in process of development.
What is the current state
of what occurs when you need to decommission a shard?
16:19
A.
So right now we would follow that exact
process.
We just don't have it formalized and
haven't run -- been able to run through any kind of
testing yet.
16:19
Q.
Okay.
So just so I understand, so when it
went from nine to seven, did this process that you
Page 32
just described occur to decommission the shards?
A.
I could -- I would -- I have -- I did not
see it, but I -- I -- I don't know.
But that's my
understanding, is that this is -- this is the only
way that this TSS implementation works.
Q.
So how do you have comfort that one of the
decommissioned shards can no longer -- it have like a
voting right or be signing on the transactions?
A.
So, again, we would go off of what we're
seeing on every shard, like making sure that only the
shards that we think are in existence are existence
(sic).
16:20
We've done personal validation
verification, and without any reason to believe that
what we're -- without any reason to believe that
something else is going on and that we're not seeing
something -- you know, we're going off of what we've
seen on -- on those actual devices -- on the actual
shards themselves.
16:20
Q.
So your confirmation is that you have the
device.
When there is any type of activity that
needs to happen with a TSS protocol there has to be
some voting that occurs among the shard holders,
Page 33
whether it be the full quorum, the four, like
whatever the case may be, depending on the activity.
Q.
So there's no way that unless it's shown
on the screen that anyone else who may have had a
prior shard, copy of a shard -- well, strike that.
16:21 16:21
16:21
16:21
Can someone make a copy of a shard?
A.
To my understanding, no.
It's not
possible.
Q.
And what's the basis of that
understanding?
A.
Part of that is the TSS fundamental --
there's no copy of a shard.
If the shard is part of
the group, then it's got its -- then it's -- it
becomes part of the pool.
16:22
The system -- TSS functionality wouldn't
know what to do if it saw a duplicate -- like if it
saw the encryption algorithm for shard A.
if that exact copy came across, TSS wouldn't know
what to do with it.
properties.
said --
And then
So there's the fundamental TSS
But outside of that -- I mean, like I
GRADILLAS COURT REPORTERS
(424) 239-2800Page 34 16:
Q. Well, would it --
A. -- we're going off of what we see in the shard -- what we have in the actual -- at the shard level and then, again, back tested. You know, we do monthly or periodically reports for ensuring all TSS-related activity is -- is as expected on-chain.
Q. Okay. I'm going back to the copies. So if somebody was able to make a copy, if the original shard just didn't participate in whatever the requested activity was, couldn't it be the case that you would just see the copy and nobody would know that that was a copy?
A. So now you're getting into theoreticals, I think. As a security professional, I can never say that the risk of something happening is zero. I've been around in this space too long to -- to say that.
But, in my opinion, the amount of -- it's just not plausible or realistic to think that that -- that that could be done, given what I know about TSS and just PKI for -- private key infrastructure in general.
Q. And what about your knowledge gives you that comfort?
A. I mean, are you asking like --
Q. Like break it down for us to why you think
Page 35
implementation of the whitelisting system? What is your understanding about how that configuration is established?
A. Are we talking about the shards or PN- -- the hot wallets? Are we talking about cold wallets or hot wallets?
Q. Any type of transfer that requires solely going to a whitelisted wallet. Like it was represented to us that one of the controls in place to protect against unauthorized transfers is that certain wallets can only transfer to whitelisted wallets.
So explain to us how that configuration is built in to ensure that that is what occurs.
A. So I can't speak to like the -- what -- how that functions on the back end, but when -- you know, I've asked the -- previously we were doing some of this assessment work.
And I've asked the clearing team to purposely put in the wrong -- like a non-whitelisted wallet address, and it just fails within the app. It doesn't go any further. It just says not a valid address.
Q. Okay. So you tested to ensure that the transfer could only be made to a whitelisted wallet?
Page 36
A. Yes.
Q. And for the BitGo wallets, do the transfers only have to go to whitelisted wallets as well?
A. Yes. Yes. We treat all assets if it goes cold, so the same principles apply. You have to -- we don't -- aside from maybe some testing wallets for testing connectivity or some new network or token, all wallets in BitGo need to have a whitelisting on them enabled.
Q. And have you coordinated with BitGo to ensure that that configuration is in place?
A. I haven't felt the need that we needed to coordinate with BitGo because we are the ones that set those policies. So, typically, the clearing or treasury folks will go in there and add the whitelisting as needed. So we are the ones that are actually hands-on pushing the buttons to whitelist the addresses.
There's no need for BitGo to be involved with that process.
Q. But how then -- like what's the enforceability of that mechanism for transfers from BitGo wallets?
A. So the same. So they have two controls
Page 37
wallet is C3. And then the next vertical line at the bottom is C4. Above that is C5.
And then if you go -- continue going up and to the right it's 6, 7, 8, with C8 being the farthest to the right. Can you read that?
A. I think so, yeah.
Q. I can walk through it again.
A. Okay.
Q. That's no problem. So for the C2 circles that corresponds with the CUS-2 in the chart below.
And so where it says: "Management has approved and configured each asset listed on the Binance.US platform to be held in each customers' deposit wallet until a threshold is met," do you have any documentation of that configuration?
A. That should be in the digital asset custody policy.
Q. Okay. So it's -- the policy is sort of what it's supposed to be. But in terms of like technical configuration I just want to confirm, circling back to what we talked about earlier, that -- if there would be any way to validate that configuration technically?
A. I mean, yeah. I mean, we could change the value and then run the test to make sure that that is
Page 38
automatically overflowing.
Q. It would be by testing to verify that?
A. Yes.
Q. Okay. And so in the CUS -- the C4 four lines down about unauthorized movement of customer funds being the risk address and the control describes the TSS configuration and at the end where it says "approvers approve the transaction on a timely basis," is that referring to the 30 minutes that you talked about earlier?
A. That's how I understand it, yes.
Q. What is that?
A. The private key authorization methodology procedure?
Q. Yes.
A. And is that -- C7 as in -- where does that fall on this diagram?
Q. So that goes -- do you see the two green circles at the top?
A. The top, yes.
Q. It's the one to the left.
A. It's used for determining access to the private keys to whitelist hot wallets. I don't know
Page 39
-- they were just going to rebrand.
Q. Okay. And so the time period for that SOC report as noted in the first bullet was August 1st, 2022 to October 30th, 2022.
A. Okay.
Q. Did you receive any other report for a larger time period, a SOC 2 report for the CEFFU?
A. No. This was the only SOC 2 report I saw.
Q. So how did you get comfort that the controls in that report were sufficient given that it was for such a short period of time?
A. In my experience and in my opinion I don't see anything wrong with the time given. I think the more important factor is that they did have an external party come in and assess. There are types -- yeah.
I mean, just for the fact that they did actually get a SOC 2 which is actually a snapshot over a period of time, rather than a type 1 which is a singular snapshot as of a certain date.
And so, you know, when I talked to about that SOC 2 report, my -- I asked have there been any significant changes from when the report was -- or the assessment was conducted, and he said no. So I left it at that.
Page 40
Q. So as it (sic) sits here today, you have -- you don't have insight into the environment that hosts the technology for the security of the background -- of the back end.
You don't have a third-party assessment that evaluates the security of CEFFU, and you've replied upon a questionnaire prepared by Binance regarding the information of security?
I'm just trying to get an understanding of the different pieces of information that you're looking at.
MR. BEVILLE: So I'm going to object to the extent that mischaracterizes some of what Erik says. But please answer.
A. So Binance did not create our security questionnaire. Me and my team created the questionnaire. We took input from various custodial solution partners as well -- Binance, you know, had some chance to -- to overview that with us, but they did not create that. That was ours. That was Bam's questionnaires.
BY MS. FARER:
Q. Sorry. To clarify, their response to your questionnaire?
Page 41
A. Right. So, yes. So, additionally, conversations that, you know -- again, once I was -- it was made clear that that was not our instance (sic) of the technology, conversations led to, well, what is different between what I see in the SOC report and our -- and our implementation.
The answer was nothing is different. So we're taking that -- those conversations. And of course, the subsequent conversations dive into more detail specifics about that. It's not just take their word for it.
As a security professional, I feel like I know where certain topics need to be dug into versus what -- what's -- what's realistic versus what's not.
And then, again, our internal control systems and testing that we've done that we're able to do, as well as the fact that we haven't found any historical evidence of anything not functioning as we were told, as we were presented.
Q. Okay. And who did you have those conversations with about the difference between the SOC 2 report and the solution you all have from Binance.com?
A. Again, that was
Q. Okay. I'm going to show you --
Page 42
time in taking it any further.
BY MS. FARER:
Q. And why didn't you keep it?
A. I don't know. That wasn't my decision.
Q. Who told you that the decision was not to keeps it?
A. I don't remember who exactly. It may have been someone on our business development team when I started asking to get a SOC report so I could start diving in more to their -- to the setup and, you know, doing our security diligence.
That's when I was told like they're not really responsive and we're going to probably kill the relationship with them anyways. And that was the last we really dealt with Anchorage, that my security team dealt with Anchorage.
Q. Did you ever receive the SOC report?
A. No, that I remember.
Q. Was the reason that you didn't go forward because they wouldn't provide a SOC report?
A. No, not to my knowledge. My -- like I said, by the time I was asking for the SOC report I was told that we're not going to move forward with -- like keeping that relationship and the technology.
Q. Okay. Going down to BitGo, the last two
Page 43
infrastructure of the service"?
A. That I -- I have no clue what they're referring to there.
Q. Okay. Has anything been done to address these deficiencies?
A. So as I mentioned, you know, trying to work with BHL to get a -- a -- some sort of security assessment, SOC 2 would be ideal for our instance specifically. Again, that's if that's what they're referring to.
Q. Okay. You can put that one to the side. I'm going to show you what is being marked Exhibit 71.
(Exhibit Number 71 was marked for identification and was attached to the deposition.)
BY MS. FARER:
Q. And given the strange -- well, not strange. But the way that the formatting came out with the printing, this is a document that was produced by either your counsel that was characterized as a spreadsheet showing CEFFU's answers to the custody solution provider security questionnaire provided to CEFFU by Bam.
A. Got you. This is a much better export than what our third-party platform prints out, so
Page 44
yeah.
Q. So this looks familiar to you?
A. Yes. This is the custodial security questionnaire.
Q. Okay. So I just want to walk through some of the points in this questionnaire. So this is the questionnaire that you referenced a couple of times today?
A. One of the questionnaires.
Q. Oh, is there a different questionnaire?
A. Correct, yes. So there's also -- so for -- depending on -- you know, we assess -- when a new third party -- you know, I know we focused on our custodial partner. But any third party that comes -- that we come in contact with we do an initial assessment of, you know, do they need connectivity.
It's up to the security team and first response of our third-party risk manager to decide if we need to send out a security -- we have a general security -- cybersecurity due diligence questionnaire regard- -- you know, that's, you know, just kind of a standard almost if there's ever going to be any kind of pertinent or sensitive data being shared or information being shared.
And then this questionnaire was in
Page 45
addition to that, which is specific to custodial standards and technology.
Q. So -- but is there a -- that second questionnaire that you're talking about, is there a completed questionnaire by Binance.com?
A. I would like to say yes, but I'd have to go back to our -- I'll look at our third-party management program if there is --
MS. FARER: And, Counsel, for the record, we would like that produced.
BY MS. FARER:
Q. Okay. Who completed Binance.com's response to this questionnaire?
A. I was given -- gave -- I said, we need this questionnaire for our third-party diligence, and he gave me a name or an email. It would be in our third-party platform who did it. I don't have the name off the top of my head, though. It was not
It was someone on team, I think, or someone else within BHL who had filled this out.
Q. When you said your third-party platform, what are you talking about?
A. So for third-party risk management we use a platform called Whistic, W-H-I-S-T-I-C. And it's
Page 46
about?
MR. BEVILLE: The bottom of page 2.
MS. FARER: Please note?
MR. BEVILLE: Please note.
BY MR. BEVILLE:
Q. And this reads: "It should be noted that while Binance.com changed the name of the services for which they're (sic) offered, there is no change to any of the service functionality and no material impact to the services licensed by Binance.US.
A. That's right.
Q. Does this reflect that you informed the auditors at FGMK that the change to CEFFU was a name change?
A. Yes.
Q. And there was no material change to the services received?
A. Correct.
Q. Okay. There was also some discussion of the BHL SOC 2 report?
A. Yes.
Q. I believe you testified that it was not specific to your AWS environment?
A. That's right.
Q. But it was specific to the software used
Page 47
in that environment?
A. Correct.
Q. Was that still valuable, from your perspective, in assessing the security of the product?
A. Yes.
MR. BEVILLE: No further questions.
MR. BAKER: No questions.
MS. FARER: I think as noted earlier we're going to leave this open, and we note your objection on the record to us leaving it open.
But for the reasons we've discussed that we -- there's a number of outstanding requests both before today but also that occurred during today with outstanding information that was not produced to us by the company, and that this witness would be the person that would be able to provide us a significant amount of additional information.
We didn't get to test him on these documents. We're going to leave it open.
MR. BEVILLE: Again, we object. We object to that. We don't think you have the right to keep this open under the consent order or the Federal Rules. You had quite a long time with Erik today. We will be getting you and meeting and conferring
PDF Page 2
Case 1:23-cv-01599-ABJ-ZMF Document 140-3 Filed 10/03/23 Page 1 of 47
Declaration of Matthew Beville Ex. D
PDF Page 3
EXHIBIT 7
PDF Page 4
UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
SECURITIES AND EXCHANGE COMMISSION, Plaintiff,
v. Case No. 1:23-cv-01599-ABJ
BINANCE HOLDINGS LIMITED, BAM TRADING SERVICES INC., BAM MANAGEMENT US HOLDINGS, INC., AND CHANGPENG ZHAO, Defendants.
VIDEOTAPED DEPOSITION OF ERIK KELLOGG
THURSDAY, AUGUST 24, 2023
9:50 A.M.
Washington, DC
REPORTED BY: SHERRY L. BROOKS, CERTIFIED LIVENOTE REPORTER
JOB NO. 230824SLB
PDF Page 5
A. No.
Q. What due diligence -- you mentioned the diligence you did on them. What diligence did you do?
A. So that would have been -- that would have been the asking to see third-party -- any -- whatever third-party reports they are willing to provide us, which is when they provided the ISO and SOC 2 report.
On top of that, we asked them to fill out our own security due diligence questionnaire and then a little bit later on we created a custody solution-specific security questionnaire, which was given and asked to be filled out for any current and future custody solution providers.
Q. And it's your understanding that the SOC 2 report that you received covered the solution that Binance provided to Binance.US -- that Binance Holdings provided to Binance.US?
A. Yes. That's my understanding.
Q. And what was the date of that SOC 2 report?
A. I don't recall. It was -- it was -- I don't recall.
Q. What else did you do when you first started to get an understanding and comfort about the
PDF Page 6
second.
THE VIDEOGRAPHER: The time is 11:28 a.m. We are now off the record.
(Discussion held off the record.)
THE VIDEOGRAPHER: The time is 11:30 a.m. We are now on the record.
MS. FARER: Mr. Beville is going to ask a clarifying question so that we're all on the same page as to the testimony that you just provided.
MR. BEVILLE: So, Erik, were you describing a network tab?
THE WITNESS: Yes.
MR. BEVILLE: So were you describing testing of the messages communicated across the cables connecting the machines in your AWS environment with the machines in the BHL AWS environment?
THE WITNESS: Yes.
MR. BEVILLE: And so when you were referring to auditing those messages, you were capturing the actual electronic zeros and 1s moving between the machines, decoding them, and confirming they were as expected?
THE WITNESS: Correct.
MS. FARER: Thank you.
PDF Page 7
and his team decide what products or services we built for customers.
Q. is the only person that can give you information about the changes in the key shard protocol for Binance's cold wallets?
A. Yeah, at that time.
Q. Why was he the only person that had that information?
A. I don't know.
Q. As the chief information security officer, by that point you've been there almost -- you know, at least six months. How did you get comfortable in your role that all of the assets and keys were secure with so little insight about what was happening?
A. I had no reason to believe otherwise at that time. And we have done -- we did do -- my team did do some initial risk assessment on PNK being the controlling factor, you know, the number of shards needed to whitelist any wallet addresses to move assets off of our platform.
Q. What did you do to test that?
A. I asked the clearing team to do a test for me for the whitelisting just to see what that looked like. We did security testing for access controls
PDF Page 8
around PNK itself.
Q. And when you said you asked the team to do a test for whitelisting -- correct me if I'm wrong, but -- are you asking -- are you saying to transfer to a whitelisted wallet or are you saying to establish a whitelisted wallet?
A. No, just to establish a new whitelisted address.
Q. Isn't it the case that to establish a whitelisted address you need a full quorum of the key shards, meaning all of the keys need to vote to agree?
A. Correct.
Q. So how is it that you are asking your team to implement this test if some of the key shards are held by Binance.com?
A. So I asked the clearing team to do this, to test -- to make sure that if a whitelisted request came through that all three of our shards were activated or basically asked to approve of it because our three shards were still part of that quorum at the time.
Q. Did you have any insight as to how the other shards were being exercised?
A. No.
PDF Page 9
Q. So how were you able to get comfort with that test if you didn't know what the other shards were doing?
A. This goes back to -- from the way this is done the cold wallets can't transfer to any wallet unless it is been whitelisted or it is whitelisted. And so it was my understanding that the current whitelisted addresses were all Bam wallets.
Q. How did you develop that understanding?
A. So I asked our data team to pull a report of all of our existing cold wallets and their existing whitelisted addresses and then a step further to ask for report of all on-chain transactions out of our cold wallets to ensure that they were only going to the whitelisted addresses.
So if we saw any transactions going from a cold wallet to a non-whitelisted address, it would have raised a flag for us in that report.
Q. Could there have been an instance when there could have been a cold wallet transfer within the exchange that wouldn't have been documented on-chain?
A. Not that I'm -- no.
Q. Okay.
A. All cold wallet transfers are on-chain.
PDF Page 10
that the transfers from cold wallets can only go to whitelisted wallets?
A. So those controls sit in the back of the BHL, which is why we did the -- the few times we ran that report to see what transactions, if any, were going to non-whitelisted wallets.
Q. Okay. So you -- sitting here today, do you know whether there are controls in place that require -- that transfer some cold wallets that can only go to whitelisted wallets?
MR. CANELLOS: Today now we're talking?
MS. FARER: Or at any point in time.
BY MS. FARER:
Q. It's our understanding -- correct me if I'm wrong -- that has not changed?
A. Right. I have not seen any documentation aside from what was covered in the SOC 2 or ISO.
MR. BEVILLE: And are you asking about documentation or are you asking about controls including software controls?
MS. FARER: I'm asking essentially two parts.
BY MS. FARER:
Q. Are there controls to ensure that that -- that it is the case that the cold wallet transfers
PDF Page 11
can only go to whitelisted wallets? Are there controls in place for that?
A. It's my understanding there are.
Q. And what is the basis for that understanding?
A. The conversations I've had with BHL and the third-party assessments I've seen.
Q. And then to the second part, is there documentation of that control?
A. Well, I don't know if it speaks specifically to the whitelisting. That custody questionnaire we've provided to them, they have the ability to answer about controls. It may have been in there, but that would be the extent of any documentation we have.
Q. Okay. So aside from information provided in a questionnaire potentially and speaking to someone, you have no confirmation that there is this control in place?
A. Correct.
MR. CANELLOS: Jennifer, forgive me for interrupting. Just one quick -- one thing.
Maybe you could ask a little bit more about whitelisting because -- so, as I understand it, whitelisted -- what whitelisting means Bam has to
PDF Page 12
understand it. So I just want to -- I want to get a better understanding.
So the root account is like the holder of this environment. So they have like overarching rights. So how is it the case that if there's a server or software or something hosted or housed in this environment that they wouldn't have rights or access to it?
A. So I'll give you two examples. We'll do the server example first. So if -- if I built a server within AWS on their -- is the name of it, to give you an example. That server is being built by a local administrative account within the server itself, and that is where the authentication for access to that server lives. It doesn't live in the bigger AWS environment. It's local to that -- that server.
Q. But for that administrative account, that was granted by the root account, though, right?
A. Correct.
Q. Okay. So the root account still has control over that administrative account?
A. Right. So that root account could delete that administrator account, if you will, or change its password or, you know, disable it.
PDF Page 13
Q. Or change its administrative rights?
A. It could change the administrative rights, but that still wouldn't change the local authentication within the server itself.
So the most that you would be able to do -- the most that the root account could do is -- to that server would be to stop the server or delete it altogether, delete the administrative role or user that created the server itself, or just basically disable the server for some time or move it -- you know, make some external configurations.
But whatever is inside that server, whatever data is inside that is going to be limited to any user accounts set up within the server itself. So it's own -- it's its own environment inside the server.
Now, you could configure -- right, if the administrator went as far as to configure the system to allow authentication from AWS, but that's not really common practice.
Q. Just explain what you mean by that last part, that it -- an administrator could allow authentication by AWS.
A. So you could say -- you could tell a server -- and it would depend on the type of server
PDF Page 14
on the operating system. You could say don't use my local authentication for the system, but use an external authentication like database, which users and permissions are allowed.
You could set that up to another system or service within AWS. But, again, that still doesn't inherently give root any access to what's inside those systems or servers.
Q. So if it was set up to authenticate to AWS, though, wouldn't the root have some kind of --
A. That would -- someone would have to go through and actually configure that, though.
Q. Okay. What is the configuration for the .US AWS?
A. Our configuration is that the root account was only set up to create the first couple of administrative accounts within AWS and set, you know, just kind of a global security policy requiring a
(Whereupon, Madam Reporter asked for clarification from the witness.)
A.
BY MS. FARER:
Q. And what's that?
A.
PDF Page 15
Q. -- for the license software for the wallets. How is it the case that Block Technologies is providing the wallet software?
A. I wouldn't say that they are.
Q. So who do you think is providing the wallet software?
A. Binance Holdings Limited, BHL.
Q. Have you heard of an entity called CEFFU?
A. Yes.
Q. How does CEFFU relate to the wallet software?
A. So I was under the impression -- and through conversations with and in no other way -- you know, in one of our conversations it came up that they were going to -- when I say they, BHL was going to sell their wallet services to the more general public.
Q. Okay. When did this conversation occur?
A. Probably right near the start of this year of 2023. Maybe the end of 2022.
Q. Okay.
A. And so --
Q. And so wait. So by that point in time it's your understanding that Binance Holdings was providing the wallet software?
PDF Page 16
A. Yes, and it's my understanding now that that has never changed. It's always been BHL providing our software. What I have been confused about through conversations is, what's it called? Like what is the name of it?
And so that is where some of these -- the name CEFFU came out, Block, and just general misunderstandings of conversations about the name of the service and just some loose plans that -- what Binance was planning to do as far as sell their wallet services to the more general public.
So that's where the CEFFU name started coming up in our -- you know, in our reports and in our internal communications as the way I was referring to it, because for a time I -- I hadn't misunderstood this.
But I understood that basically BHL was becoming CEFFU and they were going to, you know, start offering wallet services to -- to, again, the world, you know, to offer this as -- and have a customer base and all of that --
(Whereupon, Madam Reporter asked for clarification from the witness.)
A. To the world, just as an offering for custody services or wallet services -- wallet
PDF Page 17
Case 1:23-cv-01599-ABJ-ZMF Document 140-3 Filed 10/03/23 Page 16 of 47
BY MS. FARER:
Q. Okay. We're going to break this down. So in early 2023 you have this conversation with [redacted] who is the Binance [redacted] technology services.
A. For the wallet services, right. For BHL, yes.
Q. And at that point in time Binance Holdings was providing the wallet software?
A. Yes. And to clarify, they've always provided it.
Q. Right. I'm just trying to see how this evolves.
A. Yeah.
Q. And this is the wallet software that we were talking about previously that sits in this Binance environment, ties to the TSS, that software?
A. Correct.
Q. And so [redacted] tells you in 2023 what again?
A. So he just mentioned, you know, we were going to start selling wallet services as a service, as a product. And so I said great. You know, so do I -- you know, is it CEFFU? You know, do I start relating (sic) to our wallet services -- our wallet solution as CEFFU? And it was my understanding --
[End of transcript page 173]
Q. How did the name CEFFU come about?
A. I don't know who -- I don't know who made that name up.
Q. No, but I mean in terms of like not how they named it CEFFU, but like how does the organization that is CEFFU come into the picture?
A. So it was my understanding -- at that time it was my understanding that BHL was going to spin off a new business arm or branch based on their wallet services technology and call it CEFFU.
Q. Okay. And so when we see references throughout documents which we'll show you that say CEFFU is the wallet -- the wallet software provider for Binance.US, is that not accurate?
A. It's not accurate. It should say BHL.
Q. And we just had a very extensive day yesterday with an auditor where there was a discussion about CEFFU being the wallet service provider.
A. Yeah, because that was around the time that [redacted] and I had -- we had this conversation. You know, and I clarified. I said, you know, as we talk about this, you know -- because I was aware.
I mean, I -- you know, it's challenges of information that I felt I needed, again, just as I
[End of transcript page 174]
matured in the role and us as a company having audits and being able to answer questions and having third-party reports.
Just being able to reference the wallet software, it made it sound like -- I got the impression that we should be calling it CEFFU. But, you know, [redacted] I -- you know, I don't know where he got the indication or inclination, but I took that as a lead to just start calling it CEFFU from our perspective.
Q. And you're saying that the offering that was being discussed with [redacted], that was going to be Binance taking its product commercial?
A. Right.
Q. That was going to be CEFFU?
A. Right, but it was also, again, within my understanding that we would -- like our solution would have also -- would have been under that CEFFU business arm.
Q. Such that this new entity, CEFFU --
MR. CANELLOS: Well, it could be a branch, you said, right?
A. Branch, yeah. I mean, there was no -- there was very -- almost -- there was very little discussion as to the business or the reasoning behind
[End of transcript page 175]
any of this. It was more of like as we referred to our custody software what -- you know, what's the name of it?
BY MS. FARER:
Q. Okay. But I mean, new entity in the sense of this is not Binance Holdings?
A. No. It was my understanding it was still going to be a Binance entity -- sorry.
Q. Right.
(Simultaneously speaking addressed by Madam Reporter.)
BY MS. FARER:
Q. So let me ask: So Binance Holdings is a company, and so I'm saying a separate entity in that CEFFU is a separate company from Binance Holdings.
MR. CANELLOS: Are you asking that?
MS. FARER: Yes. That's my question.
MR. CANELLOS: Is CEFFU a separate company from Binance Holdings?
A. I don't know.
BY MS. FARER:
Q. What is your understanding of what CEFFU is?
A. Right now, I don't know what it is anymore. It was my -- at that time it was my
[End of transcript page 176]
understanding that it may become a branch of BHL where they commercially sell their services, was my understanding at that time. Now I'm not sure what CEFFU is.
Q. And at that time what time were you referring to?
A. So early 20 -- earlier this year.
Q. And so why has your view changed that you don't think you know what CEFFU is?
A. Because I've since then directly asked [redacted] are we -- do we have a relationship with CEFFU, and he said no.
Q. So all of the materials including that which was provided to auditors referencing CEFFU being the wallet software provider is -- they are inaccurate?
A. The name is inaccurate.
MR. CANELLOS: Well, how is the name inaccurate?
A. Instead of CEFFU, it should say BHL. Nothing is -- the fundamental technology, people, processes, everything that makes up the BHL wallet services that we use has never change. Nothing has ever changed on that.
It was simply referring to it -- when I
[End of transcript page 177]
talked to it (sic) with auditors or external parties or even internally with folks, what do we call this besides wallet software? And that's where, you know, [redacted] was -- he said, well, we may be selling this under -- we may be selling our wallet services under the name CEFFU.
BY MS. FARER:
Q. And so -- but at what point -- well, scratch that.
Why did you then adopt that name in describing Binance's -- Binance.US's wallet software?
A. To me, it sounded like that's the way that they were going to be branding their wallet software, so I didn't see any reason why I don't start calling it that.
Q. So you understood it to be all one and the same?
A. Yes.
Q. And are you now saying that that's not the case?
A. Yes -- well, no. No. I'm still saying I believe -- I believe it's still all one and the same. There was just a miscommunication about what they're calling -- like that they're not -- CEFFU may very well still go be a business line, for all I know. I
[End of transcript page 178]
don't know.
(Whereupon, Madam Reporter asked for clarification from the witness.)
A. Like a business branch. BHL may start a new company. I don't know. What I know now is that we should have just always referenced it as the BHL software, custody software.
BY MS. FARER:
Q. And how did you develop this understanding that you should have continued to just call it the Binance software?
A. After our discussion with [redacted] after this came up recently.
Q. So a subsequent conversation with [redacted]
A. Yes.
Q. When was this?
A. Two weeks ago.
Q. Tell me about that conversation.
A. I just -- I literally asked [redacted] and said do we have a relationship with CEFFU? Who is our -- who is our wallet security -- our wallet service provider? He says no, it's not CEFFU. And he said look at the name on the licensing agreement.
Q. Have you informed your auditors that the wallet service provider -- wallet license -- or
[End of transcript page 179]
not ask questions while we're working through this.
MR. BEVILLE: I think that we could clarify this very quickly with one or two questions.
MS. FARER: Can we go off the record, please?
THE VIDEOGRAPHER: The time is 2:19. We are now off the record.
(A break was taken.)
THE VIDEOGRAPHER: The time is 2:40 p.m. We are now on the record.
BY MS. FARER:
Q. Okay. Thank you for your patience and letting the lawyers do their thing.
Just so the record is clear because I know there was a little bit of back-and-forth. And so your understanding is that the wallet custody solution that .Binance.US uses is that which is licensed by Binance.com; is that right?
A. So Binance.US licenses BHL's software.
Q. Okay. Is that different than what I said?
A. I thought you said -- it sounded like you said we use software that's licensed by .com.
Q. Okay. So -- thank you for clarifying if that's what I said.
So Binance.US licenses the software from
[End of transcript page 183]
Binance.com, and it's your understanding that that relationship has not changed?
A. Correct.
Q. Is there anything about the technology and services relating to the wallet custody software provided by .com that has changed during your tenure at Binance.US?
A. No.
Q. I'm going to -- let's turn to some documents.
MS. FARER: I am going to show you what was premarked yesterday as Exhibit 61.
BY MS. FARER:
Q. Do you recognize this document?
A. Yes.
Q. Is this the declaration that you submitted in support of the Bam entities opposition to the SEC's motion for a temporary restraining order?
A. Yes.
Q. So I think what I want to do with this document just to ground you is -- I think this will help ground our conversation about some of the software and wallets that we've been talking about just so we can get to some of the details and with a little bit more specificity --
[End of transcript page 184]
programs -- those -- those -- those front ends and controlling basically the keys to the keys would fall -- yeah, that's part of us -- us securing the assets.
Q. Okay. But let's break that down. So what is Binance's role then with respect to security of the keys?
A. BHL.
Q. Binance.com, BHL, yes.
A. So their aspect is to securely store and safeguard our private keys.
Q. And what involvement do you have in that process?
A. I am not involved in how they build their infrastructure and manage their infrastructure.
Q. And when you say "not involved," to what extent do you have any insight into how Binance securely stores and safeguards Binance.US's private keys?
A. This would go back to our third-party diligence processes. So, again, the security questionnaires, the relationship -- building relationship with the security folks, asking for the third-party audits, but doing that on an annual basis or some periodic basis. It's not a one and -- one-time thing.
[End of transcript page 188]
Q. Okay. But I think as we talked about earlier you don't have a means to verify the information provided by Binance.com with respect to storing and safeguarding the private keys?
A. To an extent, right, that is part of our job is to test to make sure that the solution is acting or behaving as we're told. I think I mentioned the internal testing we were doing. If there's wallet-based controls we could test, we would test those as well. But outside of that, no, there's no way for me to verify what they're telling me.
Q. All right. So let's start walking through the declaration. We can skip over sort of the background on crypto.
I'd like to start at Section 2 where it says the Bam Trading on page 9 with 26b.
A. Okay.
Q. And so it says: "Because Bam Trading holds customer assets on an omnibus basis, transactions on the platform are recorded on" --
(Whereupon, Madam Reporter asked for clarification from Counsel.)
A. I'm sorry. You said 27 on page 9?
BY MS. FARER:
Q. 26b.
[End of transcript page 189]
specifics at all.
Q. So help me understand then -- so PNK has a number of controls -- which, again, I know are listed here and we'll get through it -- that Binance.US has implemented through the PNK software to coordinate certain transfers of funds through the hot wallets; is that right?
A. Can you repeat the question?
Q. Binance.US -- well, there are controls in the PNK system that manage the movement of funds through the hot wallets; is that right? So, for example, like there's like a threshold by which if that threshold is reached the way it's described, is there like an automatic transfer to the cold wallets?
A. Right.
Q. And that's something that's built into the PNK system?
A. Correct.
Q. And so how is it that the -- I'm just trying to understand the technology. How is it that these -- you know, these wallets are sitting in this environment AWS that -- there are keys that govern these wallets, but then there's like an overlaying software that manages transfers. Like, how does this work?
[End of transcript page 202]
A. Yeah. I don't -- so -- so it's my understanding that PNK -- I talked about doing that network capture where we look at the traffic on the -- right.
[redacted]
And so PNK I guess is just kind of -- I look at it as the front end of the wallet service -- the wallet software. And, again, asking how the back end works and exactly what services are talking to which, I just don't know.
But this is why our testing -- internal testing was done quite a bit around trying to abuse PNK, trying to find vulnerabilities within the -- you know, the code, doing these network captures just to see is the traffic as expected. But that's where our knowledge would fall short.
And then these are why I was having conversations, again, to get more comfortable or just get familiarity. But, again, there is a level that -- of proprietary knowledge of those systems that I shouldn't know as a customer and, you know, I respect
[End of transcript page 203]
that of any custodial solution. So, again, how it works on the back end, I just couldn't tell you.
Q. So your view is that this wallet software license that you have is a custody solution similar to BitGo and Aegis?
A. Yeah. I look at those as -- yes, tools to control the assets -- control our assets.
Q. Okay. And so similar to a third-party custodian like BitGo and Aegis that has -- you know, manages and secures the keys, your view is that Binance.com does that for Binance.US?
MR. BEVILLE: Objection to the extent it characterizes BitGo and Aegis differently than what Erik has done.
BY MS. FARER:
Q. You can answer.
A. So -- so yes. So BitGo, Aegis, and BHL are all just tools for us to custody our assets. I looked at them as tools and how we do that. Now, each one does it a little differently based on their technology and their methods.
But the way we approach the risks and how we approach securing those is, again, looking at them in the same lens of, is this a tool? And we put them all through the same diligence for that reason, so
[End of transcript page 204]
regrouping is complete to make sure that that shard is not showing up on the other shards as a -- as a -- you know, an approved voting shard, right. It would just be removed from that group all together.
Q. And who ensures that that is the case? So in the example you gave, right, if somebody lost their shard and -- like, let's walk through that hypothetical.
For example, somebody loses their shard. What is the protocol for what occurs when a shard is lost?
A. So to clarify, this is something we're building out currently with the custody oversight team. As now that we now -- recently have access to the TSS portal and that control, our proposed process will be to run through that exercise of decommissioning through the current shards and then readding a new shard, if needed, and depending on the situation.
But then we would conduct all of our normal functions. We would -- we would try to whitelist and see what happens in the voting, right? That's how we would confirm and do some control testing within our environment.
At the same time, we would be working and
[End of transcript page 240]
asking BHL for any validation they could provide us, whether they can just give us some verbal or written validation that, yes, we see that you have X amount of shards now; we see the activity of you dropping the shards.
We would ask them maybe not for the logs themselves, but for some sort of validating that they see on the back end that that happened.
Q. And if that wasn't occurring, could you say to BHL decommission the shard? Could they do it on the back end?
A. As far as I understand, no. I was told that only our shards can do that, only the actual shards can do that. So I'm sure we would -- they would help support us through and we would work together to figure out what the problem was.
Q. Okay. So you said that that's currently in process of development. What is the current state of what occurs when you need to decommission a shard?
A. So right now we would follow that exact process. We just don't have it formalized and haven't run -- been able to run through any kind of testing yet.
Q. Okay. So just so I understand, so when it went from nine to seven, did this process that you
[End of transcript page 241]
just described occur to decommission the shards?
A. I could -- I would -- I have -- I did not see it, but I -- I -- I don't know. But that's my understanding, is that this is -- this is the only way that this TSS implementation works.
Q. So how do you have comfort that one of the decommissioned shards can no longer -- it have like a voting right or be signing on the transactions?
A. So, again, we would go off of what we're seeing on every shard, like making sure that only the shards that we think are in existence are existence (sic).
[redacted]
We've done personal validation verification, and without any reason to believe that what we're -- without any reason to believe that something else is going on and that we're not seeing something -- you know, we're going off of what we've seen on -- on those actual devices -- on the actual shards themselves.
Q. So your confirmation is that you have the device. When there is any type of activity that needs to happen with a TSS protocol there has to be some voting that occurs among the shard holders,
[End of transcript page 242]
whether it be the full quorum, the four, like whatever the case may be, depending on the activity.
[redacted]
Q. So there's no way that unless it's shown on the screen that anyone else who may have had a prior shard, copy of a shard -- well, strike that.
Can someone make a copy of a shard?
A. To my understanding, no. It's not possible.
Q. And what's the basis of that understanding?
A. Part of that is the TSS fundamental -- there's no copy of a shard. If the shard is part of the group, then it's got its -- then it's -- it becomes part of the pool.
The system -- TSS functionality wouldn't know what to do if it saw a duplicate -- like if it saw the encryption algorithm for shard A. And then if that exact copy came across, TSS wouldn't know what to do with it. So there's the fundamental TSS properties. But outside of that -- I mean, like I said --
[End of transcript page 243]
Q. Well, would it --
A. -- we're going off of what we see in the shard -- what we have in the actual -- at the shard level and then, again, back tested. You know, we do monthly or periodically reports for ensuring all TSS-related activity is -- is as expected on-chain.
Q. Okay. I'm going back to the copies. So if somebody was able to make a copy, if the original shard just didn't participate in whatever the requested activity was, couldn't it be the case that you would just see the copy and nobody would know that that was a copy?
A. So now you're getting into theoreticals, I think. As a security professional, I can never say that the risk of something happening is zero. I've been around in this space too long to -- to say that.
But, in my opinion, the amount of -- it's just not plausible or realistic to think that that -- that that could be done, given what I know about TSS and just PKI for -- private key infrastructure in general.
Q. And what about your knowledge gives you that comfort?
A. I mean, are you asking like --
Q. Like break it down for us to why you think
[End of transcript page 244]
implementation of the whitelisting system? What is your understanding about how that configuration is established?
A. Are we talking about the shards or PN- -- the hot wallets? Are we talking about cold wallets or hot wallets?
Q. Any type of transfer that requires solely going to a whitelisted wallet. Like it was represented to us that one of the controls in place to protect against unauthorized transfers is that certain wallets can only transfer to whitelisted wallets.
So explain to us how that configuration is built in to ensure that that is what occurs.
A. So I can't speak to like the -- what -- how that functions on the back end, but when -- you know, I've asked the -- previously we were doing some of this assessment work.
And I've asked the clearing team to purposely put in the wrong -- like a non-whitelisted wallet address, and it just fails within the app. It doesn't go any further. It just says not a valid address.
Q. Okay. So you tested to ensure that the transfer could only be made to a whitelisted wallet?
[End of transcript page 264]
A. Yes.
Q. And for the BitGo wallets, do the transfers only have to go to whitelisted wallets as well?
A. Yes. Yes. We treat all assets if it goes cold, so the same principles apply. You have to -- we don't -- aside from maybe some testing wallets for testing connectivity or some new network or token, all wallets in BitGo need to have a whitelisting on them enabled.
Q. And have you coordinated with BitGo to ensure that that configuration is in place?
A. I haven't felt the need that we needed to coordinate with BitGo because we are the ones that set those policies. So, typically, the clearing or treasury folks will go in there and add the whitelisting as needed. So we are the ones that are actually hands-on pushing the buttons to whitelist the addresses.
There's no need for BitGo to be involved with that process.
Q. But how then -- like what's the enforceability of that mechanism for transfers from BitGo wallets?
A. So the same. So they have two controls
[End of transcript page 265]
wallet is C3. And then the next vertical line at the bottom is C4. Above that is C5.
And then if you go -- continue going up and to the right it's 6, 7, 8, with C8 being the farthest to the right. Can you read that?
A. I think so, yeah.
Q. I can walk through it again.
A. Okay.
Q. That's no problem. So for the C2 circles that corresponds with the CUS-2 in the chart below. And so where it says: "Management has approved and configured each asset listed on the Binance.US platform to be held in each customers' deposit wallet until a threshold is met," do you have any documentation of that configuration?
A. That should be in the digital asset custody policy.
Q. Okay. So it's -- the policy is sort of what it's supposed to be. But in terms of like technical configuration I just want to confirm, circling back to what we talked about earlier, that -- if there would be any way to validate that configuration technically?
A. I mean, yeah. I mean, we could change the value and then run the test to make sure that that is
[End of transcript page 296]
automatically overflowing.
Q. It would be by testing to verify that?
A. Yes.
Q. Okay. And so in the CUS -- the C4 four lines down about unauthorized movement of customer funds being the risk address and the control describes the TSS configuration and at the end where it says "approvers approve the transaction on a timely basis," is that referring to the 30 minutes that you talked about earlier?
A. That's how I understand it, yes.
Q. [redacted]
What is that?
A. The private key authorization methodology procedure?
Q. Yes.
A. And is that -- C7 as in -- where does that fall on this diagram?
Q. So that goes -- do you see the two green circles at the top?
A. The top, yes.
Q. It's the one to the left.
A. It's used for determining access to the private keys to whitelist hot wallets. I don't know
[End of transcript page 297]
-- they were just going to rebrand.
Q. Okay. And so the time period for that SOC report as noted in the first bullet was August 1st, 2022 to October 30th, 2022.
A. Okay.
Q. Did you receive any other report for a larger time period, a SOC 2 report for the CEFFU?
A. No. This was the only SOC 2 report I saw.
Q. So how did you get comfort that the controls in that report were sufficient given that it was for such a short period of time?
A. In my experience and in my opinion I don't see anything wrong with the time given. I think the more important factor is that they did have an external party come in and assess. There are types -- yeah.
I mean, just for the fact that they did actually get a SOC 2 which is actually a snapshot over a period of time, rather than a type 1 which is a singular snapshot as of a certain date.
And so, you know, when I talked to [redacted] about that SOC 2 report, my -- I asked have there been any significant changes from when the report was -- or the assessment was conducted, and he said no. So I left it at that.
[End of transcript page 304]
Q. So as it (sic) sits here today, you have -- you don't have insight into the environment that hosts the technology for the security of the background -- of the back end.
You don't have a third-party assessment that evaluates the security of CEFFU, and you've replied upon a questionnaire prepared by Binance regarding the information of security?
I'm just trying to get an understanding of the different pieces of information that you're looking at.
MR. BEVILLE: So I'm going to object to the extent that mischaracterizes some of what Erik says.
But please answer.
A. So Binance did not create our security questionnaire. Me and my team created the questionnaire. We took input from various custodial solution partners as well -- Binance, you know, had some chance to -- to overview that with us, but they did not create that. That was ours. That was Bam's questionnaires.
BY MS. FARER:
Q. Sorry. To clarify, their response to your questionnaire?
[End of transcript page 319]
A. Right. So, yes. So, additionally, conversations that, you know -- again, once I was -- it was made clear that that was not our instance (sic) of the technology, conversations led to, well, what is different between what I see in the SOC report and our -- and our implementation.
The answer was nothing is different. So we're taking that -- those conversations. And of course, the subsequent conversations dive into more detail specifics about that. It's not just take their word for it.
As a security professional, I feel like I know where certain topics need to be dug into versus what -- what's -- what's realistic versus what's not.
And then, again, our internal control systems and testing that we've done that we're able to do, as well as the fact that we haven't found any historical evidence of anything not functioning as we were told, as we were presented.
Q. Okay. And who did you have those conversations with about the difference between the SOC 2 report and the solution you all have from Binance.com?
A. Again, that was [redacted]
Q. Okay. I'm going to show you --
[End of transcript page 320]
time in taking it any further.
BY MS. FARER:
Q. And why didn't you keep it?
A. I don't know. That wasn't my decision.
Q. Who told you that the decision was not to keeps it?
A. I don't remember who exactly. It may have been someone on our business development team when I started asking to get a SOC report so I could start diving in more to their -- to the setup and, you know, doing our security diligence.
That's when I was told like they're not really responsive and we're going to probably kill the relationship with them anyways. And that was the last we really dealt with Anchorage, that my security team dealt with Anchorage.
Q. Did you ever receive the SOC report?
A. No, that I remember.
Q. Was the reason that you didn't go forward because they wouldn't provide a SOC report?
A. No, not to my knowledge. My -- like I said, by the time I was asking for the SOC report I was told that we're not going to move forward with -- like keeping that relationship and the technology.
Q. Okay. Going down to BitGo, the last two
[End of transcript page 323]
Case 1:23-cv-01599-ABJ-ZMF Document 140-3 Filed 10/03/23 Page 43 of 47
infrastructure of the service"?
A. That I -- I have no clue what they're referring to there.
Q. Okay. Has anything been done to address these deficiencies?
A. So as I mentioned, you know, trying to work with BHL to get a -- a -- some sort of security assessment, SOC 2 would be ideal for our instance specifically. Again, that's if that's what they're referring to.
Q. Okay. You can put that one to the side. I'm going to show you what is being marked Exhibit 71.
(Exhibit Number 71 was marked for identification and was attached to the deposition.)
BY MS. FARER:
Q. And given the strange -- well, not strange. But the way that the formatting came out with the printing, this is a document that was produced by either your counsel that was characterized as a spreadsheet showing CEFFU's answers to the custody solution provider security questionnaire provided to CEFFU by Bam.
A. Got you. This is a much better export than what our third-party platform prints out, so
332
Case 1:23-cv-01599-ABJ-ZMF Document 140-3 Filed 10/03/23 Page 44 of 47
yeah.
Q. So this looks familiar to you?
A. Yes. This is the custodial security questionnaire.
Q. Okay. So I just want to walk through some of the points in this questionnaire. So this is the questionnaire that you referenced a couple of times today?
A. One of the questionnaires. Correct, yes.
Q. Oh, is there a different questionnaire?
A. So there's also -- so for -- depending on -- you know, we assess -- when a new third party -- you know, I know we focused on our custodial partner. But any third party that comes -- that we come in contact with we do an initial assessment of, you know, do they need connectivity.
It's up to the security team and first response of our third-party risk manager to decide if we need to send out a security -- we have a general security -- cybersecurity due diligence questionnaire regard- -- you know, that's, you know, just kind of a standard almost if there's ever going to be any kind of pertinent or sensitive data being shared or information being shared.
And then this questionnaire was in
333
Case 1:23-cv-01599-ABJ-ZMF Document 140-3 Filed 10/03/23 Page 45 of 47
addition to that, which is specific to custodial standards and technology.
Q. So -- but is there a -- that second questionnaire that you're talking about, is there a completed questionnaire by Binance.com?
A. I would like to say yes, but I'd have to go back to our -- I'll look at our third-party management program if there is --
MS. FARER: Okay. And, Counsel, for the record, we would like that produced.
BY MS. FARER:
Q. Who completed Binance.com's response to this questionnaire?
A. I was given -- gave -- I said, we need this questionnaire for our third-party diligence, and he gave me a name or an email. It would be in our third-party platform who did it. I don't have the name off the top of my head, though. It was not It was someone on team, I think, or someone else within BHL who had filled this out.
Q. When you said your third-party platform, what are you talking about?
A. So for third-party risk management we use a platform called Whistic, W-H-I-S-T-I-C. And it's
334
Case 1:23-cv-01599-ABJ-ZMF Document 140-3 Filed 10/03/23 Page 46 of 47
about?
MR. BEVILLE: The bottom of page 2.
MS. FARER: Please note?
MR. BEVILLE: Please note.
BY MR. BEVILLE:
Q. And this reads: "It should be noted that while Binance.com changed the name of the services for which they're (sic) offered, there is no change to any of the service functionality and no material impact to the services licensed by Binance.US."
A. That's right.
Q. Does this reflect that you informed the auditors at FGMK that the change to CEFFU was a name change?
A. Yes.
Q. And there was no material change to the services received?
A. Correct.
Q. Okay. There was also some discussion of the BHL SOC 2 report?
A. Yes.
Q. I believe you testified that it was not specific to your AWS environment?
A. That's right.
Q. But it was specific to the software used
352
Case 1:23-cv-01599-ABJ-ZMF Document 140-3 Filed 10/03/23 Page 47 of 47
in that environment?
A. Correct.
Q. Was that still valuable, from your perspective, in assessing the security of the product?
A. Yes.
MR. BEVILLE: No further questions.
MR. BAKER: No questions.
MS. FARER: I think as noted earlier we're going to leave this open, and we note your objection on the record to us leaving it open.
But for the reasons we've discussed that we -- there's a number of outstanding requests both before today but also that occurred during today with outstanding information that was not produced to us by the company, and that this witness would be the person that would be able to provide us a significant amount of additional information.
We didn't get to test him on these documents. We're going to leave it open.
MR. BEVILLE: Again, we object. We object to that. We don't think you have the right to keep this open under the consent order or the Federal Rules. You had quite a long time with Erik today. We will be getting you and meeting and conferring
353