Investigation: How a developer forged 11 identities to fake DeFi activity and promote the SOL bull market, and now targets Aptos

Posted by Danny Nelson and Tracy Wang via CoinDesk

To a cryptocurrency user known as Saint Eclectic, something about Sunny Aggregator seemed out of place.

Sunny was the latest decentralized finance (DeFi) app to rush to Solana during the blockchain’s red-hot bull run last summer, when its native token rallied fivefold. By early September, Sunny had been live for less than two weeks, yet billions of dollars in cryptocurrency had flooded the yield farm.

Still, Saint and others had questions: Who was behind Sunny? Why was its developer “Surya Khosla” a pseudonym? Was its codebase audited? Was users’ money safe?

“There was no indication of who Surya was,” Saint recalled recently, so many users “would feel uncomfortable” putting their cryptocurrencies in.

Their suspicions proved prescient.

CoinDesk learned who Surya is: Ian Macalinao, chief architect of Saber, a stablecoin exchange built on Solana. In turn, he built Sunny Aggregator on top of Saber.

This is just the top of the tower.

Ian, a computer expert in his 20s from Texas, masqueraded as 11 purportedly independent developers to build a vast network of on-chain DeFi protocols, projecting billions of dollars in double-counted value onto the Saber ecosystem. This temporarily inflated Solana’s total value locked (TVL) as the network was heading toward its peak last November. DeFi loyalists see TVL as a barometer of on-chain activity.

“I devised a scheme that maximizes Solana’s TVL: I will build protocols that stack on top of each other so a dollar can be counted multiple times,” Ian wrote in an unpublished blog post reviewed by CoinDesk. This blog post was prepared on March 26, three days after Cashio, one of Ian’s secretly built protocols, lost $52 million in a hack.

People close to the matter confirmed the authenticity of the draft.


Ian’s strategy worked for a while. According to his tally, Saber and Sunny accounted for $7.5 billion of Solana’s $10.5 billion TVL. (Billions of dollars were double-counted between his two protocols.)

“I believe it contributed to the sharp rise in the price of SOL,” Ian wrote of Solana’s native token reaching $188.

According to data provider DeFiLlama, even as the Saber ecosystem started to lose steam in mid-September 2021, the Solana network’s TVL continued to balloon, reaching $15 billion around November 9, by which time Saber’s TVL had fallen 64%.

Ian writes that he despises such “vanity metrics”; nonetheless, “it bothers me that Ethereum TVL is much higher than Solana” because, in his opinion, DeFi projects on Ethereum, DeFi’s largest blockchain, are also “stacked” on top of each other repeatedly.

“I wanted to create a system very similar to this,” he wrote. One problem: “TVL would be even more stupid as a metric if the same team built every protocol. So I created more anonymous profiles,” he wrote.

Ian disguised himself as 11 people, each behind a mask.

In public, Ian and his brother Dylan referred to their anonymous characters as “friends” or “friends of friends”. In the unpublished blog post, Ian wrote that their “Ship Capital” coding club was working on “a blueprint for my ideal DeFi ecosystem.” Saber and its so-called liquidity provider (LP) tokens anchored everything.

“An ecosystem doesn’t look real if it’s all built by a handful of people,” Ian wrote in his blog post. “I want it to look like a lot of people are building our protocol, rather than one person releasing 20+ disjoint programs.”

As Dylan put it on October 1, 2021, the Macalinaos wanted other crypto protocols to become so reliant on Saber that “its failure will bring down the entire system.” “By the way, this is the 200 IQ [Saber Labs] strategy, but very few people understand…”

The Macalinao brothers had no comment by press time.

“Sybil Attack”

There are valid reasons for taking refuge behind a false name. However, Ian’s sprawling cast of anons mounted something akin to a “Sybil attack”, abusing the trust of crypto users. (A Sybil attack is when computers in a network use false identities to gain disproportionate influence over the whole.)

“I’m revealing this because I’ll inevitably be found out,” Ian wrote in his never-published blog.

Instead, the Macalinaos released “Saber Public Goods” in May to spread the “Saber Team”’s prolific code throughout Solana. Eight of Ian’s 11 secret projects are there. The disclosure is silent about the anons and their owner. Sunny and Cashio, whose tokens imploded, do not appear either.

“My Anonymous Army”

Surya Khosla was the pseudonym Ian used when he created Sunny Aggregator. Surya appeared on Twitter in August 2021. Sunny skeptic Saint Eclectic was hesitant to deposit his LP tokens in the work of a mysterious figure with an AI-generated face.

There’s one factor in Surya’s favor: the Ian puppet claims to “know very well” the Dylan brothers in real life. On September 9 last year, Dylan Macalinao tweeted that he “felt reassured” to put his cryptocurrency into Sunny Aggregator. “We audited their code,” said Dylan, in his early 20s.

Dylan gave Surya the credibility he needed to win over skeptics like Saint.

The problem is, the lead developer “Surya Khosla” doesn’t exist. Dylan’s brother Ian founded Sunny Aggregator. Ian made up Surya.

This was the first time Ian toyed with a fake identity for Saber, and it was far from the last.

Ian wrote in March 2022 that he created 11 anonymous founders who “are actually me.”

Ship Capital had many “friends”: 0xGhostchain, who created Cashio; Goki Rajesh, the builder of multi-signature wallet Goki; Larry Jarry from mining rewards aggregator Quarry; “Master” Swaglioni from governance platform TribecaDAO; and of course Surya Khosla of Saber yield farm Sunny Aggregator.

These DeFi Lego bricks are the jewels of the Saber ecosystem. According to Ian’s blog, lesser-known protocols Crate (run by kiwipepper), aSOL (0xAurelion), Arrow (oliver_code), Traction.Market (0xIsaacNewton), Sencha (jjmatcha), and Venko App (ayyakovenko) round out the crown. He admits to creating the lot.

Make noise

Ian, Dylan, and the puppet anons constantly promoted Ship Capital’s work on social media.

They support peer releases and integrations, compliment their brother’s thinkfluencer tweets, and compliment each other for inspiring them to build on Solana. They even spread Ian’s self-referential meme.

Sometimes they get very philosophical. On Dec. 29, prolific Solana developer Armani Ferrante (a real person) tweeted, “If you’re not making mistakes, you’re too slow,” to which five Ian puppets responded within four minutes:

A doppelganger of Ian Macalinao quoted its owner on Twitter.

“As @simplyianm likes to say…it’s an experiment!” said @_kiwipepper, “herself” one of them.

Others danced around the truth. “Team size != Success,” Ian tweeted on December 7, 2021. “I’ll pay @larrinator01 and @0xGoki 10 times the market right now. Not that they need my money…” (Cue cheers from Ian’s Goki and Larry characters.)

Ian’s anons could be cheeky when outsiders questioned their legitimacy.

“I’m not a puppet,” Surya Khosla asserted on November 25. In early January, he joked about “fucking himself” to another developer as a reward for building on Sunny. Ian’s creation even tweeted a photo claiming to be visiting the Macalinao brothers in Los Angeles.

It’s impossible to know whether Ian himself operated the anons’ Twitter accounts after they sprang from his workbench. But two people who have worked with Ship Capital recall inexplicable behavior from its members. One character’s Telegram account would come online just after another character’s went offline.

Regardless, in the unpublished draft, Ian admits to pulling their strings where it mattered most: the codebase.

“If you’re a developer, it’s easy to find out what open source protocols I’ve written: there’s always a ‘flake.nix’ file that only I use.”

CoinDesk confirmed that many of the projects described in Ian’s blog contain “flake.nix” files.


To understand how the “anonymous army” injects double-counted value into Saber, 0xGhostchain’s Cashio project offers a compelling perspective.

Cashio’s CASH, which debuted near the peak of the crypto market last November, is billed as a “decentralized stablecoin” with a dollar-pegged cryptocurrency backed by “liquidity provider” tokens. (LP tokens are cryptographic assets that holders “stake” for additional yield. DeFi protocols issue them to users who lend out tokens to keep transactions running smoothly.)

Cashio only accepted Saber’s LP tokens as collateral. Not surprisingly, Saber, an “automated market maker” with over $1 billion in TVL at the time, was the primary DeFi trading venue for stablecoin pairs on Solana last November. (Saber’s current TVL is $90.6 million.)

Cashio relied on the Saber ecosystem projects created by Ian’s anons to generate revenue.

It started by packaging Saber LP tokens into a “tokenized basket” using Crate, which Ian built under the pseudonym “kiwipepper”. It sent these “crates” through a yield redirection platform called Arrow, which Ian built as “oliver_code”. In the end, Cashio said it made money by depositing derivatives of these deposits into “Surya’s” Sunny Aggregator and Quarry, which Ian built as “Larry Jarry.” Profits flowed into Cashio’s vault, which is managed by a Decentralized Autonomous Organization (DAO).

Confused? So were Cashio’s customers. CoinDesk asked two prominent Cashio users to explain the intricacies of the app; neither could. The app’s About page isn’t much help either.


Graph of deleted users created in Cashio’s Discord server on February 19

What users cared about: Cashio’s DeFi machine accepted their Saber LP tokens and spat out CASH tokens.

It was a lucrative deal. CASH holders could deposit their LP-backed stablecoins into the Sunny liquidity pool and get a 10%-30% return. One trader said that if they deposited Saber LP tokens into Sunny directly instead of going through Cashio, they would only get 5%-10%. It didn’t matter that the same crypto asset was behind both.

This is the logic of DeFi currency Lego bricks.

Re-depositing from Saber to Cashio to Crate to Arrow to Sunny or Quarry had a bigger impact on Saber. According to Ian, it clearly turns $1 of TVL into $6. Many DeFi projects measure their worth by advertising TVL, the total of user deposits.

“TVL only counts if the protocol is constructed separately,” Ian wrote, explaining why his anon-run protocols were made to appear separately built.
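The double counting described above, as an added sketch that is not from the article or from any of the protocols' code: one constructed dollar passes through the chain the article lists, and TVL is computed first with each pseudonym treated as a separate team, then with every protocol attributed to one operator. The token names and the straight-line deposit flow are simplifying assumptions; these five hops yield 5x, while the $6 figure is Ian's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Deposit:
    protocol: str            # protocol that holds (and reports) the deposit
    asset: str               # token deposited
    usd: float               # dollar value reported as TVL
    receipt: Optional[str]   # token minted back to the depositor, if any

# Constructed sample: one dollar routed through the chain the article lists.
# Token names are hypothetical; the flow is simplified to a straight line.
CHAIN = [
    Deposit("Saber",  "USDC",         1.0, "saber-lp"),
    Deposit("Cashio", "saber-lp",     1.0, "cashio-claim"),
    Deposit("Crate",  "cashio-claim", 1.0, "crate-token"),
    Deposit("Arrow",  "crate-token",  1.0, "arrow-token"),
    Deposit("Sunny",  "arrow-token",  1.0, None),
]

# Who appeared to run each protocol (names from the article) vs. who did.
AS_PRESENTED = {"Saber": "Ian Macalinao", "Cashio": "0xGhostchain",
                "Crate": "kiwipepper", "Arrow": "oliver_code",
                "Sunny": "Surya Khosla"}
ACTUAL = {name: "Ian Macalinao" for name in AS_PRESENTED}

def naive_tvl(deposits):
    """Sum every protocol's reported deposits, as a TVL leaderboard would."""
    return sum(d.usd for d in deposits)

def netted_tvl(deposits, operator_of):
    """TVL per operator, skipping deposits of a receipt token that the same
    operator's own protocol minted (that dollar was already counted once)."""
    issuer = {d.receipt: d.protocol for d in deposits if d.receipt}
    totals = defaultdict(float)
    for d in deposits:
        operator = operator_of[d.protocol]
        source = issuer.get(d.asset)
        if source is not None and operator_of[source] == operator:
            continue
        totals[operator] += d.usd
    return dict(totals)

if __name__ == "__main__":
    print("naive TVL:", naive_tvl(CHAIN))
    print("as presented:", netted_tvl(CHAIN, AS_PRESENTED))
    print("actual operator:", netted_tvl(CHAIN, ACTUAL))
```

With the pseudonyms taken at face value nothing is netted out, so the five "teams" together still report five dollars; attributing them to one operator collapses the figure to the single underlying dollar.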

According to TVL tracker DeFiLlama, Saber’s deposits peaked at $4.15 billion on September 11, 2021; its SBR token had reached 90 cents a few days earlier. Sunny Aggregator’s TVL also peaked on September 11 at $3.4 billion. Its SUNNY token briefly hit an all-time high of 18 cents the day before.

Both tokens are currently down 99%, according to data provider CoinGecko. Saber’s and Sunny’s TVLs have fared barely better: both have dropped over 96%.

Fallen angel

Cashio’s March 23 collapse in a $52 million hack was a severe setback for Ship Capital.

In the unpublished blog post, Ian said he was “working very hard to push people to put more stakes in Cashio” as he coded it. He apologized for their “catastrophic” loss in the protocol, which he created under a pseudonym and endorsed under his real identity.

In the unpublished post, Ian implored the hacker (a self-styled Robin Hood type who lashes out at American and European tycoons, or “fat cats”) to “consider returning the funds.” The hacker did later return $14 million of the $39 million demanded by hacking victims.

Ian wrote that if the hacker didn’t reimburse users in full, “I will do everything I can to reimburse affected individual users with my personal Saber and Sunny tokens. This won’t cover the full amount, but it’s all I have to offer.” He never delivered on that unpublished promise.

“The Barrier to Criticism”

Fake names are common in cryptocurrencies and are not in themselves evidence of wrongdoing. Thirteen years after Bitcoin’s debut, the true identity of its creator, Satoshi Nakamoto, remains unknown. Yet even after the recent brutal sell-off, BTC still holds a $442 billion market cap as the cryptocurrency bellwether.

However, according to the unpublished post, Ian wants “barriers to criticism”:

“I just want to focus on building and creating value in what I think is the best way to do things. I don’t want to deal with too much criticism until my idea is fully marketed, and anonymity is an easy way for me (and the protocols I’ve worked on) to keep a distance from that.”

According to Discord server logs, Ian arrived in Solana-land in October 2020, and it was not the first coding outing for the self-proclaimed “shipooor”. His GitHub commits date back more than a decade, and in late 2017 he made his crypto contributions public for the first time on the EOS project.

In early January 2021, on the Basis.Cash Discord, Ian discussed the token economics of stablecoins that he believed (correctly, as it turned out) were destined to lose their peg. There, he was “obsessed” with building a decentralized currency.

In the process, Ian’s post said, he attempted to “build a multi-protocol DeFi ecosystem,” but it ended in “criticism and ridicule” and failure. “Moving to Solana was a way for me to start over.”

Public statement

Who were these anonymous builders flocking to Saber? At the Solana conference in Lisbon, Portugal last year, Ian addressed this question during a panel discussion titled “From Zero to $2 Billion: How Saber Became the Largest DeFi Application on Solana.”

“We brought some friends and basically built and developed the ecosystem on top of Saber,” Ian told Chris McCann of Race Capital, Saber’s biggest venture capital (VC) backer.

One “friend” project was Sunny. Another was the tokenized-basket protocol Crate, from Ian’s alias kiwipepper.

“But that guy also has, like a lot of friends they know,” Ian told the audience. He claimed that one of the friends founded Cashio, a stablecoin project backed by Saber LP tokens to provide liquidity to Sunny Aggregator.

“We can facilitate [CASH] to provide Saber with more liquidity,” he said on stage.

In a brief interview with CoinDesk on Thursday, McCann said he was unaware of Ian’s close relationship with Cashio.

“He always mentions that someone else created it, but I don’t know who the others are and I haven’t met them.”

Ian’s unpublished blog reveals Cashio’s true origins. Coding as 0xGhostchain, Ian finished an example of a Saber LP-backed stablecoin ahead of Breakpoint, the largest developer gathering ever in the Solana ecosystem. He wrote that he wanted others to imitate Cashio. Every protocol that mimicked its reliance on Saber LP tokens would become a liquidity faucet, flooding more TVL into Saber, then at $1.7 billion.

“That’s part of the reason the code is insecure, it’s hitting a deadline,” he wrote on March 26, after a hacker swindled Cashio’s unaudited smart contracts with fake collateral, causing a $52 million loss.

Cashio’s Discord community, where enthusiastic users roamed, may have considered the CASH code safe. After all, Ian told them on November 23: “I audited it myself”. He posted something similar to Crypto Twitter on March 23, the day of the exploit: “I didn’t audit Cashio as carefully as I should.”

Both of these claims contradict what Ian wrote in his unpublished letter: “I did not let anyone else see the code, including auditors. I should not have done that.”


Reply to Ian Macalinao’s tweet… he later deleted

Moving on to Aptos?

“Ultimately having real developers building projects has always been our goal,” Ian wrote in an unpublished blog post.

On July 23, the brothers began attracting external developers to Saber through the DAO Accelerator Program. Its application form asks: “How will your protocol be deeply integrated with the Saber protocol to improve Saber’s transaction volume/TVL/capital efficiency?”

The effort comes as the brothers switch from Solana to Aptos, an up-and-coming blockchain, porting Saber with them. A number of Solana developers are following suit, one venture capitalist said. The Macalinaos are making a bet: They run a VC anchored in Aptos, three sources said. Their VC is called Protagonist. Its old name was “Ship Capital”.

Seven Saber ecosystem users told CoinDesk they felt abandoned by the Macalinao brothers. Some lost money on CASH tokens (the erstwhile stablecoin went to zero). Others said their cryptocurrencies were trapped in a derivative token issued by Sunny. One anonymous user, Brad_Garlic_Bread, said he lost about $300,000 on Sunny and Saber — “there are a lot of people worse than me.”

Brad_Garlic_Bread said the community thought Ian was running the show “but no one knew for sure”.

He’s still trying to get Ian’s attention. On July 16, Brad asked Ian if he could “masquerade as Surya for a day” to help investors in Sunny Aggregator recover their locked tokens. Ian answered questions in the Saber Discord; he skipped Brad’s.

Other SUNNY token holders asked Ian about the future development of the yield aggregator. Saber is migrating to Aptos – will Sunny do the same? They asked what happened to Sunny’s lead developer.

“Major Sunny dev burnt after losing most of his savings in Cashio hack,” Ian said on July 16. He said he would “encourage” the disillusioned dev to rebuild Sunny with Move. Ian says it’s a safer coding language than Solana’s Rust, which is used to build multimillion-dollar protocols.

A week later, Ian said the Sunny developers felt rejuvenated after trying Move.

“‘It feels like the early Solana.'”

Posted by:CoinYuppie,Reprinted with attribution to: