Cork Protocol Market Manipulation and Liquidity Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Cork Protocol

Cork Protocol is a DeFi platform that enables users to hedge and trade the risk of pegged asset depeg events through novel financial instruments called Depeg Swaps and Cover Tokens, pairing Redemption Assets (RA) with Pegged Assets (PA) via a Peg Stability Module and automated market maker. However, the protocol suffered a major exploit due to two vulnerabilities: the ability to create markets with arbitrary redemption assets—including Depeg Swap tokens—and an unprotected beforeSwap function in CorkHook that could be called with malicious data. An attacker exploited these flaws to drain over $12 million by manipulating token transfers between legitimate and malicious markets. Cork paused all affected markets, engaged security firms like SlowMist for investigation, and is working on fixes and a full post-mortem to restore security and user confidence.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]

About Cork Protocol

Cork offers a DeFi protocol designed to tokenize and manage the risk of depeg events involving stablecoins and liquid (re)staking tokens. It introduces a new class of financial instruments—Depeg Swaps and Cover Tokens—that allow users to hedge, trade, and earn from market exposure to pegged asset volatility. This innovation addresses a key gap in the onchain asset ecosystem, where there was previously no way to price or mitigate the risk of depegging—events where assets like stablecoins diverge from their target value.

Each Cork market consists of a pair: a Redemption Asset (RA) and a Pegged Asset (PA), such as ETH and stETH. The protocol’s Peg Stability Module (PSM) mints Depeg Swaps and Cover Tokens, which can be freely traded through an Automated Market Maker (AMM). Depeg Swaps provide protection if a depeg occurs, while Cover Tokens offer fixed yields if the asset remains stable. The system is designed to be fully collateralized, permissionless, and secure—audited to ensure trust.

Beyond individual trading, Cork enables asset issuers and DeFi protocols to open custom markets and integrate with the platform for broader risk management. Liquidity providers can earn from risk premiums and fees through Cork Vaults, which automatically manage liquidity across market cycles. Ultimately, Cork aims to bring more stability, transparency, and financial opportunity to DeFi by creating a robust infrastructure for tokenized risk.

The Reality

The Cork Protocol had two key vulnerabilities in its smart contract design. First, the CorkConfig contract allowed users to create new markets with arbitrary redemption assets (RA) without proper restrictions. This meant one could designate a Depeg Swap (DS) token—normally used as a derivative to hedge depeg risk—as the RA in a custom market.

Second, the beforeSwap function in the CorkHook contract lacked access control and input validation, allowing any user to call it with custom hook data.

What Happened

Cork Protocol was exploited due to smart contract vulnerabilities, allowing an attacker to manipulate market creation and token redemption mechanisms to steal over $12 million.

Key Event Timeline - Cork Protocol Market Manipulation and Liquidity Exploit
Date | Event | Description
May 28th, 2025 5:41:35 AM MDT | Ethereum Exploit Transaction Occurs | The original exploit transaction happens on the Ethereum blockchain.
May 28th, 2025 6:35:00 AM MDT | SlowMist Suspicious Activity | SlowMist tweets that they have found suspicious activity relating to Cork Protocol.
May 28th, 2025 7:21:00 AM MDT | Cork Protocol Initial Post | Cork Protocol made an initial post announcing a security incident that occurred at 11:23 UTC, impacting only the wstETH:weETH market. As a precaution, all other markets have been paused, though they remain unaffected. The team is actively investigating and will share updates as more information becomes available, thanking their partners for their support during the process.
May 28th, 2025 1:23:00 PM MDT | Cork Protocol Update Posted | Cork Protocol publishes an update stating that a security incident occurred at 11:23 UTC, affecting the wstETH:weETH market and involving around 3,761.8 wstETH. The team has paused all other markets as a precaution while working with auditors to investigate and resolve the root cause. An official post-mortem will be released soon, and the team expressed gratitude for the community's support.
May 29th, 2025 8:07:46 AM MDT | SlowMist Detailed Analysis Made | SlowMist prepares and publishes a detailed walkthrough on Medium that includes a timeline of the Cork Protocol exploit, an overview of Cork’s DeFi mechanism and key components, a technical breakdown of the vulnerability and how it was exploited, and an on-chain analysis tracing the attacker's fund movements using their MistTrack tool. The post also outlines the root causes of the incident, summarizes the attacker’s steps, and provides security recommendations to prevent similar exploits. Additionally, SlowMist highlights its broader role as a blockchain security firm, detailing its services, notable partnerships, and contributions to industry security.
May 29th, 2025 8:46:00 AM MDT | SlowMist Posts Tweet Announcement | SlowMist posted a high-level analysis of the @Corkprotocol exploit, detailing the technical vulnerabilities that enabled the attack, the method used by the attacker to manipulate the protocol, and the resulting financial impact. Their report highlighted weaknesses in smart contract design, specifically in market creation and function authorization, which allowed unauthorized actions and ultimately led to over $12 million in losses.

Technical Details

By exploiting a Uniswap V4 pool in an unlocked state, the attacker was able to invoke beforeSwap via the pool manager’s unlockCallback, passing malicious data that triggered the CorkCall in a legitimate market. Since the contract blindly trusted this data, the attacker was able to transfer DS tokens from the real market into their custom market and receive both CT and DS tokens in return. They then used these tokens to redeem the original assets, effectively draining liquidity from the legitimate market and resulting in over $12 million in losses.

The first flaw allowed users to create new markets using any token as the Redemption Asset (RA) via the CorkConfig contract, without adequate restrictions. The attacker exploited this by setting a Depeg Swap (DS) token—normally a derivative used to hedge against depeg risk—as the RA in a newly created market. This violated the intended structure of the system, where DS tokens are not meant to serve as collateral or settlement assets.

The second vulnerability lay in the beforeSwap function of the CorkHook contract, which lacked proper access controls. It could be called by any user with arbitrary input data, and the protocol failed to validate the source or the payload. The attacker leveraged this flaw using an unlocked Uniswap V4 pool, taking advantage of the pool manager’s unlockCallback feature to invoke beforeSwap with malicious hook data. This data tricked the protocol into believing that legitimate operations were occurring, allowing the attacker to manipulate how tokens were transferred between markets.

Using these exploits in tandem, the attacker was able to move DS tokens from a legitimate market into the custom, malicious one they created. Once the DS tokens were accepted as the RA in the new market, the attacker received both Cover Tokens (CT) and DS tokens from that market. They then used the Peg Stability Module (PSM) to redeem these tokens for valuable assets.
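The two missing checks described above can be modelled in one small contract. This is an added sketch, not Cork's or Uniswap's code: every contract, function and error name is hypothetical, the beforeSwap signature is reduced from the real Uniswap V4 hook interface, and the RA allow-list and the poolId-to-market binding are assumptions about how the checks could be enforced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model with hypothetical names throughout; not Cork's or Uniswap's code.
contract MarketGuardSketch {
    address public immutable admin;
    address public immutable poolManager;            // assumed: the trusted pool manager
    mapping(address => bool) public isDerivative;    // DS/CT tokens issued by the protocol
    mapping(address => bool) public allowedRA;       // curated Redemption Asset allow-list
    mapping(bytes32 => bytes32) public marketOfPool; // poolId => marketId, set once

    error NotAdmin();
    error NotPoolManager(address caller);
    error DerivativeAsRA(address token);
    error RANotAllowed(address token);
    error PoolAlreadyBound(bytes32 poolId);
    error MarketMismatch(bytes32 expected, bytes32 supplied);

    modifier onlyAdmin() { if (msg.sender != admin) revert NotAdmin(); _; }
    modifier onlyPoolManager() { if (msg.sender != poolManager) revert NotPoolManager(msg.sender); _; }

    constructor(address poolManager_) { admin = msg.sender; poolManager = poolManager_; }

    function allowRA(address token, bool ok) external onlyAdmin { allowedRA[token] = ok; }
    // Assumption: the DS/CT issuing path calls this for every token it mints.
    function registerDerivative(address token) external onlyAdmin { isDerivative[token] = true; }

    // First flaw: reject a protocol-issued DS/CT (or any unlisted token) as the RA.
    function createMarket(address ra, address pa, bytes32 poolId) external returns (bytes32 id) {
        if (isDerivative[ra]) revert DerivativeAsRA(ra);
        if (!allowedRA[ra]) revert RANotAllowed(ra);
        if (marketOfPool[poolId] != bytes32(0)) revert PoolAlreadyBound(poolId);
        id = keccak256(abi.encode(ra, pa, poolId));
        marketOfPool[poolId] = id;
    }

    // Second flaw: only the pool manager may call, and hookData is checked against
    // state recorded at market creation instead of being trusted.
    function beforeSwap(bytes32 poolId, bytes calldata hookData)
        external view onlyPoolManager returns (bytes4)
    {
        bytes32 supplied = abi.decode(hookData, (bytes32));
        bytes32 expected = marketOfPool[poolId];
        if (expected == bytes32(0) || supplied != expected) revert MarketMismatch(expected, supplied);
        return this.beforeSwap.selector;
    }
}
```

The derivative check runs before the allow-list check, so a DS or CT token is rejected as an RA even if it is later allow-listed by mistake.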


The attacker provided more detail post-mortem:

It’s time to drop a truly major bomb. Sherlock didn’t miss it. All the firms that published analyses on this issue before the official post-mortem failed to discover the real vulnerability. Dedaub, Three Sigma, Halborn, Blocksec, and many others used the Cork exploit to promote their own brands. They are not recommended. Find their X (Twitter) posts before they delete them.

Even without the Depeg Swap (DS) token, it’s still possible to redeem the Redemption Asset (RA) — the underlying real asset like wstETH or ETH. The Cover Token (CT) is the most important part. So ignore the analyses focused only on the DS. There are many ways to manipulate the DS, not just through the Uniswap hook.

Any party that failed to notice the mistakes related to how the Cover Token (CT) could be exploited should not be trusted.

Total Amount Lost

SlowMist estimated the loss amount at $12m, after an initial Medium post which simply stated that losses were "over $10 million".

wstETH stands for Wrapped staked Ether, and it is a tokenized version of stETH (staked Ether) from the Lido protocol. stETH is received when users stake ETH through Lido. It represents staked ETH and accrues staking rewards over time, with its balance increasing daily. wstETH is a wrapped version of stETH. Instead of the token balance increasing to reflect rewards (as with stETH), the value of wstETH increases against ETH. This makes wstETH non-rebasing, meaning its balance doesn't change—only its value does.

As a result, valuing 3,761.87795537 wstETH at the ETH market price of $2,682.21 USD/ETH understates the loss: at that price the total is $10,090,146.67 USD, and actual losses exceed it. The closing market price of wstETH on May 28th is $3,204.10 USD/ETH, meaning a better estimate for the loss total would be $12,053,433.16 USD.

The total amount lost has been estimated at $12,053,000 USD.

Immediate Reactions

Following the exploit on May 28, Cork Protocol quickly acknowledged the incident in an initial post, confirming that the security breach affected the wstETH:weETH market at 11:23 UTC and involved approximately 3,761.8 wstETH. They emphasized that all other markets were unaffected but had been paused as a precautionary measure. Cork stated that they were actively investigating the issue and working with auditors to identify and address the root cause. They also assured the community that a full post-mortem would be published and expressed gratitude to partners and supporters for their patience and assistance.

At the same time, blockchain security firm SlowMist responded rapidly by publishing a detailed analysis of the attack. Their investigation revealed critical vulnerabilities in the Cork protocol’s smart contracts—specifically in how redemption assets could be configured and how the beforeSwap function in the CorkHook contract could be called without proper authorization. SlowMist outlined how these flaws enabled the attacker to manipulate market creation and redeem tokens illegitimately, resulting in losses exceeding $12 million. They also used their MistTrack tool to trace the attacker’s fund movements and provided broader security recommendations to prevent similar exploits in the future.

Ultimate Outcome

The ultimate outcome of the Cork Protocol exploit was a significant loss of over $12 million, primarily in wstETH tokens, due to the attacker exploiting vulnerabilities that allowed unauthorized token manipulation and liquidity draining. The attacker successfully converted these stolen tokens into ETH and still holds a large amount of funds in their control.

In response, Cork Protocol paused all other markets to prevent further damage and engaged with auditors and security teams like SlowMist to investigate and resolve the root causes. A full post-mortem report was promised to ensure transparency and guide improvements. The incident highlighted critical weaknesses in access control and asset validation, prompting calls for stricter security measures in the DeFi ecosystem to prevent similar attacks in the future.

The attacker posted a series of messages on the Ethereum blockchain (in a mix of English and Estonian):

"sherlock missed it. ct > ds. uniswap hook is not problem."

"It's time to drop a truly big bomb. Sherlock didn’t miss it. All the firms that wrote analyses on the topic before the official post-mortem failed to discover the real issue. Dedaub, Three Sigma, Halborn, Blocksec, and many others used the Corki issue to promote their brands. They are not recommended. Find them before they delete their X posts. RA can still be taken without DS. CT is the most important. So don’t pay attention to DS’s analysis. There are many ways to take DS, not just the Uniswap hook. Any parties who didn’t notice the mistakes regarding taking CT should not be trusted."

"Well, believe it or not, but when you're sitting on 12 million, you don't want to be annoying. I just hate it when there's an issue with a protocol, and a bunch of security firms write nonsense about the bugs to promote their brands and profit off others' efforts. So you're saying you missed the critical bugs and can only spot minor issues that don't lead to financial loss, Neville Grech? You’d be better off focusing on building products instead of promoting your brands by analyzing bugs you can’t even identify yourself."

There is a direct contradiction between the messages: in English, the hacker reported that Sherlock missed the vulnerability, but in Estonian, that Sherlock did not miss it. It's likely that the Estonian version is a mistake.

Total Amount Recovered

Recovery is yet to be determined.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

The investigation and forensic analysis are continuing to trace the full flow and final destination of the stolen funds, as a significant portion of the assets remains in the attacker’s control. Monitoring the attacker’s wallet activity and potential laundering or cash-out attempts is an active process involving blockchain analytics tools.

Cork Protocol and its security partners are working on fixing the vulnerabilities identified in the smart contracts, thoroughly auditing updates, and testing new security measures before resuming operations. This includes strengthening access controls, restricting arbitrary asset configurations, and improving validation mechanisms.

Cork Protocol has committed to publishing a detailed post-mortem report outlining the incident’s cause, impact, and remediation steps, which is pending release. Meanwhile, the protocol’s markets remain paused as the team ensures full resolution and safety for users before reopening.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References