Here’s the story of how a developer faked an entire DeFi Ecosystem

• Here’s a look into how a Solana-based DeFi app inflated the total value locked through double-counted value.
• Complete details of how Ian Macalinao and his brother pulled off an entire suspicious DeFi ecosystem behind Cashio.

During the bulls market of the 2021 summer, decentralized finance (DeFi) application Sunny launched on the Solana blockchain network with its native token skyrocketing instantly. Within two weeks of launch, billions of dollars were already flowing into this yield farm.

However, questions remained pertaining to the DeFi app Sunny’s pseudonymous developer “Surya Khosla”. As per CoinDesk’s investigation, Ian Macalinao, the chief architect of Solana-based stablecoin Saber was the real person behind the pseudonymous identity. He had built the Sunny Aggregator DeFi app atop Saber.

The 20-year-old Ian Macalinao worked as the single brain behind 11 purportedly independent developers. Furthermore, he created a large web of DeFi protocols to project that billions of dollars in double-counted value were flowing into the Saber ecosystem.

This literally inflated the total-value-locked (TVL) on the Solana blockchain network. TVL serves as a major barometer for representing on-chain activity in the DeFi space. In a never-published purported blog post written on March 26, Ian wrote:

I devised a scheme to maximize Solana’s TVL: I would build protocols that stack on top of each other, such that a dollar could be counted several times.

CoinDesk has confirmed the authenticity of the blog post from people familiar with the matter. Ian’s ploy also worked for a while with Sunny and Saber alone contributing 75 percent of Solana’s $10.5 billion TVL at their peak. During this period, Sollana native crypto SOL was trading at $188. “I believe it contributed to the dramatic rise of SOL,” wrote Ian.

How Did Ian Pull This off?

Although Ian believed TVL to be a vanity metric, he said that it always bothered him why Ethereum’s TVL was so high. He believed that DeFi projects on Ethereum are “stacked” to double-count deposits. Ian wrote: “I wanted to create a system very similar to this. If the same team built each protocol, TVL would be more silly as a metric. Thus I created more anonymous profiles”.

In the unpublished blog post, Ian wrote that he and his developer brother took the help of several friends. Their own coder club dubbed “Ship Capital” was laying the “blueprints for my ideal DeFi ecosystem”. On the other hand, Saber and its liquidity provider tokens anchored everything. In his blog post, Ian wrote:

If an ecosystem is all built by a few people, it does not look as authentic. I wanted to make it look like a lot of people were building on our protocol, rather than ship 20+ disjoint[ed]programs as one person.

Ian and Dylan Macalinaos wanted other protocols to become so much dependent on Saber that “its failure would lead to the entire system going down”.

Hiding behind his pseudonymous identity, Ian and his anons conducted something similar to a “Sybil attack”. This is a kind of attack where a computer uses bogus identities to gain disproportionate influence. “I am revealing this because it is inevitable that I will be found out,” wrote Ian.

Ian’s Army of Anons

As the CoinDesk investigation explains, Ian popped on Twitter in August 2021 with his pseudonymous identity as Surya Khosla. Cryptocurrency user known as Saint Eclectic said that he felt hesitant to put his money.

However, Ian’s (Surya Khosla) reputation-building measures turned in favor of him. In September, Ian’s brother Dylan Macalinao tweeted that he knew Surya pretty well in real life. He also tweeted that he felt comfortable with putting his own money in the Sunny Aggregator. Dylan wrote:

Have chatted with team and we audited their code. Obviously still risks like any DeFi project, but I feel comfortable staking my own crypto in their project.

Dylan lent credibility to Surya Khosla who didn’t exist to win over skeptics. Earlier in March 2022, Ian said he created 11 ”anonymous founders that are actually me”. As CoinDesk explains:

Ship Capital had many “friends”: 0xGhostchain, who created Cashio; Goki Rajesh, builder of multi-signature wallet Goki; Larry Jarry from mining rewards aggregator Quarry; Swaglioni, the “grandmaster” of governance platform TribecaDAO; and of course Surya Khosla from Sunny Aggregator, Saber’s yield farm.

These DeFi players served as jewels of the Saber ecosystem. Ian has himself admitted to creating this entire lot. Ian, Dylan, and their army of Anons strongly promoted Ship Capital’s work on social media.

Apart from crediting each other in the public eye, Ian and Dylan literally shilled their counterparts’ launches and integrations. Later on December 7, 2021, Ian tweeted: “Team size =! Success. I would pay @larrinator01 and @0xGoki 10x market rate in a heartbeat. Not that they need my mon”.

It is quite impossible to know how Ian managed to pull off the identities of his team of anons. In his unpublished blog post, Ian admitted to pulling their strings when it mattered the most. “If you are a developer, it is very easy to find out which open source protocols were written by me: there is always a ‘flake.nix’ file that only I use,” he wrote.

A better understanding of Ian’s actions

To understand how Ian’s “army of anons” pumped the double-counted value into Saber, let’s take a look into 0xGhostchain’s Cashio project. Unveiled during the crypto market peak of November 2021, Cashio unveiled its “decentralized stablecoin” CASH whose dollar-pegged cryptocurrencies were pegged by “liquidity provider” tokens.

LPs are nothing but a type of crypto asset staked by holders to earn extra yields. Interestingly, Cashio accepted LP tokens only from Saber, in form of collaterals. Back in November, Saber functioned like an “automated market maker” with over $1 billion in total value locked. It also served as a major DeFi trading venue for stablecoin pairs on Solana.

To generate yields, Cashio relied on Saber ecosystem projects created by Ian and his dummy teams. As CoinDesk explains:

It first packaged Saber LP tokens into “tokenized baskets” using Crate, which Ian built under the pseudonym “kiwipepper.” It sent those “crates” through a yield redirection platform called Arrow – Ian built this as “oliver_code.”

Finally, Cashio said it earned yield by staking these deposit derivatives in “Surya’s” Sunny Aggregator as well as Quarry, which Ian built as “Larry Jarry.” Profits flowed to Cashio’s treasury, managed by a decentralized autonomous organization (DAO).

For many users, Cashio accepting the Saber LP tokens in return of the CASH tokens, was a lucrative trade. This is because CASH holders could further deposit their LP-backed stablecoins into Sunny liquidity pools and earn 10-30% returns on it.

Instead, had they depsotied the Saber LP tokens into Sunny, they would have earned only 5-10% returns. As per CoinDesk report, users were just ramming deposits from Saber-to-Cashio-to-Crate-to-Arrow-to-Sunny-or-Quarry. As per Ian, this process turned $1 of total-value-locked into $6. “TVL can only count if protocols are built separately,” he said as a reason behind why all of these protocols appeared to be built separately.

By mid-September, Saber’s deposits peaked at $4.15 billion. Similarly, the total value locked on Sunny’s Aggregator app at $3.4 billion. During this period both the native tokens SBR and SUNNY were trading at their all-time highs. However, since then, both the tokens have plummeted by more than 95%.

Massive investors’ losses

The implosion of Cashipo earlier in March 2022 led to a $52 million loss of investors’ funds. In his unpublished blog, Ian has apologized for the “catastrophic” loss and said that he “pushed very hard for people to stake more into Cashio”. He also begged the hacker “to consider returning the funds”. However, the hacker released $14 million upon the request of the hacked victims.

Ian also wrote that if the hacker doesn’t pay back in full, “I will do what I can to repay affected personal users in my personal Saber and Sunny tokens. This won’t cover the full amount, but it’s all I have to offer.”