Replay of the ACT Flash Crash on Binance: Who’s Manipulating the Market?
Author: @OwenJin12
Translation: WuBlockchain
On April 1st, the price of ACT on Binance suddenly plummeted—dropping over 49% within 30 minutes. Binance’s preliminary investigation showed that three VIP users collectively sold approximately 514,000 USDT worth of ACT in a short span of time via cross-selling. Additionally, a non-VIP user transferred in about 540,000 USDT of ACT from another platform and sold it, triggering a price drop, liquidating some users’ futures positions, and causing contagion to other tokens. Binance has found no evidence of a single account making large profits and confirmed that it did not proactively reduce any users’ positions.
Conclusion: In my view, this wasn’t a deliberate price smash orchestrated by Binance & Wintermute. Instead, there appear to have been abnormal positions held by unidentified users. As risk controls tightened, someone “lit the fuse” early. Binance’s insurance fund actually took a hit of around $2 million.
Unusually Frequent Risk Control Adjustments
According to standard risk limit management practices, futures contracts’ risk limits are typically adjusted based on trading volume, depth, and other data. The risk limits must align with contract performance—otherwise, when open interest (OI) becomes large, the index and mark prices become vulnerable to spot price manipulation or even targeted liquidations.
From the end of March, Binance made three consecutive adjustments to the ACT contract’s risk limits:
• March 28: Max leverage reduced from 25x to 10x
https://www.binance.com/en/support/announcement/detail/70c0260ac77048e2895689425b1fac00
• March 31: Max position reduced from 9M to 4.5M
https://www.binance.com/en/support/announcement/detail/58eeefd68e444555a368118760f93d30
• April 1: Max position further reduced from 4.5M to 3.5M
https://www.binance.com/en/support/announcement/detail/4d5f22d4048345d4b7cbb7920d2af2ee
From a risk control perspective, this is not a normal adjustment frequency. Most adjustments are typically made in one go. It would have been possible to directly adjust the maximum leverage to 10x and the maximum position to 3.5M on March 28. During these four days, there was no significant change in ACT contract trading volume, depth, or other data, yet the trading risk control rules were modified gradually—if this wasn’t a “mistake by an intern,” it more likely suggests that the trading risk control team identified the presence of an “abnormal user” on this contract and used the risk control rules to guide the user into unwinding a dangerous position.
Beyond what’s stated in the announcement, if we look at the ACT insurance fund, we can also see further action taken from a risk control standpoint—the ACT insurance fund was changed from a shared pool to a separate 5M position after March 28.
The contract’s insurance fund is one of the essential infrastructures that ensures normal trading operations. Simply put, the exchange pre-deposits a portion of funds as the base capital to serve as the insurance fund:
1. When a user’s position is forcefully liquidated and incurs a loss beyond the bankruptcy price (i.e., the actual liquidation price is worse than the bankruptcy price), the resulting deficit—where the user technically owes the exchange money—is not borne by the user but is instead covered by the insurance fund.
2. Conversely, when a forced liquidation does not lead to a shortfall and there is some surplus, that surplus is transferred to the insurance fund to offset future liquidation losses.
3. In extreme cases, if the insurance fund suffers rapid losses or even becomes depleted, user positions will enter the ADL (Auto-Deleveraging) mechanism and be matched with opposing positions.
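The three rules above as a settlement routine. This is an added example, not code from the original article or from Binance; the `Liquidation` fields, the `settle` function and the sample numbers are constructed for illustration, and ADL is modelled only as the shortfall the fund could not cover.

```python
from dataclasses import dataclass
from decimal import Decimal as D

@dataclass
class Liquidation:
    side: str        # side of the liquidated position: "long" or "short"
    size: D          # position size in coins
    bankruptcy: D    # price at which the position's margin is exactly zero
    fill: D          # average price the liquidation order actually achieved

def settle(fund, liquidations):
    """Run liquidations through the fund in order.

    Returns (fund_balance, log); each log row is
    (change_in_fund, shortfall_left_for_adl).
    """
    log = []
    for lq in liquidations:
        sign = 1 if lq.side == "long" else -1
        # > 0: filled better than bankruptcy (rule 2); < 0: worse (rule 1)
        result = sign * (lq.fill - lq.bankruptcy) * lq.size
        if result >= 0:
            fund += result
            log.append((result, D(0)))
        else:
            covered = min(fund, -result)      # the fund cannot go negative
            fund -= covered
            log.append((-covered, -result - covered))   # rule 3 remainder
    return fund, log

# Constructed sample: three long liquidations during a fast price drop.
SAMPLE = [
    Liquidation("long", D("10000000"), D("0.170"), D("0.172")),
    Liquidation("long", D("30000000"), D("0.160"), D("0.110")),
    Liquidation("long", D("60000000"), D("0.150"), D("0.090")),
]

if __name__ == "__main__":
    balance, rows = settle(D("5000000"), SAMPLE)
    for delta, adl in rows:
        print(f"fund change {delta:>14,.0f}   ADL shortfall {adl:>10,.0f}")
    print(f"final fund balance {balance:,.0f}")
```

With the constructed inputs, the first liquidation adds a small surplus, the second is absorbed by the fund, and the third exhausts it and leaves a remainder that would have to be handled by ADL.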
You can view Binance’s contract insurance fund balance here:
https://www.binance.com/en/futures/funding-history/perpetual/insurance-fund-history
And the rules regarding Binance’s insurance fund are available here:
https://www.binance.com/zh-CN/support/faq/detail/360033525371
Therefore, the conclusion is quite clear: an unverified and uncontacted user (or perhaps contacted but uncooperative?) had accumulated a large position on the ACT contract. As market conditions deteriorated and liquidity thinned, the user’s position posed a liquidation risk that could result in a shortfall—leading to losses for the insurance fund and negatively impacting the overall trading experience for all ACT users. To prevent this “abnormal position” from potentially manipulating the market in the future, the risk control team implemented a series of guided interventions over a short period.
How do we define an “abnormal user” or “abnormal position”?
The following is a logical inference based on publicly available information:
1. This user is not one of Binance’s main contract market makers.
If they were an internal market maker for Binance, they could gradually reduce their position on their own without requiring frequent public announcements or short-term adjustments to risk control rules.
2. This user is not a liquidity market maker officially invited by ACT.
If the user were a third-party market maker like Wintermute, the exchange would typically communicate directly with top position holders on a 1-on-1 basis before adjusting maximum position limits—rather than triggering an emergency liquidation situation like this. In this case, the announcement was made at 15:32, the risk limit took effect at 18:30, and the price drop occurred at 18:32. A normal market maker would have proactively reduced their position between 15:32 and 18:30.
3. This user’s position is already large enough to pose a threat to the insurance fund, far exceeding the ±N% depth of the opposing order book, otherwise there would be no need for an adjustment (this N depends on the exchange’s internal strategy).
In general, when trading risk control discovers such an abnormal position, it will try to avoid obvious impact on investors, which is why adjustments are made in batches. For example:
ABC spot trading volume is only 2M, ±50% depth is only 1M. When the market is good, contract demand is strong, so a maximum position of 100M is provided. During this period, one user quietly accumulates an 80M contract position. When the market worsens and depth decreases, in order to reduce risk and minimize market impact, the maximum position is definitely adjusted step-by-step:
First from 100M down to 80M,
Second from 80M down to 60M,
Third from 60M down to 40M,
Fourth from 40M down to 10M,
and so on, to guide the “abnormal user” to gradually unwind the position.
If it were directly reduced from 100M to 10M, the user would crash the market during the first adjustment.
Possible Motives
1. First possibility — Controlling the contract mark price via low market cap spot
As with Hyperliquid & JELLYJELLY, where spot liquidity is thin and the contract accumulates high OI, this may be a trading strategy like the one used on the JELLY contract on Hyperliquid, which aims to attack the insurance fund. Another profitable position might be opened on a different exchange.
Of course, it could also be purely coincidental. But considering that Hyperliquid Vaults have already been attacked frequently, I personally think it might not be a coincidence, and instead, a team may be attempting to manipulate low market cap contracts with thin depth. After being discovered by Binance, the risk control rules were used in advance to “squeeze the bubble.”
This kind of strategy has already been written about many times, so I won’t repeat it here. But the typical characteristics of this trading strategy are:
① Low market cap, limited USDT funds used for manipulation;
② The manipulation period maintains a negative funding rate.
It’s unclear whether this “abnormal user” intended to carry out this strategy, but judging from the order book before the risk control rules “squeezed the bubble,” we didn’t observe the above characteristics—leading to a second possibility.
2. Second possibility — Spoofing & Ignition
ACT is not a typical low market cap contract case we’ve seen before—in fact, before the drop, ACT was a mid-cap contract with a 200M fully circulating supply. Manipulating the spot order book of a contract of this size would require significantly more capital than the previously mentioned 10M-level low market cap contracts.
Based on the spot & contract order book data at the time, it’s also possible that the “abnormal user” had been accumulating positions in both the spot and futures markets, and when faced with tighter risk control, they temporarily initiated a spoofing + ignition momentum strategy:
① Spoofing:
This was discussed in the second article of the contract series—spoofing refers to placing and frequently canceling large orders to mislead the behavior of other participants.
Since most of today’s financial trading volume is executed by liquidity market makers and professional users’ algorithmic strategies, “algorithms” have instead become the main contributors to market trading volume and order book activity. Although each firm has its own secret sauce when it comes to algorithms, the factors they choose tend to be quite similar, such as order book depth difference within ±N%, or trading volume increasing 5 times above the average level of the past N days—these are examples of order book and volume-related factors.
When retail participation in the market is low and the majority of trading volume is driven by “algorithms,” a whale can deliberately manipulate the order book to train these “algorithms” into becoming their own “herd,” while they themselves act as the “shepherd.” For example, repeatedly placing large sell orders can cause some of the buy orders to cancel, then using small market sell orders in a thin order book to trigger a price drop. The algorithms follow suit, and the whale then withdraws their sell orders and opens long positions at a low price—thus achieving the goal of accumulating at the bottom.
Spoofing sounds mysterious, but it’s a real phenomenon in financial markets, and there have been multiple penalty cases. If you’re interested, you can look up the 2016 case of Michael Coscia, who was sentenced to 3 years for spoofing.
② Momentum Ignition Trading
This is commonly seen in the commodity futures market, in trading products where candlestick moving averages converge at key levels. On one hand, this indicates a balance between long and short positions; on the other hand, it shows that neither side has the strength to break through in a low-liquidity environment. When such a product loses attention and depth weakens at a key level, traders often deliberately launch attacks—using market orders at moments of thin liquidity, combined with news, to break through key levels. Retail traders may follow the news and go short, and some algorithms may also reverse their trading direction due to spoofing or changes in their selected factors.
In fact, ACT traded within a narrow range of 0.18 ± 0.02 almost the entire time between March 2 and April 2. On the 4-hour chart, the moving averages had already converged, placing it at a key technical level—what comes next is a breakout with volume. Whether it breaks upward or downward, a strong trend is likely to follow.
Looking back at that time, at 18:32, a 1M market sell order appeared on ACT’s Binance spot order book, and a 63M market sell order appeared on the contract order book—both far exceeding the usual market order taker volume seen in recent trading days. At the same time, the depth of both the spot and contract order books changed significantly at 18:32. Although we cannot know the exact details of each algorithm, this market sell order from the “abnormal user” did indeed trigger a collective cancellation of algorithmic orders that were previously placed. By comparing before and after 18:32, we can clearly see a change in the depth structure (here, coin-denominated depth was used to eliminate the impact of price changes on depth).
The abnormal market sell order and the withdrawal of algorithmic limit orders caused the price drop to be very smooth, and retail traders also joined the short side following the news.
Common Handling Methods
Based on the above information, I personally believe that neither Binance nor Wintermute deliberately crashed the market. The market sell order at 18:32 triggered a 40% price drop, and a 40% price spread per minute would definitely cause forced liquidation settlements to go beyond the bankruptcy price. This kind of crash is a loss-making move that would result in losses for the insurance fund and liquidity market makers, so neither of them has the motivation to do this.
In fact, from the insurance fund data, we can see that on April 1, Binance’s insurance fund balance for ACT decreased by 2M (due to liquidation beyond the bankruptcy price).
This type of attack was also very common in the previous bear market. On the trading side, both spot and futures are usually monitored simultaneously to detect abnormal trading behavior:
① Spot: For large holders, a single taker order must be smaller than N% of the opposing depth; the excess quantity cannot be executed, to prevent the taker from crashing the market too quickly and dragging down the contract mark price—or to guide the user toward OTC trading;
② Futures: Based on spot depth and futures trading volume, perform refined management of futures risk limits — “squeezing the bubble”;
③ Spoofing: For whales with very large positions, if they frequently place and cancel orders, then limit their order frequency, or charge a fee for each order even if it’s not filled, to increase the cost of intimidating the market with large orders. Of course, the most direct method is still to guide them to OTC trading.
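Controls ① and ③ expressed as surveillance checks over an order book and an order-event stream. This is an added example, not code from the original article or from any exchange; the function names, the event format, the thresholds and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict

def cap_taker(qty, opposing_levels, n_pct):
    """Control 1: execute at most n_pct% of the opposing-side depth.

    opposing_levels: [(price, qty), ...] resting orders the taker would hit.
    Returns (executable_qty, rejected_excess).
    """
    depth = sum(q for _, q in opposing_levels)
    executable = min(qty, depth * n_pct / 100)
    return executable, qty - executable

def spoof_suspects(events, large_qty, max_life_s, min_count):
    """Control 3: flag accounts that repeatedly place large orders and
    cancel them completely unfilled within max_life_s seconds.

    events: (ts_seconds, account, order_id, action, qty) sorted by time,
    action in {"place", "fill", "cancel"}.
    """
    tracked = {}                      # order_id -> [account, placed_ts, filled]
    quick_cancels = defaultdict(int)
    for ts, acct, oid, action, qty in events:
        if action == "place" and qty >= large_qty:
            tracked[oid] = [acct, ts, False]
        elif oid in tracked:
            if action == "fill":
                tracked[oid][2] = True    # any fill means it was a real order
            elif action == "cancel":
                owner, placed, filled = tracked.pop(oid)
                if not filled and ts - placed <= max_life_s:
                    quick_cancels[owner] += 1
    return {a: n for a, n in quick_cancels.items() if n >= min_count}

# Constructed sample data (hypothetical accounts and sizes).
BIDS = [(0.180, 400_000), (0.179, 350_000), (0.178, 250_000)]
EVENTS = [
    (0, "acct_A", "a1", "place", 500_000), (1, "acct_A", "a1", "cancel", 500_000),
    (2, "acct_A", "a2", "place", 500_000), (3, "acct_A", "a2", "cancel", 500_000),
    (4, "acct_A", "a3", "place", 500_000), (5, "acct_A", "a3", "cancel", 500_000),
    (6, "mm_1", "m1", "place", 400_000), (7, "mm_1", "m1", "fill", 100_000),
    (8, "mm_1", "m1", "cancel", 300_000),
    (9, "retail", "r1", "place", 50), (10, "retail", "r1", "cancel", 50),
]

if __name__ == "__main__":
    print(cap_taker(250_000, BIDS, n_pct=10))
    print(spoof_suspects(EVENTS, large_qty=100_000, max_life_s=5, min_count=3))
```

An account returned by `spoof_suspects` is a candidate for the responses the article lists: a lower order-rate limit, a per-order fee, or referral to OTC.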
It’s once again the time when poor market conditions test the strength of risk control teams~ In past bear markets, professional attackers often targeted exchange insurance funds and cross-chain bridge custody funds. Only those exchanges with strong risk control expertise survive! Judging from the current situation, it’s definitely stronger than Hyperliquid’s risk control.