West Bangal, India - February 4, 2022 : Solana logo on phone screen stock image. — Stock Editorial Photography

Solana’s DeFi ecosystem was totally fake—This is why identity matters

Several days back, a bombshell report by CoinDesk revealed that two brothers had used multiple pseudonymous accounts to fake an entire DeFi ecosystem on Solana.

It’s an important lesson on the need for identity to be linked to large transactions and for proper rules and regulations to be applied to the corrupt DeFi ecosystem.

What happened? How did two brothers fake $7.5 billion of DeFi TVL?

According to a written confession by one of the brothers behind the scheme, he and his brother spun up 11 fake developer accounts to make it look like organic development was occurring within the Solana DeFi ecosystem.

In reality, all of the so-called dev accounts, complete with Twitter profiles that would interact and talk to one another and the protocols themselves, were run by Ian and Dylan Macalinao from Texas. 

The pair coded several different DeFi protocols, linking them together in such a way that every dollar deposited would be counted multiple times, causing the apparent Total Value Locked (TVL) within the ecosystem to swell dramatically. At its peak, the scheme represented around 75% of the TVL in the Solana DeFi ecosystem—close to $7.5 billion.

In his confession, which he wrote but never published when one of the protocols was hacked for $52 million, Ian Macalinao explained that he believed Ethereum DeFi protocols were designed to count every dollar more than once, so he had the idea to build something similar on Solana. The Texan said he believes that this scheme played no small part in the SOL tokens’ massive rise to $188 at its peak in 2021.

Another lesson on the need for identity and regulations when dealing with money

There are no doubt times when anonymity and pseudonymity are necessary: dissident journalists, whistleblowers, and many others rely on their identities remaining hidden to survive and continue doing what they do.

However, when it comes to money, and particularly large sums of it, it’s a different story. In this case, everyone deserves privacy, but traceability and the ability to link transactions to real identities are crucial. So is fiduciary responsibility. It’s what stops schemes like the one cooked up by the Macalinao brothers from occurring, and it’s why regulations have evolved the way they have in the traditional financial sector.

Think about how ridiculous this story really is; two brothers, having cottoned on to what’s really happening in DeFi on Ethereum, literally faked $7.5 billion of TVL, tricking innocent people from all over the world to have confidence in an ecosystem almost entirely of their design, leading to the real loss of tens of millions of dollars. All of this was only possible because there was no way to link the activities of the so-called developers to the two brothers earlier.

From the protocols spun up under different developer names to give the appearance of organic ecosystem growth to the fake social media interactions and debates to lure in unsuspecting punters and make it all seem more real, all of it could have been prevented if the brothers knew that someone, somewhere, could discover who they were. For example, if protocol developers had to publicly verify who they are and shoulder fiduciary responsibilities, then the brothers would never have started their scheme in the first place. This would also go a long way to preventing the all-too-common “rug pulls” plaguing the industry.

The entire story speaks to how ridiculous the dream of an anonymous, supposedly decentralized financial system is. Anonymity makes it too easy for scammers like the Macalinao brothers to do whatever they want with dire consequences for others.

Yet another Sybil attack in the digital currency industry

For those who don’t know, what the Macalinaos did was a type of Sybil attack. It’s defined by Imperva as follows:

​​”A Sybil attack uses a single node to operate many active fake identities (or Sybil identities) simultaneously, within a peer-to-peer network. This type of attack aims to undermine the authority or power in a reputable system by gaining the majority of influence in the network.”

Sybil attacks of various kinds are all too common in the digital currency industry. On Twitter, it’s well known that small groups of individuals control mass numbers of accounts to harass supporters of Dr. Craig Wright and Bitcoin SV, and huge swathes of bot accounts were used to generate a fake consensus around small blocks during the Bitcoin civil war.

Now that we have verified evidence of how easy it really is, everyone in the industry should be wondering who else is out there operating multiple anonymous accounts, pretending to be different people when they are, in fact, a small group with an agenda. Bright minds should also consider whether the alleged 10,000+ anonymous nodes on the BTC network might be controlled by a similar small group and what that would mean for the so-called decentralization of that system. The problem is, without identity, there’s just no way to know who’s in control of what.

While it’s too late to turn back the clock and prevent the Macalinao brothers from doing what they did on Solana, it’s not too late to prevent similar scenarios from arising in the future. The only way to do so is to hold people accountable by knowing who they are. If any of this is going to become anything other than a giant failed experiment, identity and the trust it breeds will have to play a central role.

Follow CoinGeek’s Crypto Crime Cartel series, which delves into the stream of groups from BitMEX to BinanceBitcoin.comBlockstreamShapeShiftCoinbaseRipple,
EthereumFTX and Tether—who have co-opted the digital asset revolution and turned the industry into a minefield for naïve (and even experienced) players in the market.

New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.

[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]
[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]