
Exploit Analysis | Cork Protocol Attacked, Over $10 Million Lost

SlowMist
6 min read · May 29, 2025

Authors: Kong & Lisa
Editor: Liz

Background

On May 28, SlowMist detected potentially suspicious activity related to Cork Protocol and issued a security alert, advising users to stay vigilant and protect their accounts and assets.

https://x.com/SlowMist_Team/status/1927705256915333359

Shortly afterward, Cork Protocol released an announcement:

https://x.com/Corkprotocol/status/1927808041984086083

Following the incident, the SlowMist security team promptly launched an investigation. The following is a detailed breakdown of the attack method and fund movement.

Preliminary Knowledge

Cork Protocol is a DeFi protocol that offers a product similar to Credit Default Swaps (CDS) in traditional finance — called Depeg Swaps — which allows users to hedge against the depegging risks of pegged assets such as stablecoins, liquid staking tokens (LSTs), and real-world assets (RWAs). Its core mechanism revolves around transferring the depeg risk of these assets to other market participants through derivatives, thereby reducing user risk and improving capital efficiency. Key concepts include:

RA (Redemption Asset):
The base asset used in Cork markets for redeeming or settling depeg events (e.g., ETH in the ETH::stETH market).

PA (Pegged Asset):
Assets subject to depegging risk, meant to stay pegged to the RA in price but may deviate due to market volatility or protocol issues (e.g., stETH in the ETH::stETH market).

DS (Depeg Swap):
The core derivative issued by Cork Protocol to hedge against depegging risk, functionally similar to CDS. Users can purchase these tokens to mitigate exposure to depegging.

CT (Cover Token):
A derivative paired with DS that represents the risk-bearing side. Similar to a CDS seller, the holder earns yield but bears losses if a depeg event occurs.

Exchange Rate:
A key parameter measuring the value ratio between PA and RA, which directly affects the determination of depeg events and the settlement logic of derivatives. Cork Protocol allows users to create markets using custom Exchange Rate Providers.

Cork Vault:
An automated liquidity management mechanism across different maturities that improves capital efficiency.

Peg Stability Module (PSM):
Handles the minting and burning of DS and CT, sets market terms, and dynamically adjusts pricing via an AMM. It supports the following exchanges:

PA + DS = RA
CT + DS = RA

Root Cause

The root cause of the attack lies in two issues. First, Cork allows users to create markets with arbitrary redemption assets (RA) through the CorkConfig contract, which enabled the attacker to set a DS token as the RA of a new market. Second, the CorkHook contract’s beforeSwap function performs no authorization check on its caller, so any user can call it and pass custom hook data into CorkCall operations. Together, these allowed the attacker to move valid DS tokens out of a legitimate market and deposit them into the new market as RA, receiving that market’s DS and CT tokens in return.

Attack Analysis

The attacker first purchased weETH8CT-2 tokens in a legitimate market using wstETH, so that they could later combine them with DS tokens to redeem wstETH as RA.

Then, the attacker created a new market using a custom Exchange Rate Provider, with the weETH8DS-2 token as RA and wstETH as PA. The key token configuration for the new market was:

RA: weETH8DS-2
PA: wstETH
CT: wstETH5CT-3
DS: wstETH5DS-3

Meanwhile, the weETH8DS-2 token came from another market with the following configuration:

RA: wstETH
PA: weETH
CT: weETH8CT-2
DS: weETH8DS-2

After creating the new market, the attacker added some liquidity to initialize the corresponding pool in Uniswap v4, enabling CorkHook to later perform beforeSwap operations in this pool.

Critically, when the Uniswap v4 Pool Manager is in an unlocked state, anyone can call CorkHook’s beforeSwap function with arbitrary parameters and operate on market liquidity. The attacker exploited the Pool Manager’s unlockCallback feature to invoke beforeSwap with their custom market and hook data.

The beforeSwap function then triggered CorkCall in the legitimate market using the provided hook data:

CorkCall trusted the data passed from the upper-layer, legitimate CorkHook and executed it directly:

This allowed the attacker to transfer a specified amount of weETH8DS-2 tokens from the legitimate market into their custom market as RA and receive the new market’s CT and DS tokens in return.

Leveraging the PSM mechanism, the attacker used the newly obtained CT and DS tokens to redeem RA tokens — i.e., weETH8DS-2 — from the new market.

After obtaining the weETH8DS-2 tokens, the attacker matched them with the previously acquired weETH8CT-2 tokens in the original market to redeem wstETH as RA.

In short, the attacker exploited the lack of restrictions on RA types and the protocol’s failure to validate the caller and input data for CorkHook.beforeSwap. This enabled them to transfer DS liquidity from a legitimate market into a new market as RA and redeem it, effectively draining liquidity from the original market.
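To make the two missing checks from the Root Cause and Attack Analysis sections concrete, here is an added, simplified sketch written for this analysis; it is not Cork Protocol’s or Uniswap’s code. It assumes a hypothetical hook with a per-market liquidity balance and a market config contract; the weak hook reads the market to debit from caller-supplied hook data and checks no caller, while the hardened versions restrict the hook to the PoolManager, derive the market from the pool being swapped, and refuse to register a protocol-minted DS/CT as an RA (admin setters for the allowlists are omitted for brevity).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical sketch of the checks described in the analysis; names are illustrative assumptions.

contract WeakHook {
    mapping(bytes32 => uint256) public liquidity; // DS held per market id

    // Weak: no caller check, and the market to debit is read from hookData,
    // so any caller can point the hook at a market they do not own.
    function beforeSwap(address, bytes32, bytes calldata hookData) external {
        (bytes32 sourceMarket, uint256 amount) = abi.decode(hookData, (bytes32, uint256));
        liquidity[sourceMarket] -= amount; // ... then hands that market's DS to the caller
    }
}

contract HardenedHook {
    address public immutable poolManager;
    mapping(bytes32 => uint256) public liquidity;
    mapping(bytes32 => bytes32) public marketOfPool; // poolId -> market, set at pool init

    constructor(address pm) { poolManager = pm; }

    // Only the PoolManager may enter the hook, closing the direct-call route.
    modifier onlyPoolManager() {
        require(msg.sender == poolManager, "caller is not PoolManager");
        _;
    }

    function beforeSwap(address, bytes32 poolId, bytes calldata hookData)
        external onlyPoolManager
    {
        // The market comes from the pool being swapped, never from hookData.
        bytes32 market = marketOfPool[poolId];
        require(market != bytes32(0), "unknown pool");
        uint256 amount = abi.decode(hookData, (uint256)); // hookData carries parameters only
        require(amount <= liquidity[market], "insufficient liquidity");
        liquidity[market] -= amount; // ... settle within `market` only
    }
}

contract HardenedConfig {
    mapping(address => bool) public allowedRA;       // curated base assets only
    mapping(address => bool) public isProtocolToken; // every DS/CT this protocol mints

    function createMarket(address ra, address pa) external returns (bytes32 id) {
        require(allowedRA[ra], "RA not allowlisted");
        require(!isProtocolToken[ra], "a DS/CT cannot be an RA");
        id = keccak256(abi.encode(ra, pa)); // ... register market
    }
}
```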

MistTrack Analysis

According to the on-chain AML and fund tracing tool MistTrack, the attacker’s address (0xea6f30e360192bae715599e15e2f765b49e4da98) profited 3,761.878 wstETH, valued at over $12 million.

The attacker then converted the wstETH into 4,527 ETH through eight transactions:

Additionally, the initial funding came from a 4.861 ETH deposit from Swapuz.com.

As of now, a total of 4,530.5955 ETH remains in the attacker’s address. We will continue to monitor the movement of these funds.

Summary

The fundamental cause of this exploit lies in the protocol’s failure to strictly validate user-supplied data, allowing liquidity to be manipulated and moved into unintended markets, which the attacker then abused for unauthorized redemption and profit. The SlowMist security team advises protocol developers to carefully verify each step in the logic path and strictly restrict asset types in market creation.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience with the goal of becoming a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
