In May 2025, Cork Protocol, a protocol designed to hedge against the risks associated with depegging, was the victim of a $12 million hack. The attacker tricked the protocol’s smart contracts into accepting fake tokens and exploiting vulnerabilities in its rate calculations.
Inside the Attack
Cork markets work with a few different types of tokens. There is a redemption asset (RA), which is the target value for a pegged asset (PA) similar to how USDC is pegged to the US dollar. Additionally, Cork defines a depeg swap (DS) that users buy when protecting their PA against depegging and a covered token (CS) for users to bet against depegging by selling their DS.
The Cork attack involved two markets, a real and a fake one, with tokens as defined in the table below:
| Real | Fake |
RA | wstETH | weETH8DS-2 |
PA | weETH | wstETH |
DS | weETH8DS-2 | fake_DS |
CT | weETH8CT-2 | fake_CT |
Note that the DS from the real market is set as the RA of the fake market. This shouldn’t have been permitted and is the basis for the attack.
The attack began by buying weETH8CT-2 from the legitimate market. These are needed for the last stage of the attack.
Then, the attacker exploited the fact that the beforeSwap function in the CorkHook function lacks proper access controls. Using it, the attacker sent custom hook data to the CorkCall function that forced it to split its own weETH8DS-2 tokens into fake_DS and fake_CT. This is possible since weETH8DS-2 is the RA for the fake market, and the function believed that the tokens belonged to the attacker.
As a result, the fake_DS and fake_CT tokens were transferred to the attacker. Under the rules of the Cork markets, a DS and CT token can be redeemed for an RA token. Using the fake market, the attacker took the fake_DS and fake_CT tokens sent to them and converted them to weETH8DS-2.
After this step, the attacker has the DS and CT tokens from the real market. Redeeming these for the RA allowed the attacker to drain 3,761 wstETH from the contract, which they converted to $12 million in ETH.
Lessons Learned from the Attack
The Cork Protocol hack was made possible by flawed access controls, input sanitization, and business logic. The attacker was permitted to create a market that set another market’s DS as its RA and tricked the smart contract into splitting assets and handing them over to the attacker.
Testing business logic and common smart contract vulnerabilities, like access control and input validation, is an essential component of a smart contract audit. For help in protecting your protocol against similar errors, reach out to Halborn.