Cork Protocol was attacked, resulting in a loss of 12 million USD, with the wstETH market becoming a target for hackers.
Cork Protocol was attacked by hackers, resulting in losses exceeding 10 million USD.
On May 28th, a security incident targeting the Cork Protocol attracted industry attention. On that day at 11:23 UTC, the wstETH:weETH market of the Cork Protocol was attacked, resulting in a loss of over 12 million USD for the protocol.
After the incident, Cork Protocol quickly took action to suspend trading in all other markets to prevent further escalation of risks. The team is currently actively investigating the cause of the incident and is committed to providing ongoing updates on relevant progress.
Attack Reason Analysis
The root cause of this attack is two key vulnerabilities in the Cork Protocol:
Cork allows users to create a redeemable asset (RA) from any asset through the CorkConfig contract, which enables attackers to use DS (Depeg Swap) tokens as RA.
Any user can invoke the beforeSwap function of the CorkHook contract without authorization and pass in custom hook data to perform the CorkCall operation. This allows attackers to manipulate DS tokens in legitimate markets, deposit them into another market for use as RA, and obtain the corresponding DS and CT (Cover Token) tokens.
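As an added illustration (not Cork Protocol's code), the Solidity sketch below shows one way to close both weaknesses: market creation rejects the protocol's own DS/CT tokens as RA or PA, and the hook callback accepts calls only from the pool manager and takes the market from the pool rather than from caller-supplied hook data. All contract, function and error names are hypothetical, and the Uniswap v4 hook signature is simplified to a `bytes32` pool id.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only, NOT Cork Protocol's code; every name here is hypothetical.
contract IssuedToken {} // placeholder for a DS or CT token deployed by the protocol

contract GuardedMarketHook {
    address public immutable poolManager;             // sole legitimate caller of hook callbacks
    uint256 public marketCount;                       // makes every market id unique
    mapping(address => bool) public isProtocolIssued; // DS/CT tokens deployed by this contract
    mapping(bytes32 => bytes32) public marketOfPool;  // pool id => market id, fixed at creation

    error NotPoolManager(address caller);
    error ProtocolTokenAsAsset(address token);
    error MarketMismatch(bytes32 expected, bytes32 supplied);

    constructor(address poolManager_) {
        poolManager = poolManager_;
    }

    // Weakness 1: reject markets whose RA or PA is one of the protocol's own DS/CT tokens.
    function createMarket(address ra, address pa) external returns (bytes32 marketId, bytes32 poolId) {
        if (isProtocolIssued[ra]) revert ProtocolTokenAsAsset(ra);
        if (isProtocolIssued[pa]) revert ProtocolTokenAsAsset(pa);
        marketId = keccak256(abi.encode(ra, pa, ++marketCount));
        address ds = address(new IssuedToken());
        address ct = address(new IssuedToken());
        isProtocolIssued[ds] = true;
        isProtocolIssued[ct] = true;
        // Simplification: the real pool id would be derived from the Uniswap v4 pool key.
        poolId = keccak256(abi.encode(ra, ct));
        marketOfPool[poolId] = marketId;
    }

    // Weakness 2: only the pool manager may call, and the market is looked up from the
    // pool being swapped; a market id inside hookData is checked, never trusted.
    function beforeSwap(address, bytes32 poolId, bytes calldata hookData) external returns (bytes4) {
        if (msg.sender != poolManager) revert NotPoolManager(msg.sender);
        bytes32 supplied = abi.decode(hookData, (bytes32));
        bytes32 expected = marketOfPool[poolId];
        if (expected == bytes32(0) || supplied != expected) revert MarketMismatch(expected, supplied);
        return this.beforeSwap.selector;
    }
}
```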
Attack Process
The main operational steps of the attacker are as follows:
Use wstETH to purchase weETH8CT-2 tokens on a legitimate market.
Create a new market, using a custom Exchange Rate provider, set weETH8DS-2 token as RA, wstETH as PA (Pegged Asset).
Add liquidity to the new market to initialize the corresponding liquidity pool in Uniswap v4.
Utilize the unlocking mechanism of the Uniswap v4 Pool Manager to call the beforeSwap function of CorkHook, passing in custom market and hook data.
By constructing hook data, transfer the weETH8DS-2 tokens from the legitimate market into the new market as RA, and obtain the corresponding CT and DS tokens from the new market.
Use the obtained CT and DS tokens to redeem RA tokens (i.e., weETH8DS-2 tokens) in the new market.
Match the weETH8DS-2 token with the previously purchased weETH8CT-2 token, and redeem wstETH tokens in the original market.
Capital Flow
According to the on-chain anti-money laundering and tracking tool MistTrack, the attacker’s address profited 3,761.878 wstETH, worth over 12 million USD. Subsequently, the attacker exchanged wstETH for 4,527 ETH through 8 transactions.
The attacker's initial funds came from a transfer of 4.861 ETH from a certain trading platform. As of now, a total of 4,530.5955 ETH remains in the attacker's address.
Security Recommendations
To prevent similar incidents from happening again, developers should:
This incident reminds us once again that in the DeFi space, security is always the top priority. Protocol developers need to continuously improve security measures, and users should also remain vigilant and pay attention to protecting their asset security.