
Sharwa Ephemeral Collateral Exploit

Oct 20, 2025 04:32 UTC
Status: Pending manual check
Estimated Impact (Loss): 37,877.47 USDC
Label: Attack
Exploit Tx: 2
Addresses: 8
Attack Window: 1m 34s (Oct 20, 2025 04:32 UTC → Oct 20, 2025 04:34 UTC)

Exploit Transactions

TX 1 (Arbitrum): 0xd64729c528e6689cb18b0c90345ab0c9ed18fea44247c89af2f1374643fc89c2 (Oct 20, 2025 04:32 UTC)
TX 2 (Arbitrum): 0x9f8b4841f805ec50cc6632068f759216d85633fbbe34afde86b97bbc41c23ead (Oct 20, 2025 04:34 UTC)

Victim Addresses

0xd50Dffb8a9997D1651F3AB67e55a394C81170137 (Arbitrum)
0x5c479762c8fe57b6d874893a4b4932b40f612580 (Arbitrum)
0xeD5c9c9B9A50C4A82DE3F67045b5fCF07Df138bC (Arbitrum)
0x02434cd23972c82fbabf610d157b41bfb45a45a3 (Arbitrum)
0x498e25cdEf28CEA358134a000d420E034513c4F8 (Arbitrum)
0x6696e9e81491364b5e0027ed045608493072ef87 (Arbitrum)
0x2D818e31DE8554886b8eA7Fc17A215d2f09eA747 (Arbitrum)
0xa7e66e3ab60a4eb52b44d89d697a0c90143660fd (Arbitrum)

Loss Breakdown

37,877.47 USDC

Root Cause Analysis

1. Incident Overview TL;DR

SharwaFinance on Arbitrum was exploited through its public one-click margin-trading flow. The attacker created a fresh margin account, deposited 2,200,000,000 raw USDC units, opened a 36,200,000-unit WBTC long, then caused the protocol to mint an ephemeral (temporary) token that Sharwa valued as if it were real USDC collateral. Because MarginTrading.withdrawERC20 evaluated account health before that temporary token was burned, the attacker withdrew 39,953,190,410 raw USDC units from the victim liquidity pool and left real debt behind. A second transaction used public flash liquidity and public swaps to close the position under manipulated venue conditions, repay only 2,075,724,303 raw USDC units, and realize 30,750,293 raw WBTC units of profit.

2. Key Background

Sharwa's margin system spans MarginTrading at 0xd50Dffb8a9997D1651F3AB67e55a394C81170137, MarginAccount at 0x5c479762c8fe57b6d874893a4b4932b40f612580, ModularSwapRouter at 0xeD5c9c9B9A50C4A82DE3F67045b5fCF07Df138bC, and the USDC LiquidityPool at 0x02434cd23972c82fbabf610d157b41bfb45a45a3. The public one-click output path uses OneClickEphemeralSwapOutput at 0x498e25cdEf28CEA358134a000d420E034513c4F8, which mints ephemeral token 0x6696e9e81491364b5e0027ed045608493072ef87 during swap execution. Sharwa also maps that ephemeral token to EphemeralSwapOutputUSDC at 0x2D818e31DE8554886b8eA7Fc17A215d2f09eA747, which values the token 1:1 as USDC. That design means a transient internal accounting token can influence solvency checks if the check occurs before burn/cleanup.

3. Vulnerability Analysis & Root Cause Summary

The vulnerability is a collateral-accounting failure in a public borrow-and-withdraw path. Sharwa whitelisted a freely mintable ephemeral token as a margin asset and assigned it a valuation module that returns the raw token amount as full USDC value. MarginTrading.prepareTokensParams includes every whitelisted ERC20 balance in the account valuation path, including the ephemeral token balance stored in MarginAccount. MarginTrading.withdrawERC20 and the borrow path both rely on that valuation before the temporary token is removed. OneClickEphemeralSwapOutput.swapOutput mints the ephemeral token, deposits it into the margin account, withdraws real USDC while the fake balance still exists, and only later withdraws and burns the ephemeral token. The protocol therefore accepts fake, non-realizable collateral during the critical health check. The exploit is ACT because the attacker only needed public contract entrypoints, public liquidity, and a fresh helper contract.

4. Detailed Root Cause Analysis

The first exploit transaction is 0xd64729c528e6689cb18b0c90345ab0c9ed18fea44247c89af2f1374643fc89c2. The attacker flow reaches OneClickEphemeralSwapOutput.swapOutput, which mints 39,953,190,410 units of ephemeral token, deposits them into the margin account, then calls the protocol's USDC withdrawal path. The transaction trace shows the exact sequence:

0x498e25cd...::swapOutput(..., 36200000, 39953190410)
  0x6696E9e8...::mintTo(0x498e25cd..., 39953190410)
  0x742b9169...::provideERC20(18, 0x6696E9e8..., 39953190410)
  0x742b9169...::withdrawERC20(18, USDC, 39953190410)

Before the withdrawal completes, the same trace shows MarginTrading reading both the genuine USDC balance and the transient ephemeral token (eUSDC) balance from the margin account, then valuing the ephemeral token as full USDC:

MarginAccount::getErc20ByContract(18, USDC) -> 42153190410
MarginAccount::getErc20ByContract(18, 0x6696E9e8...) -> 39953190410
0x2D818e31...::getPositionValue(39953190410) -> 39953190410
ModularSwapRouter::calculateTotalPositionValue(...) -> 82106380820

That computed value is large enough for MarginTrading.withdrawERC20 to pass even though the extra 39,953,190,410 units are not independently realizable assets. The same call later removes the fake collateral:

0x6696E9e8...::transfer(0x498e25cd..., 39953190410)
0x6696E9e8...::burnTo(0x498e25cd..., 39953190410)

The balance diff for the first transaction confirms the economic result: the victim pool at 0x02434cd23972c82fbabf610d157b41bfb45a45a3 lost 39,953,190,409 raw USDC units, while the margin account retained 2,200,000,000 raw USDC units and 36,200,000 raw WBTC units.
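As an added example (not the protocol's or this report's own code), the following Python model reproduces the valuation from the trace above and contrasts a health check that counts the ephemeral balance with one that excludes non-realizable tokens; the account structure, function names, and the health rule (value remaining after the withdrawal must cover the debt) are assumptions, while the balances are the raw units from the trace.

```python
# Simplified model of the pre-withdrawal health check described above.
# Not Sharwa's code: names and the health rule are assumptions; the
# balances come from the traced calls in section 4.
from dataclasses import dataclass, field

USDC = "USDC"
EPHEMERAL = "0x6696E9e8... (ephemeral eUSDC)"

# Assumed valuation in raw USDC units: the ephemeral token is valued 1:1,
# mirroring getPositionValue(39953190410) -> 39953190410 in the trace.
# WBTC is omitted because the traced total (82,106,380,820) excludes it.
VALUATION = {USDC: lambda amt: amt, EPHEMERAL: lambda amt: amt}

# Tokens a hardened check refuses to count: balances the account holder
# cannot independently realize (mintable at will, burned before settlement).
NON_REALIZABLE = {EPHEMERAL}


@dataclass
class MarginAccount:
    balances: dict = field(default_factory=dict)  # token -> raw units
    debt_usdc: int = 0                            # borrowed raw USDC units


def total_position_value(acct, exclude=frozenset()):
    """Sum every whitelisted balance, optionally skipping excluded tokens."""
    return sum(VALUATION[t](a) for t, a in acct.balances.items() if t not in exclude)


def withdraw_usdc_allowed(acct, amount, hardened):
    """Vulnerable mode counts every whitelisted balance, ephemeral included;
    hardened mode drops non-realizable tokens before judging solvency."""
    exclude = NON_REALIZABLE if hardened else frozenset()
    remaining = total_position_value(acct, exclude) - amount
    return remaining >= acct.debt_usdc  # assumed rule: remaining value covers debt


def build_account_from_trace():
    # Constructed from the trace: 2,200,000,000 seed + 39,953,190,410 borrowed
    # USDC sit in the account next to the transient eUSDC, loan recorded as debt.
    return MarginAccount(balances={USDC: 42_153_190_410, EPHEMERAL: 39_953_190_410},
                         debt_usdc=39_953_190_410)


def demo():
    acct = build_account_from_trace()
    w = 39_953_190_410  # the withdrawal that drained the pool
    return {
        "traced_total": total_position_value(acct),                 # 82,106,380,820
        "vulnerable_passes": withdraw_usdc_allowed(acct, w, False),  # True
        "hardened_passes": withdraw_usdc_allowed(acct, w, True),     # False
        "hardened_max_withdraw": total_position_value(acct, NON_REALIZABLE) - acct.debt_usdc,
    }
```

With the ephemeral balance excluded, the most the account could withdraw under the assumed rule is its own 2,200,000,000-unit seed deposit, which is the bound the traced check should have enforced.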

5. Adversary Flow Analysis

The attacker cluster consisted of EOA 0xd356c82e0c85e1568641d084dbdaf76b8df96c08 and helper contract 0xd9ff21caeeea4329133c98a892db16b42f9baa25. The contract txlist shows 0xd356... deployed 0xd9ff... in transaction 0xa5513dd27ab60992bd7e4725d9aafa21fdff9b21ab0fae7f2379c75abea68325, then used that contract for both exploit transactions.

The first transaction:

  1. Created margin account 18.
  2. Supplied 2,200,000,000 raw USDC units.
  3. Opened a 36,200,000-unit WBTC long.
  4. Borrowed and withdrew 39,953,190,410 raw USDC units while transient eUSDC inflated account health.
  5. Burned the ephemeral token, leaving the debt behind.

The second transaction 0x9f8b4841f805ec50cc6632068f759216d85633fbbe34afde86b97bbc41c23ead used public flash liquidity and public swaps to close almost the entire WBTC position under manipulated execution conditions. The collected balance diff shows the margin account lost 36,199,999 raw WBTC units, the pool only recovered 2,075,724,302 raw USDC units, and the attacker EOA gained 30,750,293 raw WBTC units.

6. Impact & Losses

The direct victim is the Sharwa USDC liquidity pool at 0x02434cd23972c82fbabf610d157b41bfb45a45a3. Its first-transaction depletion was 39,953,190,409 raw USDC units. The second transaction returned only 2,075,724,302 raw USDC units, leaving a net loss of 37,877,466,107 raw USDC units. The root cause report's profitability section marks the attacker gain at 30,750,293 raw WBTC units, valued at 33,900,478,356 raw USDC units by the same Chainlink-backed pricing used in the exploit flow, for 31,799,478,356 raw USDC units of net profit before gas. The exploit also left the compromised margin account with the seed USDC collateral and the WBTC position body after the vulnerable first transaction, which is the on-chain signature of the accounting failure.

7. References

  • Exploit transaction 1: 0xd64729c528e6689cb18b0c90345ab0c9ed18fea44247c89af2f1374643fc89c2
  • Exploit transaction 2: 0x9f8b4841f805ec50cc6632068f759216d85633fbbe34afde86b97bbc41c23ead
  • Attacker helper deployment: 0xa5513dd27ab60992bd7e4725d9aafa21fdff9b21ab0fae7f2379c75abea68325
  • Victim contracts: MarginTrading 0xd50Dffb8a9997D1651F3AB67e55a394C81170137, MarginAccount 0x5c479762c8fe57b6d874893a4b4932b40f612580, LiquidityPool 0x02434cd23972c82fbabf610d157b41bfb45a45a3
  • Vulnerable path contracts: OneClickEphemeralSwapOutput 0x498e25cdEf28CEA358134a000d420E034513c4F8, EphemeralERC20Type1 0x6696e9e81491364b5e0027ed045608493072ef87, EphemeralSwapOutputUSDC 0x2D818e31DE8554886b8eA7Fc17A215d2f09eA747
  • Primary evidence artifacts: seed traces and balance diffs for both exploit transactions, attacker EOA txlist, attacker contract txlist, and the auditor analysis artifact artifacts/auditor/iter_1/current_analysis_result.json