Declaration of Matthew Beville
Ex. 1
EXHIBIT B

UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA

SECURITIES AND EXCHANGE COMMISSION,
Plaintiff,
v.
BINANCE HOLDINGS LIMITED, BAM TRADING SERVICES INC., BAM MANAGEMENT US HOLDINGS, INC., AND CHANGPENG ZHAO,
Defendants.

Case No. 1:23-cv-01599-ABJ

VIDEOTAPED DEPOSITION OF ERIK KELLOGG
THURSDAY, AUGUST 24, 2023
9:50 A.M.
Washington, DC

REPORTED BY:
SHERRY L. BROOKS,
CERTIFIED LIVENOTE REPORTER
JOB NO. 230824SLB

GRADILLAS COURT REPORTERS
(424) 239-2800

Amazon environment that was not established by Binance Holdings?
A. If I'm understanding correctly, so Binance -- so BHL helped to -- they spun up Bam's AWS environment. But -- so they helped set it up, and I don't -- I wasn't here for that. But they don't manage anything as of today, as of a couple months ago or -- right.
Q. What access do they have to that AWS environment that they set up for Binance.US?
A. So the -- few folks -- a few BHL people who have access are only allowed to access and help support the services and/or systems within AWS that run the matching engine, that comprise the matching engine.
Q. What about the wallet software?
A. The wallet software is in a BHL on the AWS environment. It's separate from ours.
Q. So the wallet software is not in a Binance.US AWS environment?
A. Components of it are, but, no, it is not. The back end of it is not in our environment.
Q. Okay. So then circling back to my initial question, the SOC reports -- I had initially asked if the SOC reports cover all components of the Binance.US services and infrastructure. And, again, I feel like we're getting caught up on infrastructure, so please clarify, but even that which is provided by third parties.
So in my view -- and, again, correct me if I'm wrong -- the wallet software is a component of the Binance.US system. Is that not your understanding?
A. No. The wallet software is to me -- we treat it as any other third-party software or service that we're using, but the components that -- that control that software do live in our environment. So there's a part of that that -- which is P and K. That lives in our AWS environment. That is -- that was included in these third-party assessments.
Q. And what components of the wallet software are in the Binance Holdings AWS environment that was not included in the SOC report?
A. I would consider it the back end of the software.
Q. And what does that back end do or how would you define "back end"?
A. I would define the back end that that's what actually is the part that interacts with the keys in the chain in the blockchain aspects.
I think just with -- as with any of the third party that we would use, I couldn't tell you exactly what a third-party spec and system were doing. We were told -- we were given the ability to do what we need to do as a business with those assets and we treat it as such.
Q. Okay. So just so I understand, the back end is the part that interacts with the keys. That's what you're saying?
A. I couldn't tell you exactly how their back end works. I couldn't tell you.
Q. But I think you testified previously that the back end interacts with the keys. So are you changing that testimony?
A. I would say that there's some interaction with the keys there. I think it's obvious that the back end interacts with the keys, at least to me. So yes.
Q. Okay. And Binance.US does not have access to that environment?
A. No, not -- we don't have access to the AWS -- to their AWS.
Q. To the AWS that hosts the component of the software that interacts with the keys?
A. Correct.
Q. And Binance Holdings, that's their AWS environment?
A. Yes.
Q. And who has access to that AWS environment?
A. I wouldn't know. We're not involved in their -- in their management of that system.
Q. So just so I understand, sitting here today, you don't know who from Binance Holdings has access to the AWS environment that interacts with the keys for the Binance.US wallet software?
A. Correct.
Q. And we're going to get into the systems a little bit in more detail, but I'm just trying to get the lay of the land.
A. Um-hum.
MS. FARER: Now maybe -- now might be a good time for a quick break.
MR. BEVILLE: Yeah. That works. We've been going about an hour.
THE VIDEOGRAPHER: The time is 10:58 a.m. We are now off the record.
(A break was taken.)
THE VIDEOGRAPHER: The time is 11:10 a.m. We are now on the record.

Q. How do you know that someone from Binance can't do that as well?
A. You know, we have access to the portal and see which users are in there. So to that extent, we know.
Q. Do you have -- when you say you can see what users are in there, what do you mean?
A.
Okay.
Q. Do you have visibility into all means of access for that TSS portal?
A. As far as I know, yes.
Q. How are you supposed to gain comfort with that if it all sits in the Binance environment?
A. Again, this is where we would fall back on the third-party risk assessments, our own security diligence, our conversations. And it's standard for all of our custodial solution partners.
Q. So your confirmation that Binance doesn't have access to the TSS portal is confirmation from Binance?
A. And the third-party reports we saw.
Q. The third-party reports you're referring to are the SOC 2 and ISO reports?
A. Correct.
MS. FARER: Counsel, we've made a number of requests for production of documents relating to access controls and the infrastructure here.
MR. BEVILLE: We can discuss this on a break.
MS. FARER: Well, I'm going to put it on the record that we would like a copy of those reports given that is how Mr. Kellogg just testified that is part of the way he gets comfort in the level of access from Binance to this portal.
MR. BEVILLE: Understood. Do you want to ask Mr. Kellogg about how he's accessed those documents?
MS. FARER: I'm happy to ask.
BY MS. FARER:
Q. How have you accessed these documents?
A. The SOC 2 report and ISO -- well, the SOC 2 report was provided to me from BHL, through our standard third-party diligence. But since I've had a chance to review them, that's been revoked and I haven't had a chance to -- I don't have them anymore. I don't have the SOC anymore. I can't get it.
In the ISO report we saw the certification, the official certification from the third party.
Q. So have you ever had actual possession of these documents?
A. No. They've been shared with me from the -- BHL's infrastructure.
MR. CANELLOS: What do you mean by "shared," I think, is the question? Is it physical possession? Is it some other --
A. No. So it was like a Google doc link from their Google environment. And, you know, they can control -- like you can't -- you know, we couldn't download it. You know, we couldn't print it.
They had strict controls around what I could actually do with the report besides pull it up and read it on my screen. I couldn't do anything besides that.
BY MS. FARER:
Q. And why wouldn't they give it to you to actually like save and have a copy of it?
A. In my opinion, the potential proprietary information that could get out could -- could cause a security leak if any of that got like -- so it's not uncommon I would say that given the amount of sensitive and secure information that are in these types of reports that you don't necessarily hand them out.
I think that that goes case-by-case, business-by-business decision.
Q. Is that what was explained to you as to why you couldn't have the report?
A. Yes, but I also agreed with that point of view.
Q. And what entities are covered by this SOC report that you saw?
A. So on the name I believe it was Block Technologies.
Q. And I want to turn to that in a second. But what other third-party vendors that service Binance only provided you a SOC 2 ISO or other security report through a screen share?
MR. BEVILLE: Which Binance --
MR. NELSON: Which entity are you referring to?
MS. FARER: Binance.US.
A. Well, I would say BitGo has a SOC 2 report that they did provide us, but they don't have any ISO reports.
BY MS. FARER:
Q. They provided you a copy that you have?
A. Correct. Fire Blocks gave us a SOC report, but they do not have an ISO report. And I'm just giving you some examples of the other custodial solutions that we are working with, whether they're implemented yet or not.
Q. I guess I'm just asking a very specific question. Are any of the other third-party service providers that Binance.US uses -- did any of them say I'm only sharing the SOC 2 report through a screen?
A. Not that I'm aware of. Not that I can --
Q. Now, going back to the SOC 2 report that you saw on the screen, you said it was for Block Technologies?
A. Yes.
Q. And what is your understanding of what that company is?
A. It's my understanding that Block Technologies was acquired by BHL for their wallet -- for part or some of their wallet technology and, therefore, was -- that -- that -- that was the same technology as what we have from BHL.
Q. What is the basis of your understanding that Block Technologies was acquired by BHL?
A. Conversations with Bob.
Q. And what is your understanding that -- I guess, let me break this down. When did this acquisition occur?
A. That, I'm not sure. I don't know.
Q. Was there a Binance wallet solution in place before Binance acquired Block Technologies in place for Binance.US?
A. I don't know.
Q. So when you say -- I'm just trying to understand when you said the Block Technology (sic) solution was the same that you were using. There seems to be -- you were making a distinction between some kind of wallet software. So I'm just trying to understand.
A. Well, yes. So my question was the same, why is -- why is -- you know, why is this name on this SOC report and why are you giving it to me when I'm asking for a SOC report for the wallet technology for the wallet services that we're getting from BHL? And they gave that to me with the response that this is the technology that you guys are using.
This is -- this is the technology. You know, Block was acquired by BHL for -- again, for either parts or -- for some part of the wallet technology, but it was applicable -- definitively applicable to our implementation of BHL's wallet software.
Q. So sitting here today it is your understanding that that SOC 2 report for Block Technologies covers the solution that is provided to Binance.US wallets?
A. That is my understanding, yes.
Q. And the basis of that understanding is what?
A. The conversations with Bob and the relationship with the -- that we built.
Q. What included in the report gave you the understanding that that report covered what Binance.US was using?
A. Are you asking how do I know that the auditors were actually auditing our infrastructure versus something else?
Q. Yes.
A. I don't have anything to tell you.
Q. Okay.
MR. BEVILLE: So we've been going about an hour. It's getting close to lunch. I just wanted to put out a marker.
MR. NELSON: At this point, apparently the audio went out on the WebEx. So I don't know who is hosting that, but if you could check it.
MS. FARER: Let's go off the record.
THE VIDEOGRAPHER: The time is 12:15 p.m.

any of this. It was more of like as we referred to our custody software what -- you know, what's the name of it?
BY MS. FARER:
Q. Okay. But I mean, new entity in the sense of this is not Binance Holdings?
A. No. It was my understanding it was still going to be a Binance entity -- sorry.
Q. Right.
(Simultaneously speaking addressed by Madam Reporter.)
BY MS. FARER:
Q. So let me ask: So Binance Holdings is a company, and so I'm saying a separate entity in that CEFFU is a separate company from Binance Holdings.
MR. CANELLOS:
MS. FARER:
MR. CANELLOS:
A.
That's my question.
Is CEFFU a separate company
I don't know.
BY MS. FARER:
Yes.
from Binance Holdings?
Are you asking that?
Q. What is your understanding of what CEFFU is?
A. Right now, I don't know what it is anymore. It was my -- at that time it was my understanding that it may become a branch of BHL where they commercially sell their services, was my understanding at that time. Now I'm not sure what CEFFU is.
Q. And at that time what time were you referring to?
A. So early 20 -- earlier this year.
Q. And so why has your view changed that you don't think you know what CEFFU is?
A. Because I've since then directly asked Bob are we -- do we have a relationship with CEFFU, and he said no.
Q. So all of the materials including that which was provided to auditors referencing CEFFU being the wallet software provider is -- they are inaccurate?
A. The name is inaccurate.
MR. CANELLOS: Well, how is the name inaccurate?
A. Instead of CEFFU, it should say BHL. Nothing is -- the fundamental technology, people, processes, everything that makes up the BHL wallet services that we use has never changed. Nothing has ever changed on that.
It was simply referring to it -- when I

A. Correct. Yes.
Q. And, again, in terms of just the approval process, have there been instances in which any of the shard holders rejected a request?
MR. CANELLOS: Approval of what?
MS. FARER: Approval of a transfer that went to their device.
A. Not that I'm aware of, but a -- a -- a reject (sic) of a certain transaction would not necessarily warrant a security event. It may just have been, hey, communication between maybe
saying I put the wrong address; don't accept that, or the shard holder accidentally hitting the wrong button.
But as far as I know, nothing has been brought to my attention from a security perspective that someone rejected a request.

.com (sic) team will notify .US (sic) immediately of any incident related to supporting license technologies or infrastructure" -- and then it goes on.
But my question is: Is there such a process in place?
A. So -- so we've communicated with them. But if we're talking about incidents -- yeah, so there's a few Slack channels that -- one example would be MBX Slack channel. That has a few folks from BHL that are MBX engineers.
So if there's an issue that they've identified with a matching engine, they'll reach out to our engineering team through that channel which then they can help work through how to resolve that.
Q. Is there a Slack channel devoted to the wallets?
A. No. There is --
Q. So how do you communicate with .com relating to the wallets?
A. So I typically don't. That would be, again, under -- Frank's team usually is engineering. If it's a security-related event, my team had -- there's a way that BHL -- we have a security team to security team channel.
But if it's an incident in the sense of a malfunction or a misconfiguration of the -- one of the -- you know, of a matching engine or maybe a wallet, the matching engine has a dedicated channel.
The wallet services, there are a couple of Slack channels dedicated to that. I'd have to get back to you if there's actually any BHL employees in that Slack channel.
Q. Okay.
MS. FARER: And, Counsel, we would put that request on the record for communications with BHL regarding the wallets and we can talk about scope.
We understand you have an objection to our request for communications, but we maintain that this is relevant and this is an opportunity based on information that you all have provided to narrow our request.
MR. BEVILLE: This is exactly the -- we're happy to discuss this.
BY MS. FARER:
Q. Okay. And then the last paragraph -- explain to me what this means.
A. So I am -- I take this as to say that the CEFFU BHL SOC 2 report doesn't cover Bam's AWS infrastructure.
Q. Okay. And at the time when you read the SOC 2 report, did you understand that it did?
A. No, which is why I don't really understand why this statement is here.
Q. I'm confused. So when you read the SOC -- the SOC 2 report for CEFFU, did you believe that it covered the solution that Binance.US actually uses?
A. Oh, at the time I was -- yes. I -- yes. That was my understanding that it did.
Q. Okay. But this paragraph indicates that it does not?
A. Right.
Q. So aside from the SOC 2 report that was shared on screen with you and FGMK, is there some other report that you have received regarding the security for the controls for CEFFU?
A. No.
Q. So how in your role as chief information security officer do you have comfort in the security of those assets?
A. So it's my understanding that it's still the same technology, same text stack. Same -- nothing is different except for the environment that it's hosted in.
And due to the fact that once we clear the air that it -- that it -- once we got the understanding that it wasn't, we were in discussions with BHL for them to conduct a new SOC report on specifically our environment, which they initially agreed to.
Q. When did that conversation occur?
A. Either late last year or earlier this year. I don't remember the exact time.
Q. And you said Binance.com initially agreed to have your wallet software be reviewed for under SOC 2?
A. By a third party, yes.
Q. And when you say initially agreed, has that decision changed?
A. Yeah. Well, I haven't been told it's not going to happen, but it -- we haven't made any progress on that.
Q. And why have you not made any progress on that?
A. I think -- I don't know. I can't speak to why the communications are slowed down on the -- on the BHL side, but that's a big part of it.
Q. What progress was made when you were under the impression that this SOC 2 report was going to -- or the SOC 2 assessment was going to occur?
A. Identifying which third-party assessors we -- you know, we would consider going in for that. So it was a collaborative discussion, okay, recognize that we need a SOC 2 report or some kind of security report done specifically on our environment, our implementation of the custody software.
And then it was already -- which they initially agreed to, and then we were at the stage of, okay, which vendors are they comfortable with, you know, and that we are both comfortable with.
Q. And was a vendor selected?
A. We -- we didn't get that far.
Q. Who were you talking to from Binance.com about this issue?
A. Bob again.
Q. And when was the last time that you had a communication with Bob about this issue?
A. I don't remember. I don't remember.
Q. Based on how these conversations have progressed, do you believe that a SOC 2 report for the wallet software that Binance.US uses is going to occur?
A. I don't have reason to think it's not going to occur. Our discussions was while it -- my opinion is it didn't have to be a SOC 2 report.
It just had to be some third-party security based assessment, whether that's office security, penetration testing, or an actual formalized SOC 2 or ISO. So the general consensus like they agreed, yeah. They were happy to move forward with that.
Q. And -- I'm sorry. Maybe I didn't hear you. When was the last time you had a conversation with them about this?
A. I want to say it was earlier this year.
Q. Okay. So like January? February? What month are we talking about here?
A. The initial discussions came up sometime in Q1, and I think we were continuing to discuss periodically over the following months.
Q. Have you followed up and pressed on the status of this report?
A. No, not recently.
Q. And why not?
A. Like I said, you know, communication requests have slowed down. So I don't know if they're trying to identify a better point of contact for us to have for these kind of things or -- you know, while I have -- you know, while -- while it's been great to have Bob as a single point of contact, I've also asked if we can get more of a formal contact tree (sic) in place, you know, for support issues.
And so I don't know if while they work through all of that they're trying to decide maybe who should be in that role. So, again, I haven't gotten a lot of feedback from their side on this yet.
Q. And when you've tried to find an alternative point of contact, who have you inquired about that with -- that was poorly worded.
Who have you asked for an additional point of contact?
A. So really Bob has been my only point of contact. So for me making requests, they go through him, which, again, I think he recognizes the problem -- or not a problem, but as kind of a bottleneck in our request and moving things along. But I just don't know what kind of progress he's made on his side for that.
Q. So you've asked Bob for an additional point of contact?
A. Right.
Q. Have you elevated this up within Binance.US?
A. Within Binance.US?
Q. To try and find an avenue to move forward with getting a third-party security assessment for your wallet service provider that holds the majority of crypto assets for .US?
A. So yeah --
MR. CANELLOS: Excuse me. Who holds the majority of assets?
MS. FARER: Binance.com is the wallet who holds the majority of the assets. Mr. Kellogg testified to that. Is that an incorrect characterization?
MR. CANELLOS: You mean they provide the software for the wallets?
MS. FARER: Again, I ask for no speaking objections.
MR. CANELLOS: Well, then I'm objecting to your mischaracterization of the witness's testimony.
BY MS. FARER:
Q. You can answer.
A. So I would say as a critical software vendor for our custodial processes that I think I would love to have more structure around our communication, you know, tree (sic) and a bit more formalized structure around them as a -- as a third party.
Q. So as it (sic) sits here today, you have -- you don't have insight into the environment that hosts the technology for the security of the background -- of the back end.
You don't have a third-party assessment that evaluates the security of CEFFU, and you've relied upon a questionnaire prepared by Binance regarding the information of security?
I'm just trying to get an understanding of the different pieces of information that you're looking at.
MR. BEVILLE: So I'm going to object to the extent that mischaracterizes some of what Erik says. But please answer.
A. So Binance did not create our security questionnaire. Me and my team created the questionnaire. We took input from various custodial solution partners as well -- Binance, you know, had some chance to -- to overview that with us, but they did not create that. That was ours. That was Bam's questionnaires.
BY MS. FARER:
Q. Sorry. To clarify, their response to your questionnaire?
A. Right. So, yes. So, additionally, conversations that, you know -- again, once I was -- it was made clear that that was not our instance (sic) of the technology, conversations led to, well, what is different between what I see in the SOC report and our -- and our implementation.
The answer was nothing is different. So we're taking that -- those conversations. And of course, the subsequent conversations dive into more detail specifics about that. It's not just take their word for it.
As a security professional, I feel like I know where certain topics need to be dug into versus what -- what's -- what's realistic versus what's not.
And then, again, our internal control systems and testing that we've done that we're able to do, as well as the fact that we haven't found any historical evidence of anything not functioning as we were told, as we were presented.
Q. Okay. And who did you have those conversations with about the difference between the SOC 2 report and the solution you all have from Binance.com?
A. Again, that was Bob.
Q. Okay. I'm going to show you --

it's no longer working.
Q. And why was
the
person who had the shards?
A. I don't know.
Q. And why was
?
A. I don't know that either.
Q. How did you coordinate picking up the shards
?
A. It was through --
and I -- I was given information.
Q. From who?
A. I believe maybe
Q.
A. -- I don't specifically remember. It was somebody -- it was a Bam employee. I just don't specifically remember if it was -- I believe it might have been
the one that's -- as I understand it, he's the one that has -- he has a -- he has a communication -- he's able to -- I don't know -- to get communication with
that is basically supporting our instance from the operational side.
And so we kind of view
as like the BHL support person for our wallet operations support, if needed.
Q.
?
A. Yes. That's how I understand it. I've never -- I don't have any direct exposure to see any communications with anybody. I mean, this is just from conversations.
Q. Conversations with whom?
A. With
Q. So I thought we talked about earlier that your point of contact for the wallets was
?
A. Well, that is for the security and technology and -- of the -- of the -- of the -- of the wallets -- like the wallet system back end.
Q. Okay. So the role that
plays with the wallets is what?
A. I don't know. I wouldn't even say
has a role. All I know is that at times
has requests that may affect our -- our shard operations that -- that
may -- if
would go to --
was the person that they would go to in the past.
Q. And how much in the recent past? Like when did that cut off, when the shards were delivered to you?
A. I don't know -- I don't really know if this was really a -- like I said, I've never actually seen anything that would say that they've had any
Case 1:23-cv-01599-ABJ-ZMF Document 141-10 Filed 10/03/23 Page 1 of 30
Declaration of Matthew Beville
Ex. 11
PDF Page 3
Case 1:23-cv-01599-ABJ-ZMF Document 141-10 Filed 10/03/23 Page 2 of 30
EXHIBIT B
PDF Page 4
Case 1:23-cv-01599-ABJ-ZMF Document 141-10 Filed 10/03/23 Page 3 of 30
1
UNITED STATES DISTRICT COURT
2
FOR THE DISTRICT OF COLUMBIA
3
4
5
6
7
8
9
10
11
SECURITIES AND EXCHANGE
COMMISSION,
)
)
)
Plaintiff,
)
)
v.
)
) Case No.
BINANCE HOLDINGS LIMITED, BAM ) 1:23-cv-01599-ABJ
TRADING SERVICES INC., BAM
)
MANAGEMENT US HOLDINGS, INC., )
AND CHANGPENG ZHAO,
)
)
Defendants.
)
______________________________)
12
13
14
VIDEOTAPED DEPOSITION OF ERIK KELLOGG
15
THURSDAY, AUGUST 24, 2023
16
9:50 A.M.
17
Washington, DC
18
19
20
21
22
23
24
25
REPORTED BY:
SHERRY L. BROOKS,
CERTIFIED LIVENOTE REPORTER
JOB NO. 230824SLB
1
GRADILLAS COURT REPORTERS
(424) 239-2800
PDF Page 5
Case 1:23-cv-01599-ABJ-ZMF Document 141-10 Filed 10/03/23 Page 4 of 30
10:53
10:53
1
Amazon environment that was not established by
2
Binance Holdings?
3
A.
If I'm understanding correctly, so Binance
4
-- so BHL helped to -- they spun up Bam's AWS
5
environment.
6
don't -- I wasn't here for that.
7
manage anything as of today, as of a couple months
8
ago or -- right.
9
10
10:53 11
Q.
But -- so they helped set it up, and I
But they don't
What access do they have to that AWS
environment that they set up for Binance.US?
A.
So the -- few folks -- a few BHL people
12
who have access are only allowed to access and help
13
support the services and/or systems within AWS that
14
run the matching engine, that comprise the matching
15
engine.
10:54 16
Q.
What about the wallet software?
10:54 17
A.
The wallet software is in a BHL on the AWS
18
10:54 19
20
10:54 21
22
10:54 23
environment.
Q.
It's separate from ours.
So the wallet software is not in a
Binance.US AWS environment?
A.
Components of it are, but, no, it is not.
The back end of it is not in our environment.
Q.
Okay.
So then circling back to my initial
24
question, the SOC reports -- I had initially asked if
25
the SOC reports cover all components of the
60
GRADILLAS COURT REPORTERS
(424) 239-2800
PDF Page 6
Case 1:23-cv-01599-ABJ-ZMF Document 141-10 Filed 10/03/23 Page 5 of 30
10:54
10:55
1
Binance.US services and infrastructure.
2
I feel like we're getting caught up on
3
infrastructure, so please clarify, but even that
4
which is provided by third parties.
5
And, again,
So in my view -- and, again, correct me if
6
I'm wrong -- the wallet software is a component of
7
the Binance.US system.
8
understanding?
9
A.
No.
Is that not your
The wallet software is to me -- we
10
treat it as any other third-party software or service
11
that we're using, but the components that -- that
12
control that software do live in our environment.
13
there's a part of that that -- which is P and K.
14
That lives in our AWS environment.
15
was included in these third-party assessments.
10:55 16
Q.
So
That is -- that
And what components of the wallet software
17
are in the Binance Holdings AWS environment that was
18
not included in the SOC report?
10:55 19
20
10:55 21
22
10:55 23
A.
I would consider it the back end of the
software.
Q.
And what does that back end do or how
would you define "back end"?
A.
I would define the back end that that's
24
what actually is the part that interacts with the
25
keys in the chain in the blockchain aspects.
61
GRADILLAS COURT REPORTERS
(424) 239-2800
PDF Page 7
Case 1:23-cv-01599-ABJ-ZMF Document 141-10 Filed 10/03/23 Page 6 of 30
I think just with -- as with any of the third party that we would use, I couldn't tell you exactly what a third-party spec and system were doing. We were told -- we were given the ability to do what we need to do as a business with those assets and we treat it as such.
Q. Okay. So just so I understand, the back end is the part that interacts with the keys. That's what you're saying?
A. I couldn't tell you exactly how their back end works. I couldn't tell you.
Q. But I think you testified previously that the back end interacts with the keys. So are you changing that testimony?
A. I would say that there's some interaction with the keys there. I think it's obvious that the back end interacts with the keys, at least to me. So yes.
Q. Okay. And Binance.US does not have access to that environment?
A. No, not -- we don't have access to the AWS -- to their AWS.
Q. To the AWS that hosts the component of the software that interacts with the keys?
A. Correct.
[Transcript page 62]
Q. And Binance Holdings, that's their AWS environment?
A. Yes.
Q. And who has access to that AWS environment?
A. I wouldn't know. We're not involved in their -- in their management of that system.
Q. So just so I understand, sitting here today, you don't know who from Binance Holdings has access to the AWS environment that interacts with the keys for the Binance.US wallet software?
A. Correct.
Q. And we're going to get into the systems a little bit in more detail, but I'm just trying to get the lay of the land.
A. Um-hum.
MS. FARER: Now maybe -- now might be a good time for a quick break.
MR. BEVILLE: Yeah. That works. We've been going about an hour.
THE VIDEOGRAPHER: The time is 10:58 a.m. We are now off the record.
(A break was taken.)
THE VIDEOGRAPHER: The time is 11:10 a.m. We are now on the record.
[Transcript page 63]
Q. How do you know that someone from Binance can't do that as well?
A. You know, we have access to the portal and see which users are in there. So to that extent, we know.
Q. Do you have -- when you say you can see what users are in there, what do you mean?
A. Okay.
Q. Do you have visibility into all means of access for that TSS portal?
A. As far as I know, yes.
Q. How are you supposed to gain comfort with that if it all sits in the Binance environment?
A. Again, this is where we would fall back on the third-party risk assessments, our own security diligence, our conversations. And it's standard for all of our custodial solution partners.
Q. So your confirmation that Binance doesn't have access to the TSS portal is confirmation from Binance?
A. And the third-party reports we saw.
Q. The third-party reports you're referring to are the SOC 2 and ISO reports?
A. Correct.
[Transcript page 110]
MS. FARER: Counsel, we've made a number of requests for production of documents relating to access controls and the infrastructure here.
MR. BEVILLE: We can discuss this on a break.
MS. FARER: Well, I'm going to put it on the record that we would like a copy of those reports given that is how Mr. Kellogg just testified that is part of the way he gets comfort in the level of access from Binance to this portal.
MR. BEVILLE: Understood. Do you want to ask Mr. Kellogg about how he's accessed those documents?
MS. FARER: I'm happy to ask.
BY MS. FARER:
Q. How have you accessed these documents?
A. The SOC 2 report and ISO -- well, the SOC 2 report was provided to me from BHL, through our standard third-party diligence. But since I've had a chance to review them, that's been revoked and I haven't had a chance to -- I don't have them anymore. I don't have the SOC anymore. I can't get it.
In the ISO report we saw the certification, the official certification from the third party.
[Transcript page 111]
Q. So have you ever had actual possession of these documents?
A. No. They've been shared with me from the -- BHL's infrastructure.
MR. CANELLOS: What do you mean by "shared," I think, is the question? Is it physical possession? Is it some other --
A. No. So it was like a Google doc link from their Google environment. And, you know, they can control -- like you can't -- you know, we couldn't download it. You know, we couldn't print it.
They had strict controls around what I could actually do with the report besides pull it up and read it on my screen. I couldn't do anything besides that.
BY MS. FARER:
Q. And why wouldn't they give it to you to actually like save and have a copy of it?
A. In my opinion, the potential proprietary information that could get out could -- could cause a security leak if any of that got like -- so it's not uncommon I would say that given the amount of sensitive and secure information that are in these types of reports that you don't necessarily hand them out.
[Transcript page 112]
I think that that goes case-by-case, business-by-business decision.
Q. Is that what was explained to you as to why you couldn't have the report?
A. Yes, but I also agreed with that point of view.
Q. And what entities are covered by this SOC report that you saw?
A. So on the name I believe it was Block Technologies.
Q. And I want to turn to that in a second. But what other third-party vendors that service Binance only provided you a SOC 2 ISO or other security report through a screen share?
MR. BEVILLE: Which Binance --
MR. NELSON: Which entity are you referring to?
MS. FARER: Binance.US.
A. Well, I would say BitGo has a SOC 2 report that they did provide us, but they don't have any ISO reports.
BY MS. FARER:
Q. They provided you a copy that you have?
A. Correct. Fire Blocks gave us a SOC 2 report, but they do not have an ISO report. And I'm
[Transcript page 113]
just giving you some examples of the other custodial solutions that we are working with, whether they're implemented yet or not.
Q. I guess I'm just asking a very specific question. Are any of the other third-party service providers that Binance.US uses -- did any of them say I'm only sharing the SOC 2 report through a screen?
A. Not that I'm aware of. Not that I can --
Q. Now, going back to the SOC 2 report that you saw on the screen, you said it was for Block Technologies?
A. Yes.
Q. And what is your understanding of what that company is?
A. It's my understanding that Block Technologies was acquired by BHL for their wallet -- for part or some of their wallet technology and, therefore, was -- that -- that -- that was the same technology as what we have from BHL.
Q. What is the basis of your understanding that Block Technologies was acquired by BHL?
A. Conversations with Bob.
Q. And what is your understanding that -- I guess, let me break this down.
When did this acquisition occur?
[Transcript page 114]
A. That, I'm not sure. I don't know.
Q. Was there a Binance wallet solution in place before Binance acquired Block Technologies in place for Binance.US?
A. I don't know.
Q. So when you say -- I'm just trying to understand when you said the Block Technology (sic) solution was the same that you were using. There seems to be -- you were making a distinction between some kind of wallet software. So I'm just trying to understand.
A. Well, yes. So my question was the same, why is -- why is -- you know, why is this name on this SOC report and why are you giving it to me when I'm asking for a SOC report for the wallet technology for the wallet services that we're getting from BHL? And they gave that to me with the response that this is the technology that you guys are using.
This is -- this is the technology. You know, Block was acquired by BHL for -- again, for either parts or -- for some part of the wallet technology, but it was applicable -- definitively applicable to our implementation of BHL's wallet software.
Q. So sitting here today it is your
[Transcript page 115]
understanding that that SOC 2 report for Block Technologies covers the solution that is provided to Binance.US wallets?
A. That is my understanding, yes.
Q. And the basis of that understanding is what?
A. The conversations with Bob and the relationship with the -- that we built.
Q. What included in the report gave you the understanding that that report covered what Binance.US was using?
A. Are you asking how do I know that the auditors were actually auditing our infrastructure versus something else?
Q. Yes.
A. I don't have anything to tell you.
Q. Okay.
MR. BEVILLE: So we've been going about an hour. It's getting close to lunch. I just wanted to put out a marker.
MR. NELSON: At this point, apparently the audio went out on the WebEx. So I don't know who is hosting that, but if you could check it.
MS. FARER: Let's go off the record.
THE VIDEOGRAPHER: The time is 12:15 p.m.
[Transcript page 116]
any of this. It was more of like as we referred to our custody software what -- you know, what's the name of it?
BY MS. FARER:
Q. Okay. But I mean, new entity in the sense of this is not Binance Holdings?
A. No. It was my understanding it was still going to be a Binance entity -- sorry.
Q. Right.
(Simultaneously speaking addressed by Madam Reporter.)
BY MS. FARER:
Q. So let me ask: So Binance Holdings is a company, and so I'm saying a separate entity in that CEFFU is a separate company from Binance Holdings.
MR. CANELLOS: Are you asking that?
MS. FARER: Yes. That's my question.
MR. CANELLOS: Is CEFFU a separate company from Binance Holdings?
A. I don't know.
BY MS. FARER:
Q. What is your understanding of what CEFFU is?
A. Right now, I don't know what it is anymore. It was my -- at that time it was my
[Transcript page 176]
understanding that it may become a branch of BHL where they commercially sell their services, was my understanding at that time. Now I'm not sure what CEFFU is.
Q. And at that time what time were you referring to?
A. So early 20 -- earlier this year.
Q. And so why has your view changed that you don't think you know what CEFFU is?
A. Because I've since then directly asked Bob are we -- do we have a relationship with CEFFU, and he said no.
Q. So all of the materials including that which was provided to auditors referencing CEFFU being the wallet software provider is -- they are inaccurate?
A. The name is inaccurate.
MR. CANELLOS: Well, how is the name inaccurate?
A. Instead of CEFFU, it should say BHL. Nothing is -- the fundamental technology, people, processes, everything that makes up the BHL wallet services that we use has never changed. Nothing has ever changed on that.
It was simply referring to it -- when I
[Transcript page 177]
A. Correct. Yes.
Q. And, again, in terms of just the approval process, have there been instances in which any of the shard holders rejected a request?
MR. CANELLOS: Approval of what?
MS. FARER: Approval of a transfer that went to their device.
A. Not that I'm aware of, but a -- a -- a reject (sic) of a certain transaction would not necessarily warrant a security event. It may just have been, hey, communication between maybe
saying I put the wrong address; don't accept that, or the shard holder accidentally hitting the wrong button.
But as far as I know, nothing has been brought to my attention from a security perspective that someone rejected a request.
[Transcript page 258]
[Transcript page 259]
.com (sic) team will notify .US (sic) immediately of any incident related to supporting license technologies or infrastructure" -- and then it goes on.
But my question is: Is there such a process in place?
A. So -- so we've communicated with them. But if we're talking about incidents -- yeah, so there's a few Slack channels that -- one example would be MBX Slack channel. That has a few folks from BHL that are MBX engineers.
So if there's an issue that they've identified with a matching engine, they'll reach out to our engineering team through that channel which then they can help work through how to resolve that.
Q. Is there a Slack channel devoted to the wallets?
A. No. There is --
Q. So how do you communicate with .com relating to the wallets?
A. So I typically don't. That would be, again, under -- Frank's team usually is engineering. If it's a security-related event, my team had -- there's a way that BHL -- we have a security team to security team channel.
But if it's an incident in the sense of a
[Transcript page 311]
malfunction or a misconfiguration of the -- one of the -- you know, of a matching engine or maybe a wallet, the matching engine has a dedicated channel.
The wallet services, there are a couple of Slack channels dedicated to that. I'd have to get back to you if there's actually any BHL employees in that Slack channel.
Q. Okay.
MS. FARER: And, Counsel, we would put that request on the record for communications with BHL regarding the wallets and we can talk about scope.
We understand you have an objection to our request for communications, but we maintain that this is relevant and this is an opportunity based on information that you all have provided to narrow our request.
MR. BEVILLE: This is exactly the -- we're happy to discuss this.
BY MS. FARER:
Q. Okay. And then the last paragraph -- explain to me what this means.
A. So I am -- I take this as to say that the CEFFU BHL SOC 2 report doesn't cover Bam's AWS infrastructure.
[Transcript page 312]
Q. Okay. And at the time when you read the SOC 2 report, did you understand that it did?
A. No, which is why I don't really understand why this statement is here.
Q. I'm confused. So when you read the SOC -- the SOC 2 report for CEFFU, did you believe that it covered the solution that Binance.US actually uses?
A. Oh, at the time I was -- yes. I -- yes. That was my understanding that it did.
Q. Okay. But this paragraph indicates that it does not?
A. Right.
Q. So aside from the SOC 2 report that was shared on screen with you and FGMK, is there some other report that you have received regarding the security for the controls for CEFFU?
A. No.
Q. So how in your role as chief information security officer do you have comfort in the security of those assets?
A. So it's my understanding that it's still the same technology, same text stack. Same -- nothing is different except for the environment that it's hosted in.
And due to the fact that once we clear the
[Transcript page 313]
air that it -- that it -- once we got the understanding that it wasn't, we were in discussions with BHL for them to conduct a new SOC report on specifically our environment, which they initially agreed to.
Q. When did that conversation occur?
A. Either late last year or earlier this year. I don't remember the exact time.
Q. And you said Binance.com initially agreed to have your wallet software be reviewed for under SOC 2?
A. By a third party, yes.
Q. And when you say initially agreed, has that decision changed?
A. Yeah. Well, I haven't been told it's not going to happen, but it -- we haven't made any progress on that.
Q. And why have you not made any progress on that?
A. I think -- I don't know. I can't speak to why the communications are slowed down on the -- on the BHL side, but that's a big part of it.
Q. What progress was made when you were under the impression that this SOC 2 report was going to -- or the SOC 2 assessment was going to occur?
[Transcript page 314]
A. Identifying which third-party assessors we -- you know, we would consider going in for that. So it was a collaborative discussion, okay, recognize that we need a SOC 2 report or some kind of security report done specifically on our environment, our implementation of the custody software.
And then it was already -- which they initially agreed to, and then we were at the stage of, okay, which vendors are they comfortable with, you know, and that we are both comfortable with.
Q. And was a vendor selected?
A. We -- we didn't get that far.
Q. Who were you talking to from Binance.com about this issue?
A. Bob again.
Q. And when was the last time that you had a communication with Bob about this issue?
A. I don't remember. I don't remember.
Q. Based on how these conversations have progressed, do you believe that a SOC 2 report for the wallet software that Binance.US uses is going to occur?
A. I don't have reason to think it's not going to occur. Our discussions was while it -- my opinion is it didn't have to be a SOC 2 report.
[Transcript page 315]
It just had to be some third-party security based assessment, whether that's office security, penetration testing, or an actual formalized SOC 2 or ISO. So the general consensus like they agreed, yeah. They were happy to move forward with that.
Q. And -- I'm sorry. Maybe I didn't hear you. When was the last time you had a conversation with them about this?
A. I want to say it was earlier this year.
Q. Okay. So like January? February? What month are we talking about here?
A. The initial discussions came up sometime in Q1, and I think we were continuing to discuss periodically over the following months.
Q. Have you followed up and pressed on the status of this report?
A. No, not recently.
Q. And why not?
A. Like I said, you know, communication requests have slowed down. So I don't know if they're trying to identify a better point of contact for us to have for these kind of things or -- you know, while I have -- you know, while -- while it's been great to have Bob as a single point of contact,
[Transcript page 316]
I've also asked if we can get more of a formal contact tree (sic) in place, you know, for support issues.
And so I don't know if while they work through all of that they're trying to decide maybe who should be in that role. So, again, I haven't gotten a lot of feedback from their side on this yet.
Q. And when you've tried to find an alternative point of contact, who have you inquired about that with -- that was poorly worded.
Who have you asked for an additional point of contact?
A. So really Bob has been my only point of contact. So for me making requests, they go through him, which, again, I think he recognizes the problem -- or not a problem, but as kind of a bottleneck in our request and moving things along. But I just don't know what kind of progress he's made on his side for that.
Q. So you've asked Bob for an additional point of contact?
A. Right.
Q. Have you elevated this up within Binance.US?
A. Within Binance.US?
[Transcript page 317]
Q. To try and find an avenue to move forward with getting a third-party security assessment for your wallet service provider that holds the majority of crypto assets for .US?
A. So yeah --
MR. CANELLOS: Excuse me. Who holds the majority of assets?
MS. FARER: Binance.com is the wallet who holds the majority of the assets. Mr. Kellogg testified to that. Is that an incorrect characterization?
MR. CANELLOS: You mean they provide the software for the wallets?
MS. FARER: Again, I ask for no speaking objections.
MR. CANELLOS: Well, then I'm objecting to your mischaracterization of the witness's testimony.
BY MS. FARER:
Q. You can answer.
A. So I would say as a critical software vendor for our custodial processes that I think I would love to have more structure around our communication, you know, tree (sic) and a bit more formalized structure around them as a -- as a third party.
[Transcript page 318]
Q. So as it (sic) sits here today, you have -- you don't have insight into the environment that hosts the technology for the security of the background -- of the back end.
You don't have a third-party assessment that evaluates the security of CEFFU, and you've replied upon a questionnaire prepared by Binance regarding the information of security?
I'm just trying to get an understanding of the different pieces of information that you're looking at.
MR. BEVILLE: So I'm going to object to the extent that mischaracterizes some of what Erik says.
But please answer.
A. So Binance did not create our security questionnaire. Me and my team created the questionnaire. We took input from various custodial solution partners as well -- Binance, you know, had some chance to -- to overview that with us, but they did not create that. That was ours. That was Bam's questionnaires.
BY MS. FARER:
Q. Sorry. To clarify, their response to your questionnaire?
[Transcript page 319]
A. Right. So, yes. So, additionally, conversations that, you know -- again, once I was -- it was made clear that that was not our instance (sic) of the technology, conversations led to, well, what is different between what I see in the SOC report and our -- and our implementation.
The answer was nothing is different. So we're taking that -- those conversations. And of course, the subsequent conversations dive into more detail specifics about that. It's not just take their word for it.
As a security professional, I feel like I know where certain topics need to be dug into versus what -- what's -- what's realistic versus what's not.
And then, again, our internal control systems and testing that we've done that we're able to do, as well as the fact that we haven't found any historical evidence of anything not functioning as we were told, as we were presented.
Q. Okay. And who did you have those conversations with about the difference between the SOC 2 report and the solution you all have from Binance.com?
A. Again, that was Bob.
Q. Okay. I'm going to show you --
[Transcript page 320]
it's no longer working.
Q. And why was
the person who had the shards?
A. I don't know.
Q. And why was
A. I don't know that either.
Q. How did you coordinate picking up the shards
?
?
A. It was through --
and I -- I was given
information.
Q. From who?
A. I believe maybe
Q.
A. -- I don't specifically remember. It was somebody -- it was a Bam employee. I just don't specifically remember if it was -- I believe it might have been
the one that's -- as I understand it, he's the one that has -- he has a -- he has a communication -- he's able to -- I don't know -- to get communication with
that is basically supporting our instance from the operational side.
And so we kind of view
as like the BHL support person for our wallet operations support, if needed.
[Transcript page 342]
Q.
?
A. Yes. That's how I understand it. I've never -- I don't have any direct exposure to see any communications with anybody. I mean, this is just from conversations.
Q. Conversations with whom?
A. With
Q. So I thought we talked about earlier that your point of contact for the wallets was
?
A. Well, that is for the security and technology and -- of the -- of the -- of the -- of the wallets -- like the wallet system back end.
Q. Okay. So the role that
plays with the wallets is what?
A. I don't know. I wouldn't even say
has a role. All I know is that at times
may -- if
has requests that may affect our -- our shard operations that -- that
was the person that they would go to --
would go to in the past.
Q. And how much in the recent past? Like when did that cut off, when the shards were delivered to you?
A. I don't know -- I don't really know if this was really a -- like I said, I've never actually seen anything that would say that they've had any
[Transcript page 343]