PANews reported on October 20th that Sharwa.Finance disclosed an attack and subsequent suspension of operations, according to a BlockSec Phalcon alert. However, several suspicious transactions occurred hours later, likely exploiting the same underlying vulnerability through a slightly different attack path. Overall, the attacker first created a margin account, then used the provided collateral to borrow additional assets through leveraged lending, and finally launched a "sandwich attack" targeting swap operations involving the borrowed assets. The root cause appears to be a missing bankruptcy check in the swap() function of the MarginTrading contract, which is used to swap borrowed assets from one token (such as WBTC) to another (such as USDC). This function only verifies solvency based on the account's state at the time the swap begins, before executing the asset swap. This leaves room for manipulation. Attacker 1 (beginning with 0xd356) conducted multiple attacks, profiting approximately $61,000. Attacker 2 (beginning with 0xaa24) conducted a single attack, profiting approximately $85,000.PANews reported on October 20th that Sharwa.Finance disclosed an attack and subsequent suspension of operations, according to a BlockSec Phalcon alert. However, several suspicious transactions occurred hours later, likely exploiting the same underlying vulnerability through a slightly different attack path. Overall, the attacker first created a margin account, then used the provided collateral to borrow additional assets through leveraged lending, and finally launched a "sandwich attack" targeting swap operations involving the borrowed assets. The root cause appears to be a missing bankruptcy check in the swap() function of the MarginTrading contract, which is used to swap borrowed assets from one token (such as WBTC) to another (such as USDC). This function only verifies solvency based on the account's state at the time the swap begins, before executing the asset swap. This leaves room for manipulation. Attacker 1 (beginning with 0xd356) conducted multiple attacks, profiting approximately $61,000. Attacker 2 (beginning with 0xaa24) conducted a single attack, profiting approximately $85,000.