Was the October 11th crash the result of a targeted attack?

Original Title: "Was the October 11th Crash a Targeted Attack?"

Original Author: Aussie Master, Crypto KOL

These past few days, as I was writing my post about liquidation, I couldn't help but ponder this question, because in the face of such a massive liquidation, who was the biggest beneficiary in the end? How much did they earn?

Today, @yq_acc's post helped me rethink the logic by neatly laying out the timeline.

After chatting with her, I discovered that many coincidences stacked together make this crash appear somewhat strange. The more I look at it, the more it resembles a carefully planned targeted attack, similar to what was seen during the previous LUNA collapse.

-- Targeting systemic risk accumulation, gently nudging at vulnerabilities

YQ's post is lengthy, so I'll briefly mention a few details and my own speculations to see what exactly happened:

The catalyst for this major crash lies in three tokens — USDe, WBETH, and BnSOL, with the latter two using spot prices for their oracles. However, for assets with low liquidity, spot prices can be easily manipulated. Binance had also recognized the risk beforehand and announced a plan to change the oracle on the 14th day (later revised to the 11th day).

The attack then happened just before the oracle update, capitalizing on the vulnerability of the oracle not being updated, leading to a second wave of complete collapse.

Next, let's see how the attack unfolded:

First was USDe, where during the attack (5:43 am), an instant $60 million spot sell-off occurred. The attacker must have gradually accumulated enough chips over time and then dumped them all at once. The lack of spot liquidity for USDe was insufficient to withstand the initial shock, resulting in the first de-pegging.

By 5:44, USDe plummeted to a low of $0.89, causing the value of positions collateralized by USDe to rapidly drop, triggering margin calls.

Due to Binance's unified margin system allowing for cross-asset collateralization, this led to the forced liquidation of wBETH and BNSOL positions. The manipulated liquidations in the poor liquidity of wBETH and BNSOL (with wBETH's average daily trading depth at only about 2,000 ETH) caused a temporary de-pegging of over 20% in their spot prices. Meanwhile, Binance's collateral value oracle still relied on spot prices, causing the collateral to shrink drastically, triggering a violent market liquidation.

Then the recursive settlement loop began (BN crashed due to a short-term traffic explosion):

Users employing a yield farming strategy (staking ETH/SOL → minting wBETH/BNSOL → borrowing USDT → swapping for USDe) faced a complete account liquidation. When USDe deviated from its peg, causing the collateral ratio to fall below the 91% threshold, the system automatically liquidated all assets, further intensifying selling pressure on wBETH/BNSOL.

Ultimately reaching the peak of the deviation: USDe 0.65 wBETH dropped to $430, and BNSOL dropped to $34.90.

Why I Suspect a Targeted Attack:

Coincidence One: The attack occurred just before Binance announced fixes for two key assets (BNSOL and wBETH) regarding a oracle vulnerability.

Coincidence Two: The attacker instantly dumped up to $60M of USDE spot, disregarding any slippage loss from such a sale, which is highly unusual.

To be honest, instances of such oracle attacks triggering cascading liquidations for profit occurred many times during the previous DeFi summer. However, this time, it may be that Binance's size was too massive, and there was no flash loan assistance to leverage, forcing the attacker to spend a significant amount of time and money on preparation.

The potential profit for the attacker, as speculated by @yq_acc, is close to my previous post:

· Potential Short Profit: $3-4 billion
· Assets Accumulated at Inadequate Prices: $4-6 billion
· Cross-Exchange Arbitrage: $1-2 billion
· Potential Total Profit: $8-12 billion

Perhaps the largest profit from an attack in recent years?

If Binance wanted to, they could probably use KYC to identify the attacker's identity in the early morning (although it could be a false identity). Morally speaking, the attacker is not committing a crime but rather exploiting a loophole in the rules by triggering the biggest avalanche in crypto history with a small snowball.

Can they be convicted? I cannot say.

I suggest @cz_binance @heyibinance @binance look into this to see if what I'm saying makes sense. Also, I recommend checking out YQ's original article when you have time; the timeline presented is excellent, and it includes the MM's retreat time, providing a different perspective on why Binance's on-platform spot was lower than other exchanges, as Binance's on-platform MM suffered heavy losses and had to retreat for safety during the disaster.

Original Post Link

Welcome to join the official BlockBeats community:

Telegram Subscription Group: https://t.me/theblockbeats

Telegram Discussion Group: https://t.me/BlockBeats_App

Official Twitter Account: https://twitter.com/BlockBeatsAsia