After the BTCUSDC plug attack at 2:44 on June 18, 2024, I used the API to capture the transaction records at that time. The screenshot is the BTC order history of the attack.
Let me describe what happened:
1. From 35529ms to 35555ms (26ms), the attacker sold a large number of orders, lowering the price from 66895 to 63689, at 200 orders per ms, with a total transaction volume of 778 BTC and an overall average transaction price of 65700.
2. The price was quickly manipulated to -5%. This is because Binance has spread protection, and the goal is to trigger stop-loss orders. Then the price fluctuated widely around 66k for tens of seconds and gradually returned to normal. There are usually only a few orders per ms.
3. The market recovery process was accompanied by the triggering of a large number of stop-loss orders. Because the mark price basically did not change, there should have been no forced liquidation orders; the activity was mainly triggered by market stop-loss orders. Market sells were 380 BTC at an average transaction price of 66400, and market buys were 509 BTC at an average transaction price of 66340.
4. The attack may have been a loss. Calculated at the market price of 66800, the attacker's selling loss is -824k, the market stop-loss selling loss is -152k, the market buy profit is 234k, and the total profit and loss is -742k.
5. The whole process mainly lets liquidity providers make profits, because the price recovers after the flash crash. Whether the attacker makes a profit depends on how much of the liquidity he occupies in this process.
This matter is similar to an on-chain oracle attack, which manipulates prices by making a large number of transactions within milliseconds.
It's ridiculous that on the decentralized chain, people try to find the hacker and convict him, while in centralized exchanges, this behavior is tacitly condoned and protected.
I don't know if what I see is correct, but if you can't be protected here, the best choice is to leave.
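
As an added example (not part of the original post), here is one way to flag the pattern described in step 1 from captured trade records: a sliding window that alerts when taker sells pile up within milliseconds while the price drops sharply. The `Trade` fields, the thresholds, and the sample tape are assumptions constructed from the figures in the post, not real exchange data.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Trade:
    ts_ms: int     # trade time, ms
    price: float
    qty: float     # BTC
    is_sell: bool  # True when the aggressor (taker) sold

def find_sell_bursts(trades, window_ms=50, min_drop=0.03, min_sells=1000):
    """Alert when, inside one sliding window, taker sells reach min_sells
    and price has fallen min_drop from the window's first trade.
    All three thresholds are assumptions for illustration."""
    window, sells, sell_qty, alerts = deque(), 0, 0.0, []
    for t in sorted(trades, key=lambda x: x.ts_ms):
        window.append(t)
        if t.is_sell:
            sells, sell_qty = sells + 1, sell_qty + t.qty
        while window[0].ts_ms < t.ts_ms - window_ms:   # expire old trades
            old = window.popleft()
            if old.is_sell:
                sells, sell_qty = sells - 1, sell_qty - old.qty
        drop = (window[0].price - t.price) / window[0].price
        if sells >= min_sells and drop >= min_drop:
            alerts.append({"ts_ms": t.ts_ms, "drop": drop,
                           "sells": sells, "sell_qty": sell_qty})
            window.clear()                  # one alert per burst
            sells, sell_qty = 0, 0.0
    return alerts

def constructed_tape():
    """Constructed sample shaped like the post's figures, not real data."""
    tape = [Trade(ts, 66895.0, 0.05, i % 2 == 0)           # quiet market
            for i, ts in enumerate(range(35000, 35529, 4))]
    n = 26 * 200                                            # 26 ms x 200 orders/ms
    tape += [Trade(35529 + i // 200, 66895 - 3206 * i / (n - 1), 778 / n, True)
             for i in range(n)]                             # 66895 -> 63689
    tape += [Trade(ts, 66000.0 + (100 if i % 2 else -100), 0.05, i % 2 == 0)
             for i, ts in enumerate(range(35555, 36555, 5))]  # recovery near 66k
    return tape

if __name__ == "__main__":
    for a in find_sell_bursts(constructed_tape()):
        print(f"t={a['ts_ms']}ms drop={a['drop']:.2%} "
              f"sells={a['sells']} qty={a['sell_qty']:.1f} BTC")
```

The alert fires as soon as the 3% threshold is crossed inside the burst, so the reported drop is the value at detection time, not the full depth of the move.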