Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
According to a BlockSec Phalcon alert, Sharwa.Finance disclosed that it had suffered an attack and subsequently suspended operations. However, several hours later, multiple suspicious transactions occurred again, suggesting that the attacker might have exploited the same underlying vulnerability through slightly different attack paths.In general, the attacker first created a margin account, then used the provided collateral to borrow additional assets through leveraged lending, and finally launched a sandwich attack targeting the swap operations involving the borrowed assets. The root cause appears to lie in the lack of a bankruptcy check in the swap() function of the MarginTrading contract. This function is responsible for swapping borrowed assets from one token (e.g., WBTC) to another (e.g., USDC). It verifies solvency only once — based on the account state at the start of the swap — before executing the asset exchange, leaving room for manipulation during the process.Attacker 1 (address starting with 0xd356) conducted multiple attacks, earning approximately USD 61,000, while Attacker 2 (address starting with 0xaa24) executed a single attack, gaining around USD 85,000. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 146,000.
- chain
- —
- protocol
- Sharwa.Finance
- bug_class
- logic
- date_occurred
- 2025-10-20
- loss_usd
- $146,000
- source_id
- sm:sharwa-finance::2025-10-20