How Filament Finance got exploited of $572k

What Happened?

On April 6, 2025, between 12:00 AM and 4:00 AM UTC, Filament Finance was targeted in a coordinated exploit that resulted in the loss of approximately $572,000 worth of user funds.

The attacker manipulated Filament’s on-chain order book through spoofed order placements and self-liquidation loops, ultimately draining the majority of protocol deposits.
 

TL;DR

• Attack Duration: 4 hours (April 6, 12:00 AM – 4:00 AM UTC)
• Total User Deposits Before Attack: $680,000
• Estimated Loss: ~$572,000
• Method of Exploit: Order book manipulation and liquidation abuse
   

Attack Vector: Order Book Manipulation

The exploit took advantage of the protocol’s thin liquidity and execution logic:

1. The attacker created multiple accounts and began placing large spoof orders (orders that were never intended to be filled) to artificially inflate the price of certain assets.
2. These orders were matched against the attacker’s other accounts, executing trades at manipulated prices. This moved the price in a predictable direction without involving external buyers/sellers.
3. The attacker used inflated prices to open over-leveraged positions using small collateral.
4. When the prices were later manipulated in the opposite direction, these positions became undercollateralized. The attacker used a separate account to trigger self-liquidations at favorable rates, allowing extraction of inflated asset values from the platform.
5. This loop was executed across multiple accounts to repeatedly drain liquidity.

The core issue stemmed from inadequate circuit breakers in the liquidation logic and a lack of guardrails against multi-account manipulation.
 

Exploit Timeline

• 12:00 AM UTC: Initial spoof orders appear on Filament’s order book.
• 12:15 AM UTC: First batch of self-trades executed.
• 12:45 AM UTC: Leveraged positions initiated by the attacker using manipulated prices.
• 1:30 AM UTC: Reverse manipulation begins, triggering cascading liquidations.
• 2:00 AM – 4:00 AM UTC: Multiple cycles of price manipulation and liquidation executed.
• 4:00 AM UTC: Admin keys used to halt trading and withdrawals.

Fund Movement

• Bridge Used: Symbiosis Bridge
• Destination Exchange: FixedFloat

Funds were dispersed across numerous wallets and bridged out shortly after being extracted.
 

Known Attacker Wallets

• 0x6aa5214abb24cf06591900ffc00f5f50dc5fa892
• 0x8f8ab407c1dc380c8302976df184ab3e78ec1c0f
• 0xc3d088dc15a3b01277f301f8b42427bdc3a8ecb7
• 0x2147921681116d2459b5bb105036791cbb0ff58f
• 0xe9c2d7ff6bcc307a229907bb923d1679121b381e
• 0x274011ae1a0fc9b6349ff753f8e2e00367d8dcc6
• 0xb1b2d7b8a308fa85954bfba419400fe52c9ffe9b
• 0xd5140c82d5b4edce7c27e602df6fea4738b91838
• 0x29eb1561d21d6a6609a092ee3ce742062c9745dd
• 0x41df876ee930a76c8145758dcc9b6f53d4c153df
• 0x43c05e6b70184d7757d281ee514ab2b1b90e0cfb
   

Related Transactions (Sei Network Explorer)

Notable hashes include:

• 0x3bc6f9a1d51e1afa57a25de570c3e628de3efe56e4765d2c7d2769f049b2e9dc
• 0x539e0904936a5d7118d4b0e6920754d101c364a337ec83b8d2c811d785a91b14
• 0x5aa38ada9b075f4b4c2b5278459a4b3d345cb58fb0077bea4f8624926295d892
• 0x05aa8e4df48739cf9c4b1ff41aad58bcec02c64e24f74cec2b0c75f8fc15505f
• 0x1e5d05aa56105cd58165715a4b4728c2620da2671ad7dfb64eb1261d3de78f65
• 0x68f634ffddbcf967fb11864f4cbe9e6881565fe8fd5b65786e8787e365de6ba9
• 0xf08a4fc4a5e3a9e29e0964874aa25a3b431466b013462e5c3ba0f6a58a6cbebd
• 0x1304f837793ee2c391b5d924362d4b31eb4de8e98a3d6e5d45dec9e0db22efec
• 0x8b11ba6cb5f00c79c4415d81c264d49f82d39df9c55dd2a1ecac9aa443a0716f
• 0x5e9977c21eb8835b1bcc065cadfb13bf6168e01e4d57135ccda36fb4a220b7ed
• 0x9d5081c5bee53bc96340a1aea30a8dcb65b98cd02a464bc9233af360fa4587f
• 0xb7f01238192b850fcaa8d3544962eef3b5d0bb6ff129bcc78c75156cf88d8af2
• 0xa76f4205fbdad1e963287b5b78a9019b2253e69aa40a3e77991a09ee946469ad
• 0x86840ca6b19fccf0c39376dc498e754552d34c8f45a579af5f096e6557e6819a
• 0x6c2e18581b14ad73811cb27d95a206b6b2129c95c35371ccfe275d001dd27eb4
• 0x7cf43b142339af01422d3ebd925b98c87144817c7643cc3001cb0d51357fedbf
• 0x036f926bac0f242a4d3851f3c1a1a70b7ae7cf244d95500e08c06ddfafba97ae
• 0x0d9e6c4383538748dfef5c0edd973c29ea736988ef3e49461dd29362dcc33a43
• 0x09f92613e62817538626d3fbd069c3a8a6fa86d73604eb8ae3329e1edb367b4a
• 0x27a0be78994ebc8d0a1146ef1e882d1aa47f74b274c51f053a0a213c75784fd1
• 0x5dc2ea836d514838f9340f256e1a203644f766d4e7ce7844135ca793bfabd512
• 0x79ccf4e2eac6175ce77b77402756edd8de6451a99524575bf246d94078308808
• 0x606b40b8efed552b0d29bd984582a95bdc50e7106f548947253946e92300f101
• 0xc044d4260d7bf9bafb246412a1c328da1f2670a1c8a3cafb3f4524c36e10cb4c
• 0x89a776a63d0e457a3b70cc6d3b8efcae3543fd26258dcd8cfc3f0308f947bcb4
   

Immediate Response Actions

• Trading Halted. All trading and withdrawal operations were paused immediately upon detection.
• Filament engaged blockchain forensic partners and law enforcement to aid in tracking and legal escalation.
• All addresses and transaction hashes submitted to authorities.
• Prompt public disclosure of the incident, with contact points for security firms and white hats.

Recovery Efforts

• Filament is offering a 10% bounty for return of 90% of stolen funds. Full immunity and anonymity are guaranteed if cooperation is complete. Contact: admin@filament.finance
• Coordination with ecosystem partners (e.g., bridges, exchanges) is ongoing to freeze or trace funds.
• Post-mortem and architecture reviews are underway to implement:
  • Anti-spoofing mechanisms on order books
  • Per-user liquidation throttles
  • Circuit breakers for abnormal price movements
  • KYC-optional guardrails for fund exits
     

How the attack could have been prevented

The attack was sophisticated in nature and team is working to apply certain changes to the architecture. The reason behind the attack was the vulnerability in how the protocol maps collateral from the liquidated positions. In order to prevent this, the protocol should have differentiated the mappings for active and liquidated collateral which would have prevented collateral to inflate.

Moreover, safety guards should be implemented like halting trading in case of high orderbook imbalances. Also shared liquidity model in this case increased the scope of attack. There should be mechanism to avoid liquidity sharing like reviewing large withdrawals from the pool.
 

Takeaways

This exploit underscores a recurring theme in DeFi: the exploitation of market mechanics, not smart contract bugs.

The protocol's logic behaved as programmed—but its economic design and absence of manipulation protections made it vulnerable.

Protocols must now treat economic exploits as first-class threats—not just coding bugs.

Real-time monitoring, simulation of adversarial behaviors, and rigorous attack modeling should be essential in every protocol's security stack.