QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$12 053 000 USD
MAY 2025
GLOBAL
CORK PROTOCOL
DESCRIPTION OF EVENTS
Cork offers a DeFi protocol designed to tokenize and manage the risk of depeg events involving stablecoins and liquid (re)staking tokens. It introduces a new class of financial instruments—Depeg Swaps and Cover Tokens—that allow users to hedge, trade, and earn from market exposure to pegged asset volatility. This innovation addresses a key gap in the onchain asset ecosystem, where there was previously no way to price or mitigate the risk of depegging—events where assets like stablecoins diverge from their target value.
Each Cork market consists of a pair: a Redemption Asset (RA) and a Pegged Asset (PA), such as ETH and stETH. The protocol’s Peg Stability Module (PSM) mints Depeg Swaps and Cover Tokens, which can be freely traded through an Automated Market Maker (AMM). Depeg Swaps provide protection if a depeg occurs, while Cover Tokens offer fixed yields if the asset remains stable. The system is designed to be fully collateralized, permissionless, and secure—audited to ensure trust.
Beyond individual trading, Cork enables asset issuers and DeFi protocols to open custom markets and integrate with the platform for broader risk management. Liquidity providers can earn from risk premiums and fees through Cork Vaults, which automatically manage liquidity across market cycles. Ultimately, Cork aims to bring more stability, transparency, and financial opportunity to DeFi by creating a robust infrastructure for tokenized risk.
The Cork Protocol had two key vulnerabilities in its smart contract design. First, the CorkConfig contract allowed users to create new markets with arbitrary redemption assets (RA) without proper restrictions. This meant one could designate a Depeg Swap (DS) token—normally used as a derivative to hedge depeg risk—as the RA in a custom market.
Second, the beforeSwap function in the CorkHook contract lacked access control and input validation, allowing any user to call it with custom hook data.
By exploiting a Uniswap V4 pool in an unlocked state, the attacker was able to invoke beforeSwap via the pool manager’s unlockCallback, passing malicious data that triggered the CorkCall in a legitimate market. Since the contract blindly trusted this data, the attacker was able to transfer DS tokens from the real market into their custom market and receive both CT and DS tokens in return. They then used these tokens to redeem the original assets, effectively draining liquidity from the legitimate market and resulting in over $12 million in losses.
The first flaw allowed users to create new markets using any token as the Redemption Asset (RA) via the CorkConfig contract, without adequate restrictions. The attacker exploited this by setting a Depeg Swap (DS) token—normally a derivative used to hedge against depeg risk—as the RA in a newly created market. This violated the intended structure of the system, where DS tokens are not meant to serve as collateral or settlement assets.
The second vulnerability lay in the beforeSwap function of the CorkHook contract, which lacked proper access controls. It could be called by any user with arbitrary input data, and the protocol failed to validate the source or the payload. The attacker leveraged this flaw using an unlocked Uniswap V4 pool, taking advantage of the pool manager’s unlockCallback feature to invoke beforeSwap with malicious hook data. This data tricked the protocol into believing that legitimate operations were occurring, allowing the attacker to manipulate how tokens were transferred between markets.
Using these exploits in tandem, the attacker was able to move DS tokens from a legitimate market into the custom, malicious one they created. Once the DS tokens were accepted as the RA in the new market, the attacker received both Cover Tokens (CT) and DS tokens from that market. They then used the Peg Stability Module (PSM) to redeem these tokens for valuable assets.
SlowMist estimated the loss amount at $12m after an initial medium post which simply stated that losses were "over $10 million".
wstETH stands for Wrapped staked Ether, and it is a tokenized version of stETH (staked Ether) from the Lido protocol. stETH is received when users stake ETH through Lido. It represents staked ETH and accrues staking rewards over time, with its balance increasing daily. wstETH is a wrapped version of stETH. Instead of the token balance increasing to reflect rewards (as with stETH), the value of wstETH increases against ETH. This makes wstETH non-rebasing, meaning its balance doesn't change—only its value does.
As a result, the value of 3,761.87795537 wstETH is higher than the market price of $2,682.21 USD/ETH, and losses exceed $10,090,146.67 USD. The closing market price on May 28th of wstETH is $3,204.10 USD/ETH, meaning a better estimate for the loss total would be $12,053,433.16 USD.
Following the exploit on May 28, Cork Protocol quickly acknowledged the incident in an initial post, confirming that the security breach affected the wstETH:weETH market at 11:23 UTC and involved approximately 3,761.8 wstETH. They emphasized that all other markets were unaffected but had been paused as a precautionary measure. Cork stated that they were actively investigating the issue and working with auditors to identify and address the root cause. They also assured the community that a full post-mortem would be published and expressed gratitude to partners and supporters for their patience and assistance.
At the same time, blockchain security firm SlowMist responded rapidly by publishing a detailed analysis of the attack. Their investigation revealed critical vulnerabilities in the Cork protocol’s smart contracts—specifically in how redemption assets could be configured and how the beforeSwap function in the CorkHook contract could be called without proper authorization. SlowMist outlined how these flaws enabled the attacker to manipulate market creation and redeem tokens illegitimately, resulting in losses exceeding $12 million. They also used their MistTrack tool to trace the attacker’s fund movements and provided broader security recommendations to prevent similar exploits in the future.
The ultimate outcome of the Cork Protocol exploit was a significant loss of over $12 million, primarily in wstETH tokens, due to the attacker exploiting vulnerabilities that allowed unauthorized token manipulation and liquidity draining. The attacker successfully converted these stolen tokens into ETH and still holds a large amount of funds in their control.
In response, Cork Protocol paused all other markets to prevent further damage and engaged with auditors and security teams like SlowMist to investigate and resolve the root causes. A full post-mortem report was promised to ensure transparency and guide improvements. The incident highlighted critical weaknesses in access control and asset validation, prompting calls for stricter security measures in the DeFi ecosystem to prevent similar attacks in the future.
Recovery is still yet to be determined.
The investigation and forensic analysis are continuing to trace the full flow and final destination of the stolen funds, as a significant portion of the assets remains in the attacker’s control. Monitoring the attacker’s wallet activity and potential laundering or cash-out attempts is an active process involving blockchain analytics tools.
Cork Protocol and its security partners are working on fixing the vulnerabilities identified in the smart contracts, thoroughly auditing updates, and testing new security measures before resuming operations. This includes strengthening access controls, restricting arbitrary asset configurations, and improving validation mechanisms.
Cork Protocol has committed to publishing a detailed post-mortem report outlining the incident’s cause, impact, and remediation steps, which is pending release. Meanwhile, the protocol’s markets remain paused as the team ensures full resolution and safety for users before reopening.
Cork Protocol is a DeFi platform that enables users to hedge and trade the risk of pegged asset depeg events through novel financial instruments called Depeg Swaps and Cover Tokens, pairing Redemption Assets (RA) with Pegged Assets (PA) via a Peg Stability Module and automated market maker. However, the protocol suffered a major exploit due to two vulnerabilities: the ability to create markets with arbitrary redemption assets—including Depeg Swap tokens—and an unprotected beforeSwap function in CorkHook that could be called with malicious data. An attacker exploited these flaws to drain over $12 million by manipulating token transfers between legitimate and malicious markets. Cork paused all affected markets, engaged security firms like SlowMist for investigation, and is working on fixes and a full post-mortem to restore security and user confidence.
SlowMist - "SlowMist Security Alert We detected potential suspicious activity related to @Corkprotocol." - Twitter/X (May 29)
SlowMist - "On May 28, @Corkprotocol suffered an exploit, resulting in losses exceeding $12 million. According to @SlowMist_Team’s analysis, the root cause lies in two key issues." - Twitter/X (May 29)
Exploit Analysis Cork Protocol Attacked, Over $10 Million Lost - Medium (May 29)
Cork Protocol Homepage (May 29)
What Is Cork - Cork Protocol Docs (May 29)
Cork Protocol Exploit Transaction - Etherscan (May 29)
Cork Protocol Exploiter - Etherscan (May 29)
Ethereum Price History and Historical Data (Dec 21)
wstETH Market Price - CoinMarketCap (May 29)
Cork Protocol - Rekt (May 30)
After the Post-Mortem - Rekt (Jul 3)
Attacker Sends IDM "sherlock missed it. ct > ds. uniswap hook is not problem." - Etherscan (Jul 3)
Attacker's Second Message In Estonian - Etherstan (Jul 3)
Attacker's Third Message In Estonian - Etherstan (Jul 3)
