Cork Protocol Hack 2025 — $12M Exploit Analysis

Fake market creation and double-counting exploit drained 3,761 wstETH from vaults

Details

Full Description

On May 28, 2025, Cork Protocol suffered a ~$12M security breach. The attacker exploited two issues: first, Cork allowed users to create markets with arbitrary redemption assets, enabling the attacker to set DS as the RA. Second, any user could call CorkHook's beforeSwap function without authorization and pass custom hook data. The attacker purchased weETH8CT-2 tokens in a legitimate market, set up a fake market with weETH8DS-2 as RA, then used malicious hook data to trick CorkCall into executing arbitrary logic. This allowed them to transfer DS liquidity from the legitimate market into the fake market as RA and redeem it, effectively draining 3,761 wstETH from the original market.

Laundering Analysis

The attacker converted the stolen 3,761 wstETH into 4,527 ETH through eight transactions. The initial funding came from a 4.861 ETH deposit from Swapuz.com. As of the report, 4,530.5955 ETH remained in the attacker's address. The funds have not been moved through mixers and remain consolidated in a single attacker wallet, making recovery possible if law enforcement acts.

Sources

Related Hacks

Back to Browse