Good morning, cryptofam! I don’t get to write about other blockchains very often, but Solana has been going through some rough times this week on multiple fronts, and I wanted to summarize everything that’s happened. But before we jump into that, I wanted to talk about the upcoming Philippine Web3 Festival that YGG and BlockchainSpace are presenting this November. I’ve attended enough Consensuses, Collisions, Rises, Fintech Festivals, and whatnot to last me a lifetime, and have long dreamed of a massive crypto-focused event right here in the Philippines. Well, 2022 is when that dream finally comes true, and it’s going to be an absolutely epic week mashing up the brightest minds in crypto from everywhere in the world. We’ll be launching the official website this coming week, but for now please follow the official Festival account @phweb3festival on Twitter for updates!
And now, back to Solana. We woke up on Wednesday morning with news of an ongoing attack on Solana wallets, which was somehow draining them of all their funds without the owners’ knowledge. These wallets were all on-chain and non-custodial, and included wallet apps like Phantom, Slope, and TrustWallet. (In plain English: there was no central corporation holding funds for customers; these accounts were all secured directly by the Solana blockchain. The implication is that, once funds have been lost, they’re nearly impossible to get back.) The transactions were all legitimately signed, meaning that the hackers had access to the all-important seed phrases of each of these wallets. Over 8,000 wallets were hit, and an estimated $8M in personal funds were stolen. I did a video on the YGG Pilipinas FB page explaining the situation and advising users to temporarily move their funds to a centralized exchange while the situation is being investigated.
The Solana Labs CEO theorized that the vulnerability was specific to the iOS versions of the wallets in question. By the second day of the attack, the estimated figure of lost funds had been lowered to $4.5M, but now the blame was being pinned primarily on a possible software exploit within the Slope wallet. There’s now an official statement on the Slope blog regarding the breach that neither confirms nor denies their culpability. They have, however, offered a 10% bounty to anyone who returns the lost funds of their users. There’s a fairly technical thread from OtterSec that points to an odd vulnerability within Slope’s code, for those who want to jump down the rabbit hole.
We have become so desensitized to hacking incidents in the crypto world that anything below $100M in losses seems to not be all that interesting anymore. Solana’s price barely registered a 3% dip at the peak of the conversations about the hack. While the Solana wallet attack was ongoing, a protocol called Nomad reported the loss of $190M from their bridge. The Nomad Bridge allows users to jump from one blockchain to another, going from Ethereum to Avalanche, for example. It’s a similar concept to Axie Infinity’s Ronin Bridge, which allowed users to move their AXS and SLP to and from Ethereum. Earlier this year, Ethereum creator Vitalik Buterin warned of the vulnerabilities of these bridges, although his explanations were characteristically abstract and conceptual. In the end, both Nomad and Ronin bridges fell to plain old human error, with Nomad’s collapse being due to a faulty software update, and Ronin being hacked via social engineering.
But that’s not all that happened to Solana this week! In what I believe might be the story of the year, it was revealed that prominent Solana DeFi developers Ian and Dylan Macalinao were using fake identities to inflate the value of their projects as well as, possibly, Solana itself. How prominent were these brothers exactly? Just last month, Coindesk featured their new $100M VC fund, dubbed Protagonist, that had recently launched in Miami. Ironically, it was also Coindesk that broke the story about the brothers’ cluster of fake identities. I highly recommend reading the full piece here, but the gist is this: the brothers built various Solana projects using fake identities, and then used those projects to support each other (both financially and reputationally), which created a mirage of bustling ecosystem activities. In reality, all that activity was being orchestrated by the same two people.
The Macalinao projects accounted for nearly 70% of all the TVL (total value locked) on Solana during the peak of its popularity. TVL is a metric that a lot of big-picture analysts use to estimate the popularity of a given blockchain. We do the same thing in traditional finance when we compare the total deposited amounts of various banks to get a sense of their relative sizes. Unfortunately, it looks like Solana’s TVL (and at least some of its meteoric growth in 2021) was being massively inflated by the actions of just two extremely prolific siblings. Although it’s impossible now to estimate exactly how big their impact was back then, there’s a part of me that is incredibly impressed by how sneaky they were. There were staged Twitter conversations between their various identities to make it appear that everyone was excited to collaborate; these projects became worth tens, if not hundreds, of millions of dollars as a result.
Perhaps most damagingly, the Macalinaos launched a project called Cashio that was built by one of their fake identities, and then was audited by their real identities. No auditing actually took place, but users began pouring their funds into Cashio due to the Macalinaos’ vote of confidence in the project. It was eventually hacked and lost $52M in customer funds. All of the platforms and apps that the Macalinao brothers touched (and I assume their just-launched venture fund) are now being scrutinized, such that many of them are now defensively tweeting, “We are not Ian Macalinao.”
Have a safe weekend, cryptofam!