SolFire — The $4m+ Crypto Rug Pull Promoted by Trusted Solana Projects

SolFire was a DeFi project on Solana promoted by many trusted crypto projects including ProjectLarix, Slope, PsyOptions, Solana Daily and more. They had their own emission token, various call/put strategies and impressive yields. After a couple of weeks of being up and running, delivering new features and engaging with its community, they accumulated ~4 million USD and transferred nearly everything out of the contract.

SolFire Rug
Jan 25, 2022

An Overview

SolFire was an elaborate scheme to defraud investors. They started with over $500k of initial liquidity and investment. They had their own emission token and program. They claimed to be built on ProjectLarix and PsyOptions and were promoted by both of those projects. Slope, a very popular mobile wallet for Solana, tweeted that they had partnered with SolFire, added the SolFire dApp to the Slope mobile wallet, and did an extensive and elaborate AMA with them as well. They integrated with DeFi Llama, Defiyield and others. They received partnerships and retweets from many well-known and trusted Solana projects. From the limited research done so far, they walked away with at least 4m USD (TVL was over 12m so it could be more) and there is an additional 500k USD still in Solana wallets.

This was no ordinary rug pull.

The Setup

The $500k+ initial funding of the project came through this wallet https://solscan.io/account/95GzJxVLG5TBwiWvbYmcHkTj1zy1s2LisPKtPszf1EoL#splTransfers through the Wormhole bridge with these two transactions:

  1. https://solscan.io/tx/5sawyEGSagthVBUvnBMTLqAxbqsTHUUNoKACbSpreb5G5mzARye2DzoPw88A6M797BV6913cgvuZAa7M1nTvWNg
  2. https://solscan.io/tx/29SVHFZBt5Fw6ETEvhbH1x51fsadH43eFmAKV9avkZ2kwH3bXinJDRpC8FyiWmd4ugfQF6mZGMK5N5kXvTRM4rR4

The first 300,000 USDC was added to the LP on Jan 4 2022: https://solscan.io/tx/5J3XhQnStSsv3oq8R8ASiZQA6ZkTXsUoXvDoZT1aBqU7eZLiKRXwsRxJXcBuT5AfhdBckb2Uk9AmNVwVfhqZMnCL

Shortly after, some funds were transferred to other wallets, including https://solscan.io/account/H1A6ViUjVKfDWPd14QxrJEtaxhNBKPB31tZEgJxNoLdX, which added another 226,573 USDC to the LP.

The Promotion

ProjectLarix

ProjectLarix, "the first Metaverse based Finance Protocol on Solana" with over 200m+ TVL, announced the partnership with SolFire on January 4th, before the launch.

They retweeted several posts from SolFire as well.

They later deleted all tweets and posts about SolFire.

PsyOptions

PsyOptions is an American style options protocol built on the Solana blockchain. They have over 30m TVL and promoted SolFire on Jan 7th. In a series of tweets promoting DeFi products (including Katana, Friktion, Chest, & Tap Refinance) built on their platform, they wrote a tweet about SolFire (since deleted):

They later stated on Jan 19th that they don’t have a direct affiliation with the project.

Slope

Slope, a popular mobile Solana wallet, did a very detailed and convincing AMA with SolFire including a (likely fake) dox (since deleted):

https://web.archive.org/web/20220114134618/https://slope-finance.medium.com/slope-x-solfire-ama-recap-c5990cea3a0e

They also announced a partnership with SolFire:

They even did a promotion and gave out prizes:

In addition, they added an integration with the SolFire dApp in their mobile app. They have since deleted all mention of SolFire from their tweets and Medium page.

Solana Daily

Solana Daily created/provided this detailed and beautiful infographic:

They also promoted SolFire the day before the rug:

Solana List

Solana Nerd

DEFIYIELD

DeFi Llama

SolFire was also listed on DeFi Llama, CoinMarketCap and CoinGecko.

Should these projects hold some responsibility? We always hear the phrase DYOR, but perhaps these projects should DYOR before promoting a scam. Part of investment research is hearing what trusted projects are saying about the project, and all signs pointed to legit from them. IANASD (I am not a Solana developer), but after spending just a couple hours reviewing the transaction history, SolFire didn’t appear to be using the PsyOptions or Larix platform for investment options. Did anyone review the source or test transactions prior to making statements about partnerships?

Is there some larger conspiracy here? Could any of these projects be complicit in the scam? Not likely, but it’s not exactly clear that they aren’t either. How can I knowingly invest in the other new projects promoted by PsyOptions, Larix, Slope, Solana Daily or others?

Several users were even banned from the Slope Telegram for asking about the partnership after the rug. All the projects are just silently deleting posts and tweets about SolFire without even acknowledging or taking any responsibility for this rug pull.

The Project

SolFire was sophisticated and had several layers of complexity. They had an emission token and offered several investment options that appeared legit, especially considering the stated partnership with ProjectLarix and PsyOptions. The technical expertise to execute a project of this scale would require a deep understanding of the Solana framework and DeFi.

Throughout the few weeks of the project, SolFire released new vaults and features, fixed bugs, improved the UI, and added more info about their upcoming (bogus) NFT platform. They announced more partnerships and even CEX listings. They even switched their RPC implementation to Genesys Go.

From the surface, and with all the promotions, SolFire looked like a good project.

The Pump

Throughout the short lifetime of the project, the SolFire token increased in value from 0.02 USDC to over 0.10 USDC, encouraging more people to hodl the coin in their FIRE vault.

There is an account funded by the initial wallet 95Gz as well as through the vaults: https://solscan.io/account/B3WCDRpBJ41MUbQHzPzhEDu51d4TKJqwXAeRjcDsjWbq#splTransfer

This wallet would periodically get transfers from the main 4QSQ SolFire wallet, sell those assets and buy FIRE tokens, artificially driving the price of FIRE up.

SolFire devs were buying their own token with the funds people were adding to the vaults to inflate the price.

The Steal

At approximately 03:45 UTC January 23rd 2022, the steal started.

Here you can see the main wallet go from 8.6m to 64k in 1 day.

https://sonar.watch/dashboard/4QSQiBquEZXhLJNHNR6CjKEFWkgmtfcbTjdqHZgZErLn

Another internet user put together a detailed trace of the wallets and funds transferred, which is largely just copied and pasted below with updated formatting. The original is linked here: https://docs.google.com/document/d/1qAhLCxoLcD8PxZSbjyD4aqn0aOKdIKYtrnTgaUGMWHQ/edit#

Steal Summary:

  • 4QSQiBquEZXhLJNHNR6CjKEFWkgmtfcbTjdqHZgZErLn (SolFire Hot wallet)
  • Eth accounts were funded for gas via Tornado cash
  • Sol accounts were funded for gas via Binance (Binance could identify the thief by identifying sol address BZCDVsp7tVsGiKNHrJfxfSXXNikLdBaXkJs7kfSTr1GR who then funds D6RBPLyUYhUE98rWZrewSkpmSDLypGRoGV4EqvGKkvym (bad guy acct 1) and 8XnyGsVNGFWQ2UYAzwj8gqJsCETMzmbY6ZFTqHpRWfy (bad guy acct 2) via single intermediaries)
  • Funds were transferred from 4QSQ and sent to D6RB (bad guy 1) and 8Xny (bad guy 2)
  • 8Xny sells everything into soETH and sends it (664 soETH) over the sollet bridge to Ethereum to address 0xc5afc6c1d4002dc9bc765542a17bb0fc49044ec5 where it sits as ETH.
  • D6RB receives USDC and USDT; it sends them over the sollet bridge to Ethereum to 0x1e669254badd2866b217983d6a2fcbbf07d66ff7 who adds liquidity to Curve 3-pool

Background

4QSQiBquEZXhLJNHNR6CjKEFWkgmtfcbTjdqHZgZErLn — primary SolFire account

https://sonar.watch/dashboard/4QSQiBquEZXhLJNHNR6CjKEFWkgmtfcbTjdqHZgZErLn — see account drop from 8m to 65k (about 5M is FIRE token and 3M is real assets)

FBUKfg7Thx4WDM4ATehJe1xWzuGtMk1myXhRSvuSq19h — Sollet bridge address

2ojv9BAiHUrvsm9gxDe7fJSzbNZSJcxZvf8dqmWGHG8S — Binance hot wallet

ASTyfSima4LLAdDgoFGkgqoKowG1LZFDr9fAQrg7iaJZ — MEXC hot wallet (author thinks, pls let me know if this is wrong, has a bunch of tokens in it like GOFX, FANT, MEAN, CHICKS in it which seem to be only listed on MEXC. other possibility (less likely) is Gate.io)

Minor Note: JBNK2QQKRH1afUiieMraBCaZ29YVqsY8FmLCvR3xckC2 is the ATA for wrapped SOL for 8XnyGsVNGFWQ2UYAzwj8gqJsCETMzmbY6ZFTqHpRWfy

The Transactions

Here is the list of transactions emptying the SolFire wallet (copied from here: https://docs.google.com/spreadsheets/d/1953qqUZBDJJH3iFNVZoBwVsCHArlx5RMyO7KNweTf5Q/edit?usp=sharing):

  1. 4cdwKrEqcv1EB8oXhJw2Udmww8ySkPh7m3RMLFciWSbSE84oDZmRxeDBCR32XeVYWmF8zodpw4sNxrmJbkCwPTc2 6.3848 BTC
  2. 26AnPkNQ6VQaPJ4qyf1AwumEiSnQkXJpM3dhJe5cSqdcPFTkJjMgfojGXxME8QG6CkwAbFCMWLQMscbcDnNHSs4D 104.865 ETH
  3. 2vEBhU4F5zZjL65JWkc7CFUZamU9rqpEBbPjugEoSLJ8WJGKBWvYWYUUtRapUtS5kFaF6YR3amCqPJhDBB7VaCrt 4414.47 SOL
  4. 2wcJUbWc4XiCcwrX3sm92XVCxmNEJH27Jo1idJ8N59313BXfqzT8QJj6szeRTekmns9JXjQzbpTKmeR6UFCCky4r 1,537,822 USDT
  5. 5Q2xciZggPc9Ycmrs7XM33AbtAvTEiCHfBDS2MeSgV3ihYKKAc9nXhJ9r5NX3xnmb7pV8Y6hy6xkgx1SPCipa6bp 299,702 USDC
  6. 48r9KhG6N7jbK1wjPR2DnSAGjrKkEfXLRwtX5Q7af3jyQ5BKq7K5Y4BaHLMCtWQTwKgi65V9wx3AMZY2fYhkL9Ln 4030.403717 mSOL
  7. 2roQu6zjy6wCuJK72eQeDHw1ojaA5WwtreYMcSq4okjfsrebXtngsxd5ub3ZZphEy5XFMg8SPjMsGrqU3hJSvSJv 1457.89 LUNA
  8. QauQooTafdiW2TqoWA4an7owW3fzCDTzWfuDXxDNz2t5eQAVtf2R1QKxBJ1fwB4SFwSme4zNakNzoaRpmSgc5e9 26347 RAY
  9. zLHjtcwZnGRZfUYqsXF55npe6ebpju2hYfZyPejT8j1dFMuJBu5Q39BPfRgb74z1xtu7wbx6m4EMwZFGLShS8fm 46110 SRM
  10. 3dVq6Z5kddj51LhPesBz8Un4KD6i7e7MVDDvbLqbnnw93mNwzU1Uh34kS8v38g5MCp9MqmaU33yMyXwKD1Er6D2g 830270 SBR

These transfers total over $4m USD at the time of the rug.

Where the funds go next:

8XnyGsVNGFWQ2UYAzwj8gqJsCETMzmbY6ZFTqHpRWfy sells everything into soETH and sends 664 soETH to FBUK (sollet bridge) to https://etherscan.io/address/0xc5afc6c1d4002dc9bc765542a17bb0fc49044ec5 on ETH:

Various trades into soETH: https://solscan.io/account/8XnyGsVNGFWQ2UYAzwj8gqJsCETMzmbY6ZFTqHpRWfy#splTransfers

Send 664 soETH (~1.6M USD) to FBUK: https://solscan.io/tx/5MvryVouh6w3QHrUBXaM9AWHUifqiVyDjKTVQJJr4ZLdiYbpDojBaQ81aTvHJZVWvcyRBHHAzLUaWauXGuN7TMU8 at January 23, 2022 04:55:38 AM +UTC

Arrival: 664.86 soETH from Sollet bridge into Eth:

https://etherscan.io/tx/0x24a5f5554d272eec6ea9b669e6069742455626b1fa72116067e62d2cf633e68c

D6RBPLyUYhUE98rWZrewSkpmSDLypGRoGV4EqvGKkvym receives USDC and USDT and sends them to FBUK (sollet bridge) to 0x1e669254badd2866b217983d6a2fcbbf07d66ff7 on ETH

https://solscan.io/tx/3d9cXsVi3NV1EJd9rwqZDSg52Kuf3S6kixa3qdtj3hLKzi5qUkE3mcmht1249fn3U1TmfRputRuafefkSs1pKSSQ (10k test transfer USDC)

Arrival: https://etherscan.io/tx/0x7fdb488c9b5970f40d25739b88263bc8de69e503e5ab29edf8a3d954d98be0c9

https://solscan.io/tx/3b17maJ5jPhzFCqsmq8hnoQTgWC1gfkfBYZzesghR1ga9VwRA5K98rhD1XnP8DwQqtARG6wmBdgyXhw988RmqeQT (290k USDC)

Arrival: https://etherscan.io/tx/0x50bf9a8fb9af45751c99b594a683c513d55a4083372d1ab4eedbf4ef5b56abaf

https://solscan.io/tx/4t16NcHS77iDYkpumrAm2joQFnfmfmVjHDyWQwPKfLzExareE21qi22SNfzJiLHxrmdz2BVEfUuzvYTNpNrDxEeQ (10k test transfer USDT)

Arrival: https://etherscan.io/tx/0x2285720722c056b2733617fb8597943eba9c371810d279457455851e250298bf

https://solscan.io/tx/33XMMUUDVvuHTmfLiSLNEf1U6UybzS61VxNsFDFByJtVfkXz9MDBWgt5ZrEQB3uhiuG3osYMSqEabMieE1CfzjVg (1.52M USDT)

Arrival: https://etherscan.io/tx/0x136c3b72514e3a9fe8a939400161472726169d6b7a8e335a783cbffcae1074ce

Other:

59M (of 100M circulating supply of FIRE) sent out, still sitting there:

https://solscan.io/tx/4Dz7a4mvXd8hHrNQsyX5CfhoGGg7rEi4dz5C7gqM4kzbG47T4Z6bo63JX4KLkrWKF6gnpUAsXLgx6MxHBiu8JecB

Thief Eth account — Gas Funding

https://etherscan.io/address/0xe8032c0270164819bbee809324e09d899cc97f18 funds both 0xc5afc6c1d4002dc9bc765542a17bb0fc49044ec5 and 0x1e669254badd2866b217983d6a2fcbbf07d66ff7 for gas.

This account itself was funded via Tornado cash so tracing is difficult if not impossible.

Thief Sol account — Gas Funding

Summary:

  • 2ojv (Binance hot wallet) funds BZCD
  • BZCD sends USDC and a lil bit of SOL to 95E3
  • 95E3 funds D6RB (bad guy 1) and 8Xny (bad guy 2), each via a single intermediary
  • So Exchange 2ojv can identify the bad guy by identifying BZCDVsp7tVsGiKNHrJfxfSXXNikLdBaXkJs7kfSTr1GR

Details:

2ojv9BAiHUrvsm9gxDe7fJSzbNZSJcxZvf8dqmWGHG8S (Binance hot wallet) funds BZCDVsp7tVsGiKNHrJfxfSXXNikLdBaXkJs7kfSTr1GR: https://solscan.io/tx/2DeEJYwWiCsZPgoo3nYLAAJw5FmRoXjrYpvo5th32bFHVAetkunExfJJMaMQLTohG4GFNLPvE7sTfcFFous7qA3k

BZCDVsp7tVsGiKNHrJfxfSXXNikLdBaXkJs7kfSTr1GR to 95E3mb4KVH69YoovZbz9mkyghkVyyb4zGeY2LGfTkuHa, mostly sending USDC, had to send a bit of SOL: https://solscan.io/tx/5cbfhNQ62whEmGmUXMYtvm91d8FXZivM3pMBBFwE1fbTEhKJ6rL2SuNoTCtdhCwu4Ci4CXFe1mSgB73hR9qiukQQ

95E3mb4KVH69YoovZbz9mkyghkVyyb4zGeY2LGfTkuHa to F2htj6PFbBTgWtsCEnzPz1w7jeJ1Gx3WTNRmgmwMqRGR: https://solscan.io/tx/3NDExawaZJw8kc4pEVcjFDTP3UPaGkmVbWusUBpCtrjjr2LsVKERVPydQSzew2uVEzVFmkxfZN9CNVRc9yaMvan6 for 1 SOL

F2htj6PFbBTgWtsCEnzPz1w7jeJ1Gx3WTNRmgmwMqRGR to D6RBPLyUYhUE98rWZrewSkpmSDLypGRoGV4EqvGKkvym (bad guy 1) https://solscan.io/tx/3WAtK7toPpLyt5vyBQa81GiCo1CpTEnapEuvjEWbPsVw3w7r3yB1cFUbiXgLDgasPsqvLG8voXeR78zUsPYv2wch for 0.995 SOL

95E3mb4KVH69YoovZbz9mkyghkVyyb4zGeY2LGfTkuHa to 9UocrchkPQHKpnZ65ycMaLjeLdcsFb84vQiXYPjPoUJZ for 1 SOL: https://solscan.io/tx/4DvsMxLnhNpSugu7g2t5vyhu5WdnQGzu84VqBKEDP5nZdDGHktUtGeWC3ooazfMtsAX9DVeZsRh4GKrMGhneDTGe

9UocrchkPQHKpnZ65ycMaLjeLdcsFb84vQiXYPjPoUJZ to 8XnyGsVNGFWQ2UYAzwj8gqJsCETMzmbY6ZFTqHpRWfy (bad guy 2): https://solscan.io/tx/2DhwVWA5g87BmRJz4LzQZAEvA8WbDWbrLZhyCgGy6nTdcBHtdKsouBMzELmpR1PnmivEFTPzu76ZAhgjUJwh4GGL
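The gas-funding trace above can be reproduced mechanically by walking the funding edges backwards from each thief account until a labelled exchange wallet is reached. The following is an added example, not part of the original trace or of any project's code; addresses are shortened to their first four characters (F2ht and 9Uoc are the two intermediaries), and the function names are hypothetical.

```python
from collections import deque

# Funding edges (sender, receiver) taken from the "Details" list above.
EDGES = [
    ("2ojv", "BZCD"),  # Binance hot wallet funds BZCD
    ("BZCD", "95E3"),  # mostly USDC plus a bit of SOL
    ("95E3", "F2ht"),  # 1 SOL
    ("F2ht", "D6RB"),  # 0.995 SOL to bad guy acct 1
    ("95E3", "9Uoc"),  # 1 SOL
    ("9Uoc", "8Xny"),  # to bad guy acct 2
]
# Wallets the write-up labels as belonging to an exchange.
EXCHANGE_LABELS = {"2ojv": "Binance hot wallet"}


def trace_to_exchange(target, edges, labels):
    """Breadth-first walk from `target` back through its funders.
    Returns the path exchange -> ... -> target, or None if no labelled
    exchange wallet is upstream of the target."""
    funders = {}
    for src, dst in edges:
        funders.setdefault(dst, []).append(src)
    queue, seen = deque([[target]]), {target}
    while queue:
        path = queue.popleft()
        if path[-1] in labels:
            return path[::-1]
        for src in funders.get(path[-1], []):
            if src not in seen:  # guard against cycles between wallets
                seen.add(src)
                queue.append(path + [src])
    return None


def group_by_withdrawal(targets, edges, labels):
    """Group targets by (exchange wallet, first address the exchange paid).
    That first address is the one the exchange can tie to a customer."""
    groups = {}
    for target in targets:
        path = trace_to_exchange(target, edges, labels)
        if path and len(path) > 1:
            groups.setdefault((path[0], path[1]), []).append(target)
    return groups


if __name__ == "__main__":
    found = group_by_withdrawal(["D6RB", "8Xny"], EDGES, EXCHANGE_LABELS)
    for (exchange, addr), funded in found.items():
        print(f"{EXCHANGE_LABELS[exchange]} paid {addr}, which funded {funded}")
```

Both thief accounts resolve to the same exchange withdrawal address, which is why the trace singles out BZCD as the address Binance could identify.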

LP Drain

The USDC-FIRE liquidity pool was drained over the next few days back to some of the initial wallets.

The Redemption?

Robin Hood

Later on in the day of the rug, the SolFire Telegram changed its name to “The Redemption”. The two admins “@kylewebber” and “@satoshimself” both updated their profile description to the same thing:

Later in the day several users received a message from one of the admins admitting the rug pull and asking users to provide a reason why the admins should give their money back. Are they trying to pull off some kind of Robin Hood redemption arc? Kind of a sick twist; we’ll see if anyone gets a refund.

The best redemption, however, would be for all the money to be properly returned to the investors and to see these people behind bars.

Next Steps

As of this writing there are still funds in Solana wallets, at least over $500k USD:

H1A6ViUjVKfDWPd14QxrJEtaxhNBKPB31tZEgJxNoLdX
4QSQiBquEZXhLJNHNR6CjKEFWkgmtfcbTjdqHZgZErLn

Can they be frozen and seized?

The half million USD in funds used to initially fund the liquidity pool for SolFire may hold the key to where this started. Are these the same actors as the LunaYield scam months ago? Maybe. Since some of the funds reportedly flow back to a Binance hot wallet, can Binance out the culprit? Very likely.

How can other projects be vetted better on Solana? Can the community come together here and help with a recovery effort? Perhaps the co-founder of Solana, Anatoly (https://twitter.com/aeyakovenko) can provide some assistance (feel free to tweet this article at him).

Solana has been taking a lot of heat lately for transaction speeds and while some criticism is warranted, I think it’s largely just the internet hive mind making a big deal about nothing. I am a Solana holder and I really believe in the project, but this elaborate Solana rug pull definitely needs more attention from the top.

Are popular projects such as Larix, PsyOptions or Slope somewhat responsible here? The only reason I invested with SolFire is because I felt comfortable after reading the AMA with Slope and saw the tweets from ProjectLarix and PsyOptions. I think the projects promoting SolFire need to issue a public apology or statement and commit to doing more due diligence on future “partners”; otherwise they come across as being complicit in the scam.

I also feel there should be some high level involvement from these projects as well as Solana Labs in order to put together a community discovery and recovery effort here and not just try to sweep this one under the … rug.

Links

Telegram if you’ve been scammed (not mine): https://t.co/SN6tpATvzY

Twitter (not mine): https://twitter.com/RugpullSolfire

Transaction Research (not mine): https://docs.google.com/document/d/1qAhLCxoLcD8PxZSbjyD4aqn0aOKdIKYtrnTgaUGMWHQ/edit#

Donation Wallet (mine): GfRiHuLxTVfDvUmbPAVcz45PNwAa317hBFja1Thve53H
