On October 20, 2025, Sharwa Finance, a lending protocol operating on the Arbitrum network, fell victim to a sophisticated price manipulation exploit that drained approximately $147,000 from its liquidity pools. The attack highlights the persistent vulnerabilities in DeFi protocols that rely on external price feeds without adequate safeguards, a lesson the industry continues to learn the hard way.
The Exploit Mechanics
The attacker executed a classic atomic sandwich attack exploiting Sharwa Finance’s reliance on Uniswap V3 quoter prices for position closures. Funded through Tornado Cash and bridged from Ethereum mainnet to Arbitrum, the attacker deployed a custom exploit contract to carry out the heist in just two transactions.
In the first transaction, the attacker created a margin account with a BTC long position by depositing 2,000 USDC and borrowing approximately 40,000 USDC to purchase Bitcoin. The second transaction contained the actual sandwich: the attacker first swapped a large amount of BTC to USDC to crash the price on Uniswap V3, then immediately closed the long position. Because Sharwa blindly trusted the Uniswap V3 quoter price at that moment, the protocol sold BTC at the manipulated, artificially low price, creating bad debt. The attacker then swapped USDC back to BTC to complete the profitable sandwich cycle.
Affected Systems
The exploit targeted Sharwa Finance’s lending and margin trading system on Arbitrum, specifically its USDC and WBTC liquidity pools. The vulnerability lay in the protocol’s price oracle implementation — rather than using a time-weighted average price (TWAP) or a decentralized oracle network like Chainlink, Sharwa relied on direct Uniswap V3 spot quotes. This architectural decision left the protocol exposed to flash price manipulation within a single atomic transaction.
On-chain data reveals the attacker was funded through Tornado Cash, a privacy tool frequently used by exploiters to obscure the origin of their capital. The stolen funds were subsequently moved through cross-chain bridges to further obscure the trail.
The Mitigation Strategy
Following the exploit, Sharwa Finance committed to 100% refunds for all affected users. Approximately $40,000 of the stolen funds — about 27.2% — were recovered with assistance from Binance, which helped trace and freeze a portion of the laundered assets. The protocol’s team also pledged to overhaul its oracle infrastructure before resuming operations.
The core fix is to settle positions against time-weighted average price feeds instead of instantaneous spot prices. A TWAP over past blocks is unaffected by a swap in the current transaction, and shifting it materially requires holding a manipulated price across many blocks while exposed to arbitrage, which dramatically reduces the feasibility of atomic manipulation attacks. Additional safeguards, such as circuit breakers that reject settlement when the spot price deviates abnormally from the reference within a single block, and delays on large position closures, provide further layers of protection.
Lessons Learned
The Sharwa Finance incident joins a growing list of DeFi exploits in 2025 driven by inadequate oracle implementations. While Uniswap V3 is an excellent decentralized exchange, its spot prices were never designed to serve as standalone price oracles for lending protocols. The temptation to use them directly saves development time and gas costs but introduces a critical attack surface that sophisticated attackers can and will exploit.
Protocols handling user funds must treat price feed security with the same rigor as access control and reentrancy protection. Using decentralized oracle networks with manipulation-resistant aggregation, implementing TWAPs with appropriate lookback windows, and establishing maximum price deviation thresholds per block are no longer optional — they are baseline requirements for any lending or margin protocol.
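As an added illustration (not code from Sharwa Finance or Uniswap) of why the TWAP and per-block deviation threshold described above defeat an atomic sandwich, the Python model below compares the settlement price a hardened protocol would compute in the attack scenario. The ticks, the 30-block window, the 200 bps threshold and the one-tick-per-block oracle model are constructed assumptions.

```python
# Constructed example: a lending protocol pricing a position close from a
# Uniswap V3 pool. Ticks are hypothetical; price = 1.0001 ** tick (V3 convention).
NORMAL_TICK = 60_000           # quiet-market tick
CRASHED_TICK = 59_000          # tick after the attacker's in-block dump (~9.5% lower)
HISTORY = [NORMAL_TICK] * 200  # completed blocks before the attack (constructed)

def tick_to_price(tick: float) -> float:
    """Uniswap V3 convention: price = 1.0001 ** tick."""
    return 1.0001 ** tick

def twap_tick(completed_ticks: list, window: int) -> float:
    """Time-weighted mean tick over the last `window` completed blocks.

    Simplified model of the V3 oracle: one observation per block, written with
    the tick active before that block's first swap, equal block durations. A
    swap in the current block therefore cannot move a TWAP read in that block.
    """
    if len(completed_ticks) < window:
        raise ValueError("not enough observation history for the window")
    return sum(completed_ticks[-window:]) / window

def deviation_bps(spot_price: float, ref_price: float) -> float:
    """Distance between spot and reference price, in basis points."""
    return abs(spot_price - ref_price) / ref_price * 10_000

def price_for_close(completed_ticks, spot_tick, window=30, max_dev_bps=200):
    """Hardened settlement price: TWAP reference plus a deviation circuit breaker.

    Returns (reference_price, deviation_bps, allowed). A spot-quoter design would
    return tick_to_price(spot_tick) unconditionally and settle at the crashed price.
    """
    ref = tick_to_price(twap_tick(completed_ticks, window))
    dev = deviation_bps(tick_to_price(spot_tick), ref)
    return ref, dev, dev <= max_dev_bps

def atomic_sandwich():
    """Dump and close in one block: spot crashed, TWAP untouched, close refused."""
    return price_for_close(HISTORY, CRASHED_TICK)

def sustained_one_block():
    """Crash held for a full block: TWAP moves ~33 ticks (~0.3%), close still refused."""
    return price_for_close(HISTORY + [CRASHED_TICK], CRASHED_TICK)

if __name__ == "__main__":
    for name, fn in (("atomic", atomic_sandwich), ("sustained", sustained_one_block)):
        ref, dev, ok = fn()
        print(f"{name}: ref={ref:.2f} deviation={dev:.0f}bps allowed={ok}")
```

The deviation breaker is the per-block maximum price deviation threshold; the TWAP is the manipulation-resistant reference it is measured against.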
User Action Required
Users who had funds deposited in Sharwa Finance should monitor the protocol’s official communication channels for refund procedures. If you interacted with the protocol around October 20, 2025, review your wallet for any unauthorized transactions. Going forward, before depositing funds into any lending or margin protocol, verify that it uses robust oracle infrastructure — ideally Chainlink or a similar manipulation-resistant feed — rather than relying on single-source DEX price quotes.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before interacting with any DeFi protocol.
relying on Uniswap V3 spot quotes without TWAP in 2025 is negligence. the sandwich attack playbook has been public for years
twap_or_die spot on. uniswap v3 quoter as your only oracle in 2025 is asking for the sandwich
Interesting perspective — I hadn’t considered that angle before
two transactions and 147K gone. funded through Tornado Cash as usual. the privacy tools debate gets harder when every exploit uses the same mixer
priya right, funded through tornado and bridged from mainnet. same playbook every single time
every exploit routes through Tornado Cash and every discussion turns into a privacy debate. the tool exists for both use cases unfortunately
twap_or_die literally this. spot price oracle with no time delay is asking to get sandwiched. basic DeFi security 101
spot price from a single pool with no delay is a standing invitation for sandwich attacks. TWAP has been standard since 2021, skipping it is pure negligence
Education is still the biggest barrier to mainstream adoption
The fundamental value proposition of crypto keeps getting stronger
This is exactly the kind of development the space needs
2000 usdc in, 40000 borrowed, 147k drained in two txs. the leverage on that sandwich was nasty