Master of Anons: How a Crypto Developer Faked a DeFi Ecosystem

By August 4, 2022DeFi
Click here to view original web page at
CoinDesk - Unknown
Ian Macalinao is one half of the Saber brothers (Danny Nelson/CoinDesk)

Sunny was the newest decentralized finance (DeFi) app to hit Solana during that blockchain’s scorching bull run last summer, when its native token jumped fivefold. Sunny was barely two weeks old by early September, but billions of dollars in crypto were flooding this yield farm.

Still, Saint and others had questions: Who was behind Sunny? Why was its developer, one “Surya Khosla,” pseudonymous? Was its codebase audited? Would users’ cash be safe?

“There was no indication of who Surya was,” Saint recalled recently, “so many users didn’t feel comfortable” putting their crypto in.

Coding as 11 purportedly independent developers, Ian, a 20-something computer wiz from Texas, created a vast web of interlocking DeFi protocols that projected billions of dollars of double-counted value onto the Saber ecosystem. That temporarily inflated the total value locked (TVL) on Solana, as the network was racing toward its zenith last November. The DeFi faithful regard TVL as a barometer for on-chain activity.

“I devised a scheme to maximize Solana’s TVL: I would build protocols that stack on top of each other, such that a dollar could be counted several times,” Ian wrote in a never-published blog post reviewed by CoinDesk. The blog post was prepared on March 26, three days after Cashio, one of Ian’s secretly built protocols, lost $52 million in a hack.

Ian’s ploy worked for a while. By his count, Saber and Sunny comprised $7.5 billion of Solana’s $10.5 billion TVL at their peak. (Billions of those dollars were double-counted between his two protocols.)

Solana network’s TVL continued to swell even after the Saber ecosystem began losing steam in mid-September 2021, topping at $15 billion around Nov. 9, according to data provider DeFiLlama, while Saber’s TVL had by then dropped 64%.

Ian wrote he disdained this “vanity metric”; nonetheless, “it bothered me that Ethereum TVL was so much higher” than Solana’s, because in his view, DeFi projects on Ethereum – the largest blockchain for DeFi – are “stacked” to double-count deposits.

“I wanted to create a system very similar to this,” he wrote. One problem: “If the same team built each protocol, TVL would be more silly as a metric. Thus I created more anonymous profiles,” he wrote.

In public, Ian and his brother Dylan called their anonymous personas “friends,” or “friends of friends.” Their “Ship Capital” coder club was laying the “blueprints for my ideal DeFi ecosystem,” Ian wrote in the unpublished blog. Saber and its so-called liquidity provider (LP) tokens anchored everything.

“If an ecosystem is all built by a few people, it does not look as authentic,” Ian wrote in his blog post. “I wanted to make it look like a lot of people were building on our protocol, rather than ship 20+ disjoint[ed] programs as one person.”

The Macalinaos wanted other crypto protocols to become so dependent on Saber that “its failure would lead to the entire system going down,” as Dylan phrased it on Oct. 1, 2021. “Btw this is the 200 IQ [Saber Labs] strategy, but few understand…”

There are valid reasons to seek shelter in pseudonyms. Ian’s weaponized “anons,” however, mounted something akin to a “Sybil attack” abusing crypto users’ trust. (A Sybil attack is when a computer in a network uses bogus identities to gain disproportionate influence over the whole.)

Instead, the Macalinaos in May published “Saber Public Goods” to propagate the “Saber team’s” prolific code across Solana. Eight of Ian’s 11 secret projects appear there. Their disclosure is mum on the anons and their master. Sunny and Cashio, whose tokens imploded, don’t show up, either.

Surya Khosla was Ian’s moniker when building Sunny Aggregator. Surya popped onto Twitter in August 2021. Saint Eclectic, the Sunny skeptic, hesitated to deposit his LP tokens in the work of this mysterious character, an anon with an artificial intelligence-generated face.

One factor swung in Surya’s favor: The Ian puppet claimed to know brother Dylan “pretty well in real life.” On Sept. 9 of last year, Dylan Macalinao tweeted he “felt comfortable” putting his own crypto into Sunny Aggregator. “We audited their code,” Dylan, who is in his early 20s, said.

CoinDesk - Unknown
One of Ian Macalinao's experiments quotes its master on Twitter.

“I’m no puppet,” Surya Khosla asserted on Nov. 25. In early January he joked of “doxxing myself” to another developer as a reward for building atop Sunny; Ian’s creation even tweeted a photo that purported to show himself visiting the Macalinao brothers in Los Angeles.

It's impossible to know whether Ian puppeteered his anons’ Twitters after springing them from his workbench. But two people who have worked with Ship Capital recalled the inexplicable behavior of its crew. One persona’s Telegram account would come online after another logged off.

Unveiled last November near the crypto market peak, Cashio’s CASH was billed as a “decentralized stablecoin” whose dollar-pegged cryptocurrencies were backed by “liquidity provider” tokens. (LP tokens are a type of crypto asset that holders “stake” to earn extra yield. DeFi protocols issue them to users whose loaned tokens keep trades moving smoothly.)

Cashio accepted only LP tokens from Saber as collateral. That wasn’t overly strange last November, when Saber, an “automated market maker” with over $1 billion in TVL, was a major DeFi trading venue for stablecoin pairs on Solana. (Saber’s current TVL is $90.6 million.)

It first packaged Saber LP tokens into “tokenized baskets” using Crate, which Ian built under the pseudonym “kiwipepper.” It sent those “crates” through a yield redirection platform called Arrow – Ian built this as “oliver_code.” Finally, Cashio said it earned yield by staking these deposit derivatives in “Surya’s” Sunny Aggregator as well as Quarry, which Ian built as “Larry Jarry.” Profits flowed to Cashio’s treasury, managed by a decentralized autonomous organization (DAO).

Confused? Cashio’s customers were. CoinDesk asked two high-profile users of Cashio to explain the app’s convoluted process; neither could. The app’s “about” page didn’t help much, either.

CoinDesk - Unknown
Chart a deleted user made in Cashio's Discord server, 2/19/22

It was a lucrative trade. CASH holders could deposit their LP-backed stablecoins into Sunny liquidity pools and earn returns of 10%-30%. Had they deposited Saber LP tokens into Sunny instead of Cashio, they would get just 5%-10%, one trader said. It didn’t matter that the same crypto asset was behind both.

According to TVL tracker DeFiLlama, Saber’s deposits peaked at $4.15 billion on Sept. 11 2021; its flagship SBR token had topped out at 90 cents days earlier. Sunny Aggregator’s TVL also peaked on Sept. 11, at $3.4 billion. Its SUNNY token had flirted with an all-time-high of 18 cents one day before.

Ian said in the unpublished blog that he “pushed very hard for people to stake more into Cashio,” because he wrote its code. He apologized for their “catastrophic” losses in a protocol that he created using a pseudonym and endorsed under his true identity.

Pseudonymity is widespread in crypto, and not in itself evidence of wrongdoing. Thirteen years after bitcoin’s debut, the true identity of its creator, Satoshi Nakamoto, remains unknown. Yet even after a recent brutal sell-off, the bellwether cryptocurrency boasts a $442 billion market capitalization.

Ian’s arrival in Solanaland in October 2020, according to Discord server logs, was hardly the self-proclaimed “shipooor’s” first code rodeo. His GitHub commit history stretches back over a decade, with the first public crypto contribution, on an EOS project, in late 2017.

Who were these anonymous buildings flocking to Saber? Ian grappled with the question at last year’s Solana conference in Lisbon, Portugal, during a panel called “From Zero to $2 Billion: How Saber Became the Biggest DeFi App on Solana.”

Ian’s unpublished blog reveals Cashio’s true origin. Coding as 0xGhostchain, Ian rushed to complete an exemplar of Saber LP-backed stablecoins in time for Breakpoint, the Solana ecosystem’s biggest-ever gathering of fellow developers. Ian wanted others to copy Cashio, he wrote. Each protocol that parroted its dependence on Saber LP tokens would become a liquidity spigot gushing yet more TVL into the $1.7 billion mothership.

“This is part of why the code was insecure, it was rushed for this deadline,” he wrote on March 26, after a hacker had spoofed Cashio’s unaudited smart contracts with fake collateral, draining it of $52 million.

Cashio’s Discord community – where passionate users roam – likely believed the CASH code was safe. After all, Ian told them on Nov. 23: “I personally audited” it. He pitched a similar yarn to crypto Twitter on March 23, the day of the exploit: “I did not audit Cashio as closely as I should have.”

CoinDesk - Unknown
A reply to a tweet by Ian Macalinao...
CoinDesk - Unknown

...that he later deleted

On July 23, the brothers started wooing external developers to Saber with a “DAO accelerator program.” Its application form asks: “How will your protocol deeply integrate with the Saber Protocol thereby increasing Saber's volume/TVL/capital efficiency?”

That effort comes as the brothers cast off from Solana for Aptos, an up-and-coming blockchain – porting Saber with them. Many Solana developers are in tow, a venture capital source said. The Macalinaos are betting on it: they helm a VC that’s anchored in Aptos, three sources said. Their VC is called Protagonist. Its old name was “Ship Capital.”

Seven Saber ecosystem users told CoinDesk they felt abandoned by the Macalinao brothers. Some lost money in CASH tokens (the erstwhile stablecoin went to zero). Others say their crypto is stuck in derivative tokens issued by Sunny. One pseudonymous user, Brad_Garlic_Bread, said he lost around $300,000 across Sunny and Saber – “there's a lot of people worse off than me.”

By signing up, you will receive emails about CoinDesk product updates, events and marketing and you agree to our terms of services and privacy policy.

View All Prices

All Today's Crypto News In One Place