SolFire — The $4m+ Crypto Rug Pull Promoted by Trusted Solana Projects
SolFire was a DeFi project on Solana promoted by many trusted crypto projects including ProjectLarix, Slope, PsyOptions, Solana Daily and more. They had their own emission token, various call/put strategies and impressive yields. After a couple of weeks of being up and running, delivering new features and engaging with its community, they accumulated ~4 million USD and transferred nearly everything out of the contract.
SolFire was an elaborate scheme to defraud investors. They started with over $500k of initial liquidity and investment. They had their own emission token and program. They claimed to be built on ProjectLarix and PsyOptions and were promoted by both of those projects. Slope, a very popular mobile wallet for Solana, tweeted that they had partnered with SolFire, added their dApp to the Slope mobile wallet, and did an extensive and elaborate AMA with them as well. They integrated with DeFi Llama, Defiyield and others. They received partnerships and retweets from many well-known and trusted Solana projects. From the limited research done so far, they walked away with at least 4m USD (TVL was over 12m so it could be more) and there is an additional 500k USD still in Solana wallets.
This was no ordinary rug pull.
The $500k+ initial funding of the project came through this wallet https://solscan.io/account/95GzJxVLG5TBwiWvbYmcHkTj1zy1s2LisPKtPszf1EoL#splTransfers via the Wormhole bridge with these two transactions:
The first 300,000 USDC was added to the LP on Jan 4 2022: https://solscan.io/tx/5J3XhQnStSsv3oq8R8ASiZQA6ZkTXsUoXvDoZT1aBqU7eZLiKRXwsRxJXcBuT5AfhdBckb2Uk9AmNVwVfhqZMnCL
And some funds were transferred to other wallets https://solscan.io/account/H1A6ViUjVKfDWPd14QxrJEtaxhNBKPB31tZEgJxNoLdX shortly after which added another 226,573 USDC to the LP:
ProjectLarix, "the first Metaverse based Finance Protocol on Solana" with over 200m+ TVL, announced the partnership with SolFire on January 4th before the launch.
They retweeted several posts from SolFire as well.
They later deleted all tweets and posts about SolFire.
PsyOptions is an American style options protocol built on the Solana blockchain. They have over 30m TVL and promoted SolFire on Jan 7th. In a series of tweets promoting DeFi products (including Katana, Friktion, Chest, & Tap Refinance) built on their platform, they wrote a tweet about SolFire (since deleted):
They later stated on Jan 19th they don’t have a direct affiliation with the project.
Slope, a popular mobile Solana wallet, did a very detailed and convincing AMA with SolFire including a (likely fake) dox (since deleted):
They also announced a partnership with Solfire:
They also did a promotion and gave out prizes:
In addition, they added an integration with the SolFire dApp in their mobile app. They have since deleted all mention of SolFire from their tweets and Medium page.
Solana Daily created/provided this detailed and beautiful infographic:
They also promoted SolFire the day before the rug:
SolFire was also listed on DeFi Llama, CoinMarketCap and CoinGecko.
Should these projects hold some responsibility? We always hear the phrase DYOR, but perhaps these projects should DYOR before promoting a scam. Part of investment research is hearing what trusted projects are saying about the project, and all signs pointed to legit from them. IANASD (I am not a Solana developer), but after spending just a couple of hours reviewing the transaction history, SolFire didn’t appear to be using the PsyOptions or Larix platform for investment options. Did anyone review the source or test transactions prior to making statements about partnerships?
Is there some larger conspiracy here, could any of these projects be complicit in the scam? Not likely, but it’s not exactly clear that it isn’t either. How can I knowingly invest in the other new projects promoted by PsyOptions, Larix, Slope, Solana Daily or others?
Several users were even banned from the Slope Telegram for asking about the partnership after the rug. All the projects are just silently deleting posts and tweets about SolFire without even acknowledging or taking any responsibility for this rug pull.
SolFire was sophisticated and had several layers of complexity. They had an emission token and offered several investment options that appeared legit, especially considering the stated partnership with ProjectLarix and PsyOptions. The technical expertise to execute a project of this scale would require a deep understanding of the Solana framework and DeFi.
Throughout the few weeks of the project, SolFire released new vaults, fixed bugs, improved UI, new features, and added more info about their upcoming (bogus) NFT platform. They announced more partnerships and even CEX listings. They even switched RPC implementation to Genesys Go.
From the surface, and with all the promotions, SolFire looked like a good project.
Throughout the short lifetime of the project, the SolFire token increased in value from 0.02 USDC to over 0.10 USDC, encouraging more people to hodl the coin in their FIRE vault.
There is an account funded by the initial wallet 95Gz as well as through the vaults: https://solscan.io/account/B3WCDRpBJ41MUbQHzPzhEDu51d4TKJqwXAeRjcDsjWbq#splTransfer
This wallet would periodically get transfers from the main 4QSQ SolFire wallet and then sell those assets and buy FIRE tokens, artificially driving the price of FIRE up.
SolFire devs were buying their own token with the funds people were adding to the vaults to inflate the price.
At approximately 03:45 UTC January 23rd 2022, the steal started.
Here you can see the main wallet go from 8.6m to 64k in 1 day.
Another internet user put together a detailed trace of the wallets and funds transferred, which is largely just copied and pasted below with updated formatting. The original is linked here: https://docs.google.com/document/d/1qAhLCxoLcD8PxZSbjyD4aqn0aOKdIKYtrnTgaUGMWHQ/edit#
- 4QSQiBquEZXhLJNHNR6CjKEFWkgmtfcbTjdqHZgZErLn (SolFire Hot wallet)
- Eth accounts were funded for gas via Tornado cash
- Sol accounts were funded for gas via Binance (Binance could identify the thief by identifying sol address BZCDVsp7tVsGiKNHrJfxfSXXNikLdBaXkJs7kfSTr1GR who then funds D6RBPLyUYhUE98rWZrewSkpmSDLypGRoGV4EqvGKkvym (bad guy acct 1) and 8XnyGsVNGFWQ2UYAzwj8gqJsCETMzmbY6ZFTqHpRWfy (bad guy acct 2) via single intermediaries)
- Funds were transferred from 4QSQ and sent to D6RB (bad guy 1) and 8Xny (bad guy 2)
- 8Xny sells everything into soETH and sends it (664 soETH) over the sollet bridge to Ethereum to address 0xc5afc6c1d4002dc9bc765542a17bb0fc49044ec5 where it sits as ETH.
- D6RB receives USDC and USDT; it sends them over the sollet bridge to Ethereum to 0x1e669254badd2866b217983d6a2fcbbf07d66ff7 who adds liquidity to Curve 3-pool
4QSQiBquEZXhLJNHNR6CjKEFWkgmtfcbTjdqHZgZErLn — primary SolFire account
https://sonar.watch/dashboard/4QSQiBquEZXhLJNHNR6CjKEFWkgmtfcbTjdqHZgZErLn — see account drop from 8m to 65k (about 5M is FIRE token and 3M is real assets)
FBUKfg7Thx4WDM4ATehJe1xWzuGtMk1myXhRSvuSq19h — Sollet bridge address
2ojv9BAiHUrvsm9gxDe7fJSzbNZSJcxZvf8dqmWGHG8S — Binance hot wallet
ASTyfSima4LLAdDgoFGkgqoKowG1LZFDr9fAQrg7iaJZ — MEXC hot wallet (author thinks, pls let me know if this is wrong, has a bunch of tokens in it like GOFX, FANT, MEAN, CHICKS in it which seem to be only listed on MEXC. other possibility (less likely) is Gate.io)
Minor Note: JBNK2QQKRH1afUiieMraBCaZ29YVqsY8FmLCvR3xckC2 is the ATA for wrapped SOL for 8XnyGsVNGFWQ2UYAzwj8gqJsCETMzmbY6ZFTqHpRWfy
Here is the list of transactions emptying the SolFire wallet (copied from here: https://docs.google.com/spreadsheets/d/1953qqUZBDJJH3iFNVZoBwVsCHArlx5RMyO7KNweTf5Q/edit?usp=sharing):
- 4cdwKrEqcv1EB8oXhJw2Udmww8ySkPh7m3RMLFciWSbSE84oDZmRxeDBCR32XeVYWmF8zodpw4sNxrmJbkCwPTc2 6.3848 BTC
- 26AnPkNQ6VQaPJ4qyf1AwumEiSnQkXJpM3dhJe5cSqdcPFTkJjMgfojGXxME8QG6CkwAbFCMWLQMscbcDnNHSs4D 104.865 ETH
- 2vEBhU4F5zZjL65JWkc7CFUZamU9rqpEBbPjugEoSLJ8WJGKBWvYWYUUtRapUtS5kFaF6YR3amCqPJhDBB7VaCrt 4414.47 SOL
- 2wcJUbWc4XiCcwrX3sm92XVCxmNEJH27Jo1idJ8N59313BXfqzT8QJj6szeRTekmns9JXjQzbpTKmeR6UFCCky4r 1,537,822 USDT
- 5Q2xciZggPc9Ycmrs7XM33AbtAvTEiCHfBDS2MeSgV3ihYKKAc9nXhJ9r5NX3xnmb7pV8Y6hy6xkgx1SPCipa6bp 299,702 USDC
- 48r9KhG6N7jbK1wjPR2DnSAGjrKkEfXLRwtX5Q7af3jyQ5BKq7K5Y4BaHLMCtWQTwKgi65V9wx3AMZY2fYhkL9Ln 4030.403717 mSOL
- 2roQu6zjy6wCuJK72eQeDHw1ojaA5WwtreYMcSq4okjfsrebXtngsxd5ub3ZZphEy5XFMg8SPjMsGrqU3hJSvSJv 1457.89 LUNA
- QauQooTafdiW2TqoWA4an7owW3fzCDTzWfuDXxDNz2t5eQAVtf2R1QKxBJ1fwB4SFwSme4zNakNzoaRpmSgc5e9 26347 RAY
- zLHjtcwZnGRZfUYqsXF55npe6ebpju2hYfZyPejT8j1dFMuJBu5Q39BPfRgb74z1xtu7wbx6m4EMwZFGLShS8fm 46110 SRM
- 3dVq6Z5kddj51LhPesBz8Un4KD6i7e7MVDDvbLqbnnw93mNwzU1Uh34kS8v38g5MCp9MqmaU33yMyXwKD1Er6D2g 830270 SBR
These transfers total over $4m USD at the time of the rug.
Where the funds go next:
8XnyGsVNGFWQ2UYAzwj8gqJsCETMzmbY6ZFTqHpRWfy sells everything into soETH and sends 664 soETH to FBUK (sollet bridge) to https://etherscan.io/address/0xc5afc6c1d4002dc9bc765542a17bb0fc49044ec5 on ETH:
Various trades into soETH: https://solscan.io/account/8XnyGsVNGFWQ2UYAzwj8gqJsCETMzmbY6ZFTqHpRWfy#splTransfers
Sends 664 soETH (~1.6M USD) to FBUK: https://solscan.io/tx/5MvryVouh6w3QHrUBXaM9AWHUifqiVyDjKTVQJJr4ZLdiYbpDojBaQ81aTvHJZVWvcyRBHHAzLUaWauXGuN7TMU8 at January 23, 2022 04:55:38 AM +UTC
Arrival: 664.86 soETH from Sollet bridge into Eth:
D6RBPLyUYhUE98rWZrewSkpmSDLypGRoGV4EqvGKkvym receives USDC and USDT and sends them to FBUK (sollet bridge) to 0x1e669254badd2866b217983d6a2fcbbf07d66ff7 on ETH
59M (of 100M circulating supply of FIRE) sent out, still sitting there:
Thief Eth account — Gas Funding
https://etherscan.io/address/0xe8032c0270164819bbee809324e09d899cc97f18 funds both 0xc5afc6c1d4002dc9bc765542a17bb0fc49044ec5 and 0x1e669254badd2866b217983d6a2fcbbf07d66ff7 for gas.
This account itself was funded via Tornado cash so tracing is difficult if not impossible.
Thief Sol account — Gas Funding
- 2ojv (Binance hot wallet) funds BZCD
- BZCD sends USDC and a lil bit of SOL to 95E3
- 95E3 funds D6RB (bad guy 1) and 8Xny (bad guy 2), each via a single intermediary
- So Exchange 2ojv can identify the bad guy by identifying BZCDVsp7tVsGiKNHrJfxfSXXNikLdBaXkJs7kfSTr1GR
2ojv9BAiHUrvsm9gxDe7fJSzbNZSJcxZvf8dqmWGHG8S (Binance hot wallet) funds BZCDVsp7tVsGiKNHrJfxfSXXNikLdBaXkJs7kfSTr1GR: https://solscan.io/tx/2DeEJYwWiCsZPgoo3nYLAAJw5FmRoXjrYpvo5th32bFHVAetkunExfJJMaMQLTohG4GFNLPvE7sTfcFFous7qA3k
BZCDVsp7tVsGiKNHrJfxfSXXNikLdBaXkJs7kfSTr1GR to 95E3mb4KVH69YoovZbz9mkyghkVyyb4zGeY2LGfTkuHa, mostly sending USDC, had to send a bit of SOL: https://solscan.io/tx/5cbfhNQ62whEmGmUXMYtvm91d8FXZivM3pMBBFwE1fbTEhKJ6rL2SuNoTCtdhCwu4Ci4CXFe1mSgB73hR9qiukQQ
95E3mb4KVH69YoovZbz9mkyghkVyyb4zGeY2LGfTkuHa to F2htj6PFbBTgWtsCEnzPz1w7jeJ1Gx3WTNRmgmwMqRGR: https://solscan.io/tx/3NDExawaZJw8kc4pEVcjFDTP3UPaGkmVbWusUBpCtrjjr2LsVKERVPydQSzew2uVEzVFmkxfZN9CNVRc9yaMvan6 for 1 SOL
F2htj6PFbBTgWtsCEnzPz1w7jeJ1Gx3WTNRmgmwMqRGR to D6RBPLyUYhUE98rWZrewSkpmSDLypGRoGV4EqvGKkvym (bad guy 1) https://solscan.io/tx/3WAtK7toPpLyt5vyBQa81GiCo1CpTEnapEuvjEWbPsVw3w7r3yB1cFUbiXgLDgasPsqvLG8voXeR78zUsPYv2wch for 0.995 SOL
95E3mb4KVH69YoovZbz9mkyghkVyyb4zGeY2LGfTkuHa to 9UocrchkPQHKpnZ65ycMaLjeLdcsFb84vQiXYPjPoUJZ for 1 SOL: https://solscan.io/tx/4DvsMxLnhNpSugu7g2t5vyhu5WdnQGzu84VqBKEDP5nZdDGHktUtGeWC3ooazfMtsAX9DVeZsRh4GKrMGhneDTGe
9UocrchkPQHKpnZ65ycMaLjeLdcsFb84vQiXYPjPoUJZ to 8XnyGsVNGFWQ2UYAzwj8gqJsCETMzmbY6ZFTqHpRWfy (bad guy 2): https://solscan.io/tx/2DhwVWA5g87BmRJz4LzQZAEvA8WbDWbrLZhyCgGy6nTdcBHtdKsouBMzELmpR1PnmivEFTPzu76ZAhgjUJwh4GGL
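The backward funding trace described above, as an added example (not part of the original article or the linked research document): it walks the listed gas-funding transfers from each thief account back to the labelled Binance hot wallet, and reports the first account after the exchange and the funders both thief accounts share. The addresses and the Binance label are taken from the trace above; the function names and the hop limit are assumptions.

```python
from collections import defaultdict

# Addresses as given in the gas-funding trace above.
BINANCE = "2ojv9BAiHUrvsm9gxDe7fJSzbNZSJcxZvf8dqmWGHG8S"
W_BZCD = "BZCDVsp7tVsGiKNHrJfxfSXXNikLdBaXkJs7kfSTr1GR"
W_95E3 = "95E3mb4KVH69YoovZbz9mkyghkVyyb4zGeY2LGfTkuHa"
W_F2HT = "F2htj6PFbBTgWtsCEnzPz1w7jeJ1Gx3WTNRmgmwMqRGR"
W_9UOC = "9UocrchkPQHKpnZ65ycMaLjeLdcsFb84vQiXYPjPoUJZ"
W_D6RB = "D6RBPLyUYhUE98rWZrewSkpmSDLypGRoGV4EqvGKkvym"  # bad guy 1
W_8XNY = "8XnyGsVNGFWQ2UYAzwj8gqJsCETMzmbY6ZFTqHpRWfy"   # bad guy 2

LABELS = {BINANCE: "Binance hot wallet"}  # label as stated on the page
# (sender, receiver) edges, one per transfer listed in the trace.
TRANSFERS = [(BINANCE, W_BZCD), (W_BZCD, W_95E3), (W_95E3, W_F2HT),
             (W_F2HT, W_D6RB), (W_95E3, W_9UOC), (W_9UOC, W_8XNY)]

def trace_to_labelled(target, transfers, labels, max_hops=6):
    """Follow funding edges backwards from target. Return every path that ends
    at a labelled wallet, ordered source -> target. Labelled wallets are not
    expanded: an exchange hot wallet pools unrelated customers' funds."""
    funders = defaultdict(set)
    for src, dst in transfers:
        funders[dst].add(src)
    found, stack = [], [[target]]
    while stack:
        path = stack.pop()
        head = path[0]
        if head in labels:
            found.append(path)
        elif len(path) <= max_hops:
            for src in sorted(funders[head]):
                if src not in path:  # do not loop on circular transfers
                    stack.append([src] + path)
    return found

def shared_unlabelled_funders(a, b, transfers, labels):
    """Unlabelled wallets that sit upstream of both a and b."""
    def upstream(t):
        return {w for p in trace_to_labelled(t, transfers, labels)
                for w in p[:-1] if w not in labels}
    return upstream(a) & upstream(b)

if __name__ == "__main__":
    for thief in (W_D6RB, W_8XNY):
        for path in trace_to_labelled(thief, TRANSFERS, LABELS):
            print(LABELS[path[0]], "->", " -> ".join(w[:4] for w in path[1:]))
            print("  account the exchange can look up:", path[1])
    print("shared funders:", sorted(shared_unlabelled_funders(
        W_D6RB, W_8XNY, TRANSFERS, LABELS)))
```

On this edge list both thief accounts resolve to the same exchange withdrawal recipient (BZCD), which is why the trace says the exchange can identify the actor.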
The USDC-FIRE liquidity pool was drained over the next few days back to some of the initial wallets.
Later on in the day of the rug, the SolFire telegram changed its name to “The Redemption”. The two admins “@kylewebber” and “@satoshimself” both updated their profile description to the same thing:
Later in the day several users received a message from one of the admins admitting the rug pull and asking users to provide a reason why they should be given their money back. Are they trying to pull off some kind of Robin Hood redemption arc? Kind of a sick twist, we’ll see if anyone gets a refund.
The best redemption, however, would be for all the money to be properly returned to the investors and to see these people behind bars.
As of this writing there are still funds in Solana wallets, at least over $500k US:
H1A6ViUjVKfDWPd14QxrJEtaxhNBKPB31tZEgJxNoLdX
4QSQiBquEZXhLJNHNR6CjKEFWkgmtfcbTjdqHZgZErLn
Can they be frozen and seized?
The half million USD in funds used to initially fund the liquidity pool for SolFire may hold the key to where this started. Are these the same actors as the LunaYield scam months ago? Maybe. Since some of the funds reportedly flow back to a Binance hot wallet, can Binance out the culprit? Very likely.
How can other projects be vetted better on Solana? Can the community come together here and help with a recovery effort? Perhaps the co-founder of Solana, Anatoly (https://twitter.com/aeyakovenko) can provide some assistance (feel free to tweet this article at him).
Solana has been taking a lot of heat lately for transaction speeds and while some criticism is warranted, I think it's largely just the internet hive mind making a big deal about nothing. I am a Solana holder and I really believe in the project, but this elaborate Solana rug pull definitely needs more attention from the top.
Are popular projects such as Larix, PsyOptions or Slope somewhat responsible here? The only reason I invested with SolFire is because I felt comfortable after reading the AMA with Slope and saw the tweets from ProjectLarix and PsyOptions. I think the projects promoting SolFire need to issue a public apology or statement and commit to doing more due diligence on future “partners” otherwise they come across as being complicit in the scam.
I also feel there should be some high level involvement from these projects as well as Solana Labs in order to put together a community discovery and recovery effort here and not just try to sweep this one under the … rug.
Telegram if you’ve been scammed (not mine): https://t.co/SN6tpATvzY
Twitter (not mine): https://twitter.com/RugpullSolfire
Transaction Research (not mine): https://docs.google.com/document/d/1qAhLCxoLcD8PxZSbjyD4aqn0aOKdIKYtrnTgaUGMWHQ/edit#
Donation Wallet (mine): GfRiHuLxTVfDvUmbPAVcz45PNwAa317hBFja1Thve53H