On May 28, 2025, at 11:39 UTC, Cork Protocol, an on-chain insurance platform that tokenizes depeg risk for stablecoins, LSTs, and RWAs via Depeg Swaps (DS) and Cover Tokens (CT) in Peg Stability Modules (PSM), lost $12M (3,761 wstETH swapped to 4,530 ETH). An attacker (0xea6f30e360192bae715599e15e2f765b49e4da98, funded via Swapuz.com) exploited unchecked callback data in CorkCall together with permissive market creation, which allowed the DS token weETH8DS-2 from the legitimate wstETH:weETH PSM to be used as the RA of a fake PSM (RA: weETH8DS-2, PA: wstETH).

Attack sequence: after flash-swapping 3,761 weETH8CT-2, deploying a malicious Exchange Rate Provider (0x9af3dce0813fd7428c47f57a39da2f6dd7c9bb09), initializing a Uniswap v4 pool, and invoking beforeSwap via PoolManager's unlockCallback with custom hook data, the attacker triggered CorkCall in the real PSM (0x55b90b37416dc0bd936045a8110d1af3b6bf0fc3) to deposit DS as RA into the fake PSM, minted and burned fake CT/DS (wstETH5CT-3, wstETH5DS-3) to extract DS, then redeemed with CT for wstETH in the original PSM, effectively draining liquidity without economic justification.

SlowMist and Cyvers flagged the attack (tx: 0xfd89cdd0be468a564dd525b222b728386d7c6780cf7b2f90d2b54493be09f64d). Cork paused markets, pledged redeployment and full restoration (per co-founder Phil Fogel), and initiated investigations amid community support.

Despite audits and contests, this vulnerability exposes DeFi's composability pitfalls: over-trusting caller data in hooks, lacking RA type restrictions, and inadequate edge-case validation in permissionless systems. It argues for invariant checks, granular access controls, and simulation of adversarial market creations to guard against such $12M manipulations.
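The two root causes named above (a hook that acts on whatever the caller passes in hook data, and a market factory that accepts a protocol-issued DS as a redemption asset) map onto two concrete checks. The contract below is an added illustrative example written for this report; it is not Cork's code, not Uniswap's `IHooks` interface, and the names `MarketRegistry`, `FlashSwapHook`, `trustedRouter`, `isProtocolToken` and the simplified `beforeSwap` signature are assumptions of the example. It shows the hardened pattern: the hook only trusts the `sender` argument set by the pool manager itself (never an initiator address decoded from `hookData`), and market creation refuses any RA or PA that the registry itself minted as a CT or DS.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative model (not Cork's or Uniswap's code) of two defensive checks
// suggested by the incident write-up above:
//   1. a market factory that never accepts one of its own DS/CT tokens as RA or PA;
//   2. a flash-swap hook that acts only when the swap was initiated by the
//      protocol's own router, as reported by the pool manager, not by hookData.

contract MarketRegistry {
    struct Market {
        address ra;   // redemption asset
        address pa;   // pegged asset
        address ct;   // cover token minted for this market
        address ds;   // depeg swap minted for this market
        bool exists;
    }

    mapping(bytes32 => Market) public markets;
    // Every CT/DS address this registry has ever issued. A later createMarket
    // consults it so a DS from one market can never become the RA of another.
    mapping(address => bool) public isProtocolToken;

    event MarketCreated(bytes32 indexed id, address ra, address pa, address ct, address ds);

    // ct/ds are passed in here for brevity; a real factory would deploy them.
    function createMarket(address ra, address pa, address ct, address ds)
        external
        returns (bytes32 id)
    {
        require(ra != address(0) && pa != address(0), "zero asset");
        require(ra != pa, "RA equals PA");
        // Hardening for the "RA type restriction" gap: a protocol-issued
        // DS or CT is not an acceptable redemption or pegged asset.
        require(!isProtocolToken[ra], "RA is a protocol DS/CT");
        require(!isProtocolToken[pa], "PA is a protocol DS/CT");

        id = keccak256(abi.encode(ra, pa));
        require(!markets[id].exists, "market exists");

        markets[id] = Market(ra, pa, ct, ds, true);
        isProtocolToken[ct] = true;
        isProtocolToken[ds] = true;
        emit MarketCreated(id, ra, pa, ct, ds);
    }
}

// Simplified stand-in for the pool-manager -> hook callback. The real Uniswap v4
// beforeSwap carries more parameters; only the two relevant to the check are kept.
contract FlashSwapHook {
    address public immutable poolManager;   // only caller allowed to invoke the hook
    address public immutable trustedRouter; // the protocol's own flash-swap initiator

    event FlashSwapHandled(bytes32 indexed marketId, uint256 amount);

    constructor(address _poolManager, address _trustedRouter) {
        require(_poolManager != address(0) && _trustedRouter != address(0), "zero address");
        poolManager = _poolManager;
        trustedRouter = _trustedRouter;
    }

    // `sender` is set by the pool manager to the account that called swap();
    // `hookData` is arbitrary bytes chosen by that same account. The weak pattern
    // decodes an initiator or market id from hookData and acts on it. Here the
    // hook refuses unless the pool manager itself vouches that the initiator is
    // trustedRouter, so hookData is only ever interpreted for the protocol's own swaps.
    function beforeSwap(address sender, bytes calldata hookData) external returns (bytes4) {
        require(msg.sender == poolManager, "caller is not pool manager");
        require(sender == trustedRouter, "swap not initiated by trusted router");

        (bytes32 marketId, uint256 amount) = abi.decode(hookData, (bytes32, uint256));
        require(amount > 0, "zero amount");
        // ... settle the flash swap for marketId/amount here; both values are now
        // known to originate from trustedRouter, not from an arbitrary caller.
        emit FlashSwapHandled(marketId, amount);
        return this.beforeSwap.selector;
    }
}
```

The important distinction is which field carries authority: `msg.sender` proves the call came through the pool manager, and the manager-supplied `sender` proves who started the swap; `hookData` proves nothing about its origin and should only parameterize an action already authorized by the first two checks. The registry check is the invariant that "an RA is never a DS/CT of this protocol", which would have rejected a PSM whose RA is weETH8DS-2 at creation time rather than relying on later edge-case validation.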