How crypto developers faked Solana’s DeFi ecosystem

    17 Aug 2022
    667 Views

    The Macalinao brothers used a web of bogus identities to create the illusion of a dev community, juicing value on the Saber protocol and Solana blockchain. Now they’re moving to Aptos. An investigation by Danny Nelson and Tracy Wang published on CoinDesk.

    Something about Sunny Aggregator felt off-kilter to the cryptocurrency user known as Saint Eclectic.

    Sunny was the newest decentralized finance (DeFi) app to hit Solana during that blockchain’s scorching bull run last summer, when its native token jumped fivefold. Sunny was barely two weeks old by early September, but billions of dollars in crypto were flooding this yield farm.

    Still, Saint and others had questions: Who was behind Sunny? Why was its developer, one “Surya Khosla,” pseudonymous? Was its codebase audited? Would users’ cash be safe?

    “There was no indication of who Surya was,” Saint recalled recently, “so many users didn’t feel comfortable” putting their crypto in.

    Their suspicions proved prescient.

    CoinDesk has learned who Surya was: Ian Macalinao, the chief architect of Saber, a stablecoin exchange built on top of Solana. In turn, he built Sunny Aggregator on top of Saber.

    And that’s just the top of the pile.

    Coding as 11 purportedly independent developers, Ian, a 20-something computer wiz from Texas, created a vast web of interlocking DeFi protocols that projected billions of dollars of double-counted value onto the Saber ecosystem. That temporarily inflated the total value locked (TVL) on Solana, as the network was racing toward its zenith last November. The DeFi faithful regard TVL as a barometer for on-chain activity.

    “I devised a scheme to maximize Solana’s TVL: I would build protocols that stack on top of each other, such that a dollar could be counted several times,” Ian wrote in a never-published blog post reviewed by CoinDesk. The blog post was prepared on March 26, three days after Cashio, one of Ian’s secretly built protocols, lost $52 million in a hack.

    Two close to the matter confirmed the draft’s authenticity.

    Peak value

    Ian’s ploy worked for a while. By his count, Saber and Sunny comprised $7.5 billion of Solana’s $10.5 billion TVL at their peak. (Billions of those dollars were double-counted between his two protocols.)

    “I believe it contributed to the dramatic rise of SOL,” Ian wrote of a time when Solana’s native currency traded at $188.

    Solana network’s TVL continued to swell even after the Saber ecosystem began losing steam in mid-September 2021, topping at $15 billion around Nov. 9, according to data provider DeFiLlama, while Saber’s TVL had by then dropped 64%.

    Ian wrote he disdained this “vanity metric”; nonetheless, “it bothered me that Ethereum TVL was so much higher” than Solana’s, because in his view, DeFi projects on Ethereum – the largest blockchain for DeFi – are “stacked” to double-count deposits.

    “I wanted to create a system very similar to this,” he wrote. One problem: “If the same team built each protocol, TVL would be more silly as a metric. Thus I created more anonymous profiles,” he wrote.

    Ian wore 11 masks.

    In public, Ian and his brother Dylan called their anonymous personas “friends,” or “friends of friends.” Their “Ship Capital” coder club was laying the “blueprints for my ideal DeFi ecosystem,” Ian wrote in the unpublished blog. Saber and its so-called liquidity provider (LP) tokens anchored everything.

    “If an ecosystem is all built by a few people, it does not look as authentic,” Ian wrote in his blog post. “I wanted to make it look like a lot of people were building on our protocol, rather than ship 20+ disjoint[ed] programs as one person.”

    The Macalinaos wanted other crypto protocols to become so dependent on Saber that “its failure would lead to the entire system going down,” as Dylan phrased it on Oct. 1, 2021. “Btw this is the 200 IQ [Saber Labs] strategy, but few understand…”

    The Macalinao brothers offered no comment by press time.

    A ‘Sybil attack’

    There are valid reasons to seek shelter in pseudonyms. Ian’s weaponized “anons,” however, mounted something akin to a “Sybil attack” abusing crypto users’ trust. (A Sybil attack is when a computer in a network uses bogus identities to gain disproportionate influence over the whole.)

    “I am revealing this because it is inevitable that I will be found out,” Ian wrote in his never-published blog.

    Instead, the Macalinaos in May published “Saber Public Goods” to propagate the “Saber team’s” prolific code across Solana. Eight of Ian’s 11 secret projects appear there. Their disclosure is mum on the anons and their master. Sunny and Cashio, whose tokens imploded, don’t show up, either.

    ‘My army of anons’

    Surya Khosla was Ian’s moniker when building Sunny Aggregator. Surya popped onto Twitter in August 2021. Saint Eclectic, the Sunny skeptic, hesitated to deposit his LP tokens in the work of this mysterious character, an anon with an artificial intelligence-generated face.

    One factor swung in Surya’s favor: The Ian puppet claimed to know brother Dylan “pretty well in real life.” On Sept. 9 of last year, Dylan Macalinao tweeted he “felt comfortable” putting his own crypto into Sunny Aggregator. “We audited their code,” Dylan, who is in his early 20s, said.

    Dylan lent Surya the credibility he needed to win over skeptics like Saint.

    The problem was, the lead developer, “Surya Khosla,” didn’t exist. Dylan’s brother Ian built Sunny Aggregator. Ian had made Surya up.

    It was Ian’s first dalliance with assumed identities for Saber – and far from his last.

    Ian wrote in March 2022 that he had created 11 ”anonymous founders that are actually me.”

    Ship Capital had many “friends”: 0xGhostchain, who created Cashio; Goki Rajesh, builder of multi-signature wallet Goki; Larry Jarry from mining rewards aggregator Quarry; Swaglioni, the “grandmaster” of governance platform TribecaDAO; and, of course, Surya Khosla from Sunny Aggregator, Saber’s yield farm.

    These DeFi Lego bricks were the jewels of the Saber ecosystem. Lesser-known protocols Crate (run by kiwipepper), aSOL (0xAurelion), Arrow (oliver_code) Traction.Market (0xIsaacNewton), Sencha (jjmatcha) and Venko App (ayyakovenko), rounded out the crown, according to Ian’s blog. He admitted to creating the lot.

    Pump it

    Ian, Dylan and the puppet anons promoted Ship Capital’s work incessantly on social media.

    They shilled their counterparts’ launches and integrations, praised their brethren’s thinkfluencer tweets, credited each other for inspiring them to build on Solana. They even circulated Ian’s self-referential memes.

    Sometimes they waxed philosophical. When on Dec. 29 prolific Solana developer Armani Ferrante (a real person) tweeted, “If you’re not making mistakes you’re too slow,” five Ian stooges responded in four minutes:

    (One of Ian Macalinao’s experiments quotes its master on Twitter.)

    “As @simplyianm likes to say… it’s an experiment!” declared @_kiwipepper – “herself” one of them.

    Others danced around the truth. “Team size =! Success,” Ian tweeted on Dec. 7, 2021. “I would pay @larrinator01 and @0xGoki 10x market rate in a heartbeat. Not that they need my money…” (Ian’s Goki and Larry personas cheered).

    Ian’s anons were cheeky when outsiders challenged their legitimacy.

    “I’m no puppet,” Surya Khosla asserted on Nov. 25. In early January he joked of “doxxing myself” to another developer as a reward for building atop Sunny; Ian’s creation even tweeted a photo that purported to show himself visiting the Macalinao brothers in Los Angeles.

    It’s impossible to know whether Ian puppeteered his anons’ Twitters after springing them from his workbench. But two people who have worked with Ship Capital recalled the inexplicable behavior of its crew. One persona’s Telegram account would come online after another logged off.

    Regardless, Ian admits in the unpublished draft to pulling their strings where it mattered most: the codebases.

    “If you are a developer, it is very easy to find out which open source protocols were written by me: there is always a ‘flake.nix’ file that only I use.”

    CoinDesk verified that many of the projects described in Ian’s blog contained the “flake.nix” file.

    #CashioRulesEverythingAroundMe

    To understand how the “army of anons” pumped double-counted value into Saber, 0xGhostchain’s Cashio project offers a compelling view.

    Unveiled last November near the crypto market peak, Cashio’s CASH was billed as a “decentralized stablecoin” whose dollar-pegged cryptocurrencies were backed by “liquidity provider” tokens. (LP tokens are a type of crypto asset that holders “stake” to earn extra yield. DeFi protocols issue them to users whose loaned tokens keep trades moving smoothly.)

    Cashio accepted only LP tokens from Saber as collateral. That wasn’t overly strange last November, when Saber, an “automated market maker” with over $1 billion in TVL, was a major DeFi trading venue for stablecoin pairs on Solana. (Saber’s current TVL is $90.6 million.)

    Cashio relied on Saber ecosystem projects created by Ian’s anons to generate yield.

    It first packaged Saber LP tokens into “tokenized baskets” using Crate, which Ian built under the pseudonym “kiwipepper.” It sent those “crates” through a yield redirection platform called Arrow – Ian built this as “oliver_code.” Finally, Cashio said it earned yield by staking these deposit derivatives in “Surya’s” Sunny Aggregator as well as Quarry, which Ian built as “Larry Jarry.” Profits flowed to Cashio’s treasury, managed by a decentralized autonomous organization (DAO).

    Confused? Cashio’s customers were. CoinDesk asked two high-profile users of Cashio to explain the app’s convoluted process; neither could. The app’s “about” page didn’t help much, either.

    (Chart a deleted user made in Cashio’s Discord server on Feb. 19)

    What users cared about was this: Cashio’s DeFi machine accepted their Saber LP tokens and spat out CASH tokens.

    It was a lucrative trade. CASH holders could deposit their LP-backed stablecoins into Sunny liquidity pools and earn returns of 10%-30%. Had they deposited Saber LP tokens into Sunny instead of Cashio, they would get just 5%-10%, one trader said. It didn’t matter that the same crypto asset was behind both.

    Such is the logic of DeFi money Legos.

    Ramming deposits from Saber-to-Cashio-to-Crate-to-Arrow-to-Sunny-or-Quarry had even bigger implications for Saber. According to Ian, it turned $1 of apparent TVL into $6. Many DeFi projects measure their worth by touting total user deposits: TVL.

    “TVL can only count if protocols are built separately,” Ian wrote, explaining why his anons’ protocols appeared to be separately built.

    According to TVL tracker DeFiLlama, Saber’s deposits peaked at $4.15 billion on Sept. 11 2021; its flagship SBR token had topped out at 90 cents days earlier. Sunny Aggregator’s TVL also peaked on Sept. 11, at $3.4 billion. Its SUNNY token had flirted with an all-time-high of 18 cents one day before.

    Both tokens have plummeted 99%, according to data provider CoinGecko. Saber’s and Sunny’s TVL hardly fared better as they have both dropped by over 96%.

    Fallen angels

    Cashio’s March 23 implosion from a $52 million hack was a broadside against Ship Capital.

    Ian said in the unpublished blog that he “pushed very hard for people to stake more into Cashio,” because he wrote its code. He apologized for their “catastrophic” losses in a protocol that he created using a pseudonym and endorsed under his true identity.

    In the unpublished post, Ian begged the hacker – a self-styled Robin Hood-type who railed against American and European fat cats – “to consider returning the funds.” The hacker later did return $14 million of the $39 million that hack victims requested.

    Ian wrote that if the hacker didn’t pay users back in full, “I will do what I can to repay affected personal users in my personal Saber and Sunny tokens. This won’t cover the full amount, but it’s all I have to offer.” He never made good on that unpublished pledge.

    ‘A barrier for criticism’

    Pseudonymity is widespread in crypto, and not in itself evidence of wrongdoing. Thirteen years after bitcoin’s debut, the true identity of its creator, Satoshi Nakamoto, remains unknown. Yet even after a recent brutal sell-off, the bellwether cryptocurrency boasts a $442 billion market capitalization.

    Ian, however, wanted “a barrier for criticism,” according to the unpublished post:

    “I only want to focus on building and creating value in my perception of what I believe is the best way of doing things. I do not want to deal with excessive criticism before my ideas are fully brought to market, and being anonymous is an easy way to distance myself (and the protocols I work on) from this.”

    Ian’s arrival in Solanaland in October 2020, according to Discord server logs, was hardly the self-proclaimed “shipooor’s” first code rodeo. His GitHub commit history stretches back over a decade, with the first public crypto contribution, on an EOS project, in late 2017.

    In early January 2021, Ian discussed the tokenomics of what he considered (rightly, it turned out) as a doomed-to-depeg stablecoin in the Discord for Basis.Cash. There, he became “obsessed” with building decentralized money.

    Somewhere along the way, he tried and failed to “build a multiprotocol DeFi ecosystem” that ended “in criticism and ridicule,” Ian’s post said. “Moving to Solana was a way for me to reset that.”

    Public statements

    Who were these anonymous builders flocking to Saber? Ian grappled with the question at last year’s Solana conference in Lisbon, Portugal, during a panel called “From Zero to $2 Billion: How Saber Became the Biggest DeFi App on Solana.”

    “We brought in some friends to basically build on top of Saber and just grow out the ecosystem,” Ian told Chris McCann of Race Capital, Saber’s biggest venture capital backer.

    One “friend’s” project was Sunny; Crate, the tokenized basket-making protocol from Ian’s alias kiwipepper, was another.

    “But that person also has, like a lot of friends that they know,” Ian told the audience. One of those friends-of-friends built Cashio, a stablecoin project backed by Saber LP tokens that fed liquidity into Sunny Aggregator, he claimed.

    “We could promote [CASH] to get more liquidity into Saber,” he said on stage.

    In a brief interview with CoinDesk Thursday, McCann said he was unaware of Ian’s intimate connection to Cashio.

    “He’s always mentioned that there is somebody else that created it, but I do not know who the somebody else is nor have I met them.”

    Ian’s unpublished blog reveals Cashio’s true origin. Coding as 0xGhostchain, Ian rushed to complete an exemplar of Saber LP-backed stablecoins in time for Breakpoint, the Solana ecosystem’s biggest-ever gathering of fellow developers. Ian wanted others to copy Cashio, he wrote. Each protocol that parroted its dependence on Saber LP tokens would become a liquidity spigot gushing yet more TVL into the $1.7 billion mothership.

    “This is part of why the code was insecure, it was rushed for this deadline,” he wrote on March 26, after a hacker had spoofed Cashio’s unaudited smart contracts with fake collateral, draining it of $52 million.

    Cashio’s Discord community – where passionate users roam – likely believed the CASH code was safe. After all, Ian told them on Nov. 23: “I personally audited” it. He pitched a similar yarn to crypto Twitter on March 23, the day of the exploit: “I did not audit Cashio as closely as I should have.”

    Both statements contradict what Ian wrote in his unpublished letter:

    “I didn’t get anyone else to look at the code, including an auditor. I should not have done this.”

    (A reply to a tweet by Ian Macalinao…)

    (…that he later deleted.)

    Moving on

    “It was always the goal to eventually have real people building projects,” Ian wrote in the unpublished blog.

    On July 23, the brothers started wooing external developers to Saber with a “DAO accelerator program.” Its application form asks: “How will your protocol deeply integrate with the Saber Protocol thereby increasing Saber’s volume/TVL/capital efficiency?”

    That effort comes as the brothers cast off from Solana for Aptos, an up-and-coming blockchain – porting Saber with them. Many Solana developers are in tow, a venture capital source said. The Macalinaos are betting on it: they helm a VC that’s anchored in Aptos, three sources said. Their VC is called Protagonist. Its old name was “Ship Capital.”

    Seven Saber ecosystem users told CoinDesk they felt abandoned by the Macalinao brothers. Some lost money in CASH tokens (the erstwhile stablecoin went to zero). Others say their crypto is stuck in derivative tokens issued by Sunny. One pseudonymous user, Brad_Garlic_Bread, said he lost around $300,000 across Sunny and Saber – “there’s a lot of people worse off than me.”

    The community assumes Ian is running the show “but no one knows for sure,” Brad_Garlic_Bread said.

    He’s still trying to get Ian’s attention. On July 16, Brad asked if Ian “can pretend to be Surya for like a day” to help Sunny Aggregator’s investors recover locked tokens. Ian was answering questions in the Saber Discord; he skipped Brad’s.

    Other SUNNY token-holders asked Ian for clues about the yield aggregator’s future. Saber is moving to Aptos – will Sunny do the same? They asked what became of Sunny’s lead developer.

    “The main sunny dev got burned out after losing most of their savings from the Cashio hack,” Ian said on July 16. He said he would “encourage” this disenchanted dev to rebuild Sunny in Move, a coding language Ian says is safer than Solana’s Rust for building multi-million-dollar protocols.

    One week later, Ian said the Sunny dev felt rejuvenated after giving Move a go.

    “‘Feels like early Solana all over again.’”

    Pics Source: CoinDesk

    Leave a Reply

    Your email address will not be published. Required fields are marked *