How Attackers Manipulated Filament Finance & Stole $572k?

What Happened?

On April 6, 2025, between 12:00 AM and 4:00 AM UTC, Filament Finance was targeted in a coordinated exploit that resulted in the loss of approximately $572,000 worth of user funds.

The attacker manipulated Filament’s on-chain order book through spoofed order placements and self-liquidation loops, ultimately draining the majority of protocol deposits.

TL;DR

• Attack Duration: 4 hours (April 6, 12:00 AM — 4:00 AM UTC)
• Total User Deposits Before Attack: $680,000
• Estimated Loss: ~$572,000
• Method of Exploit: Order book manipulation and liquidation abuse

Attack Vector: Order Book Manipulation

The exploit took advantage of the protocol’s thin liquidity and execution logic:

1. The attacker created multiple accounts and began placing large spoof orders (orders that were never intended to be filled) to artificially inflate the price of certain assets.
2. These orders were matched against the attacker’s other accounts, executing trades at manipulated prices. This moved the price in a predictable direction without involving external buyers/sellers.
3. The attacker used inflated prices to open over-leveraged positions using small collateral.
4. When the prices were later manipulated in the opposite direction, these positions became undercollateralized. The attacker used a separate account to trigger self-liquidations at favorable rates, allowing extraction of inflated asset values from the platform.
5. This loop was executed across multiple accounts to repeatedly drain liquidity.

The core issue stemmed from inadequate circuit breakers in the liquidation logic and a lack of guardrails against multi-account manipulation.

Exploit Timeline

• 12:00 AM UTC: Initial spoof orders appear on Filament’s order book.
• 12:15 AM UTC: First batch of self-trades executed.
• 12:45 AM UTC: Leveraged positions initiated by the attacker using manipulated prices.
• 1:30 AM UTC: Reverse manipulation begins, triggering cascading liquidations.
• 2:00 AM — 4:00 AM UTC: Multiple cycles of price manipulation and liquidation executed.
• 4:00 AM UTC: Admin keys used to halt trading and withdrawals.

Fund Movement

• Bridge Used: Symbiosis Bridge
• Destination Exchange: FixedFloat

Funds were dispersed across numerous wallets and bridged out shortly after being extracted.

Known Attacker Wallets

• 0x6aa5214abb24cf06591900ffc00f5f50dc5fa892
• 0x8f8ab407c1dc380c8302976df184ab3e78ec1c0f
• 0xc3d088dc15a3b01277f301f8b42427bdc3a8ecb7
• 0x2147921681116d2459b5bb105036791cbb0ff58f
• 0xe9c2d7ff6bcc307a229907bb923d1679121b381e
• 0x274011ae1a0fc9b6349ff753f8e2e00367d8dcc6
• 0xb1b2d7b8a308fa85954bfba419400fe52c9ffe9b
• 0xd5140c82d5b4edce7c27e602df6fea4738b91838
• 0x29eb1561d21d6a6609a092ee3ce742062c9745dd
• 0x41df876ee930a76c8145758dcc9b6f53d4c153df
• 0x43c05e6b70184d7757d281ee514ab2b1b90e0cfb

Related Transactions (Sei Network Explorer)

Notable hashes include:

• 0x3bc6f9a1d51e1afa57a25de570c3e628de3efe56e4765d2c7d2769f049b2e9dc
• 0x539e0904936a5d7118d4b0e6920754d101c364a337ec83b8d2c811d785a91b14
• 0x5aa38ada9b075f4b4c2b5278459a4b3d345cb58fb0077bea4f8624926295d892
• 0x05aa8e4df48739cf9c4b1ff41aad58bcec02c64e24f74cec2b0c75f8fc15505f
• 0x1e5d05aa56105cd58165715a4b4728c2620da2671ad7dfb64eb1261d3de78f65
• 0x68f634ffddbcf967fb11864f4cbe9e6881565fe8fd5b65786e8787e365de6ba9
• 0xf08a4fc4a5e3a9e29e0964874aa25a3b431466b013462e5c3ba0f6a58a6cbebd
• 0x1304f837793ee2c391b5d924362d4b31eb4de8e98a3d6e5d45dec9e0db22efec
• 0x8b11ba6cb5f00c79c4415d81c264d49f82d39df9c55dd2a1ecac9aa443a0716f
• 0x5e9977c21eb8835b1bcc065cadfb13bf6168e01e4d57135ccda36fb4a220b7ed
• 0x9d5081c5bee53bc96340a1aea30a8dcb65b98cd02a464bc9233af360fa4587f
• 0xb7f01238192b850fcaa8d3544962eef3b5d0bb6ff129bcc78c75156cf88d8af2
• 0xa76f4205fbdad1e963287b5b78a9019b2253e69aa40a3e77991a09ee946469ad
• 0x86840ca6b19fccf0c39376dc498e754552d34c8f45a579af5f096e6557e6819a
• 0x6c2e18581b14ad73811cb27d95a206b6b2129c95c35371ccfe275d001dd27eb4
• 0x7cf43b142339af01422d3ebd925b98c87144817c7643cc3001cb0d51357fedbf
• 0x036f926bac0f242a4d3851f3c1a1a70b7ae7cf244d95500e08c06ddfafba97ae
• 0x0d9e6c4383538748dfef5c0edd973c29ea736988ef3e49461dd29362dcc33a43
• 0x09f92613e62817538626d3fbd069c3a8a6fa86d73604eb8ae3329e1edb367b4a
• 0x27a0be78994ebc8d0a1146ef1e882d1aa47f74b274c51f053a0a213c75784fd1
• 0x5dc2ea836d514838f9340f256e1a203644f766d4e7ce7844135ca793bfabd512
• 0x79ccf4e2eac6175ce77b77402756edd8de6451a99524575bf246d94078308808
• 0x606b40b8efed552b0d29bd984582a95bdc50e7106f548947253946e92300f101
• 0xc044d4260d7bf9bafb246412a1c328da1f2670a1c8a3cafb3f4524c36e10cb4c
• 0x89a776a63d0e457a3b70cc6d3b8efcae3543fd26258dcd8cfc3f0308f947bcb4

Immediate Response Actions

• Trading Halted. All trading and withdrawal operations were paused immediately upon detection.
• Filament engaged blockchain forensic partners and law enforcement to aid in tracking and legal escalation.
• All addresses and transaction hashes submitted to authorities.
• Prompt public disclosure of the incident, with contact points for security firms and white hats.

Recovery Efforts

• Filament is offering a 10% bounty for return of 90% of stolen funds. Full immunity and anonymity are guaranteed if cooperation is complete. Contact: admin@filament.finance
• Coordination with ecosystem partners (e.g., bridges, exchanges) is ongoing to freeze or trace funds.
• Post-mortem and architecture reviews are underway to implement:
• Anti-spoofing mechanisms on order books
• Per-user liquidation throttles
• Circuit breakers for abnormal price movements
• KYC-optional guardrails for fund exits

Takeaways

This exploit underscores a recurring theme in DeFi: the exploitation of market mechanics, not smart contract bugs.

The protocol’s logic behaved as programmed — but its economic design and absence of manipulation protections made it vulnerable.

Protocols must now treat economic exploits as first-class threats — not just coding bugs.

Real-time monitoring, simulation of adversarial behaviors, and rigorous attack modeling should be essential in every protocol’s security stack.