Analysis of the Cork Protocol Hack: Losses Exceed 10 Million USD

On May 28th, a security incident targeting the Cork Protocol drew widespread attention in the industry. After the incident occurred, Cork Protocol quickly took action, suspending all market transactions to prevent further risk expansion. The security team immediately launched an investigation, and here is a detailed analysis of the attack.

Event Background

Cork Protocol is a tool that provides depeg swap functionality for the DeFi ecosystem, aimed at hedging the depegging risks of pegged assets such as stablecoins, liquid staking tokens, and RWAs. Its core mechanism allows users to transfer price volatility risks to market participants through trading risk derivatives, thereby reducing risks and enhancing capital efficiency.

Reason for Attack

There are two fundamental reasons for this attack:

1. Cork allows users to create redemption assets using any asset through the CorkConfig contract (RA), enabling attackers to use DS as RA.

2. Any user can call the beforeSwap function of the CorkHook contract without authorization and allow custom hook data to be passed in for CorkCall operations. This enables attackers to manipulate DS in legitimate markets, deposit it into another market as RA, and obtain the corresponding DS and CT tokens.

Attack Process

1. The attacker first purchases weETH8CT-2 tokens with wstETH on the legitimate market.

2. The attacker created a new market, using a custom Exchange Rate provider, with weETH8DS-2 tokens as RA and wstETH as PA.

3. The attacker adds liquidity to the new market, enabling the protocol to initialize the corresponding liquidity pool in Uniswap v4.

4. By utilizing the unlockCallback function during the unlocking of the Uniswap V4 Pool Manager, the attacker calls the beforeSwap function of CorkHook and passes in custom market and hook data.

5. The CorkCall function trusts the data passed in by the legitimate CorkHook from the upper layer and executes it directly, allowing attackers to transfer the legitimate weETH8DS-2 tokens from the market into the new market as RA, and obtain the corresponding CT and DS tokens from the new market.

6. The attacker redeems RA tokens (i.e., weETH8DS-2 tokens) in the new market using the acquired CT and DS tokens.

7. Finally, the attacker will match the weETH8DS-2 token with the previously purchased weETH8CT-2 token to redeem wstETH tokens in the original market.

Consequences of the Attack

According to the analysis by the on-chain anti-money laundering and tracking tool MistTrack, the attacker’s address profited 3,761.878 wstETH, worth over $12 million. The attacker then exchanged wstETH for 4,527 ETH through 8 transactions.

As of the analysis, there are a total of 4,530.5955 ETH remaining at the attacker's address. The security team will continue to monitor the flow of funds.

Security Recommendations

To prevent similar incidents from happening again, developers should pay attention to the following points when designing protocols:

1. Carefully verify whether each operation of the protocol is as expected.
2. Strictly limit the types of assets in the market.
3. Strengthen the validation of user-provided data to ensure it meets expectations.
4. Conduct regular security audits to timely identify and fix potential vulnerabilities.

This incident once again highlights the importance of security design in DeFi protocols. As the DeFi ecosystem continues to develop, both developers and users need to enhance their security awareness and work together to maintain a healthy and stable ecological environment.