Cork Protocol Loses 3,762 wstETH ($12M) in Smart Contract Exploit Targeting Cross-Market Validation

On May 28, 2025, decentralized insurance platform Cork Protocol fell victim to a sophisticated smart contract exploit that resulted in the loss of approximately 3,762 wstETH — valued at roughly $12 million at the time of the attack. The breach, detected by multiple blockchain security firms including SlowMist, Cyvers, Blockaid, Hacken, and Lookonchain, unfolded in under 17 minutes and exposed a critical logic flaw that multiple prior audits had failed to catch.

The Exploit Mechanics

Cork Protocol operates a Peg Stability Module (PSM) that allows users to hedge against the depegging of wrapped tokens such as wstETH and weETH. Users deposit a Redemption Asset (RA), and the protocol mints Depeg Swaps (DS) and Cover Tokens (CT) — instruments that function similarly to put and call options within the DeFi ecosystem.

The attacker exploited a missing validation within a function known as CorkCall. This function accepted user-supplied callback data without verifying its origin or integrity. By creating a new, malicious market and setting their own contract as the Exchange Rate Provider, the attacker was able to mint fraudulent DS and CT tokens. These fake tokens were then used to withdraw legitimate Redemption Assets from the protocol’s real market.

The key trick involved a single token — weETH8DS-2 — which served dual roles: as a legitimate asset in the real Cork market and as a decoy Redemption Asset in the attacker’s fake market. Because the protocol did not cross-verify token origins across different markets, the exploit went completely undetected during execution.

Once the attacker successfully drained the wstETH, they quickly swapped it for approximately 4,530 ETH. At the time of the attack, ETH was trading around $2,682, making the total haul approximately $12 million. The stolen ETH remained in the attacker’s wallet and had not yet been moved to mixing services or other wallets at the time of reporting.

Affected Systems

Cork Protocol confirmed that only the wstETH-to-weETH market was affected. The platform’s other markets — including wETH-to-wstETH, sUSDS-to-USDe, and sUSDe-to-USDT — remained untouched. Upon detecting the exploit, the Cork Protocol team immediately paused all smart contracts and issued a public statement acknowledging the security incident.

The attack was funded through an address (0x4771…762B) that blockchain analytics firm Cyvers believes likely belongs to a service provider — potentially a DeFi protocol, exchange, or bridge that Cork Protocol was using. This detail raises additional concerns about the supply chain security of interconnected DeFi platforms, where a compromised service provider can become an attack vector.

This incident occurred against the backdrop of a devastating month for DeFi security. Just days earlier, on May 22, Cetus Protocol on the Sui blockchain suffered a $223 million hack — the second-largest crypto heist of 2025 after the $1.5 billion Bybit breach. May 2025 saw approximately $275.9 million lost across eight incidents, with zero funds recovered at the time of reporting.

The Mitigation Strategy

Cork Protocol’s immediate response — pausing all contracts — was a textbook damage-containment move that prevented further losses. The team stated they were actively investigating the incident and would provide updates as more information became available.

However, the deeper mitigation requires addressing the root cause: missing parameter validations in the CorkCall function and the absence of cross-market token verification. According to the post-mortem analysis by QuillAudits, the exploit could have been prevented with three specific safeguards:

  • Token reusability checks: The protocol should have verified that DS tokens used as Redemption Assets were not already in use in other markets.
  • Validated callback data: CorkCall should not have trusted user-supplied callback data without proper verification of its origin and integrity.
  • Stricter market creation controls: Permissionless market creation without guardrails allowed the attacker to create a fake market designed specifically to exploit the validation gap.
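
The three safeguards above, sketched as an added Solidity example; it is not Cork Protocol's code and not taken from the QuillAudits post-mortem. `GuardedMarkets`, `DepegSwap`, `IPool`, `trustedPool` and every function name are hypothetical, and settlement logic is reduced to an event.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration: every name here is hypothetical; this is not Cork Protocol's code.
interface IPool { function swap(uint256 amount, bytes calldata data) external; }
contract DepegSwap {} // placeholder for the DS token a market issues
contract GuardedMarkets {
    struct Market { address ra; address ds; address rateProvider; }
    address public immutable admin;
    address public immutable trustedPool;
    mapping(bytes32 => Market) public markets;
    mapping(address => bool) public protocolIssued;       // DS tokens deployed by this contract
    mapping(address => bool) public approvedRateProvider; // allow-list maintained by admin
    bytes32 private expectedCallback;                     // hash of the payload we are waiting for
    event Settled(bytes32 indexed id, address indexed user, uint256 amount);
    error ProtocolTokenAsRA(address token);
    error RateProviderNotApproved(address provider);
    error UnexpectedCallback();
    constructor(address pool) { admin = msg.sender; trustedPool = pool; }
    function setRateProvider(address provider, bool ok) external {
        require(msg.sender == admin, "not admin");
        approvedRateProvider[provider] = ok;
    }

    // Safeguards 1 and 3: a token issued by any market cannot become another market's
    // Redemption Asset, and a market can only use a vetted Exchange Rate Provider.
    function createMarket(address ra, address rateProvider) external returns (bytes32 id) {
        if (protocolIssued[ra]) revert ProtocolTokenAsRA(ra);
        if (!approvedRateProvider[rateProvider]) revert RateProviderNotApproved(rateProvider);
        id = keccak256(abi.encode(ra, rateProvider));
        require(markets[id].ra == address(0), "market exists");
        address ds = address(new DepegSwap());
        protocolIssued[ds] = true;
        markets[id] = Market(ra, ds, rateProvider);
    }

    // Safeguard 2: commit to the callback payload before the external call; the callback
    // below accepts only that exact payload, and only from the trusted pool.
    function startSwap(bytes32 id, uint256 amount) external {
        require(markets[id].ra != address(0) && expectedCallback == bytes32(0), "bad state");
        bytes memory data = abi.encode(id, msg.sender, amount);
        expectedCallback = keccak256(data);
        IPool(trustedPool).swap(amount, data);
        require(expectedCallback == bytes32(0), "callback missing");
    }
    function onSwapCallback(bytes calldata data) external {
        if (msg.sender != trustedPool || keccak256(data) != expectedCallback) revert UnexpectedCallback();
        delete expectedCallback;
        (bytes32 id, address user, uint256 amount) = abi.decode(data, (bytes32, address, uint256));
        emit Settled(id, user, amount); // real settlement would read markets[id], never addresses from data
    }
}
```

A direct call to `onSwapCallback` with caller-built data reverts with `UnexpectedCallback`, and `createMarket` reverts with `ProtocolTokenAsRA` when the proposed Redemption Asset is a DS token this contract deployed.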

The fact that Cork Protocol had undergone multiple audits before the exploit highlights a persistent challenge in DeFi security: traditional audits often focus on surface-level code correctness but may miss complex logic vulnerabilities that emerge from the interaction of multiple protocol components.

Lessons Learned

The Cork Protocol exploit underscores several critical lessons for the DeFi ecosystem. First, logic-level vulnerabilities are fundamentally different from standard coding bugs. They emerge from the design and interaction of protocol mechanisms rather than from implementation errors, making them harder to detect through conventional auditing approaches.

Second, cross-market validation is essential for any protocol that supports multiple trading pairs or markets. When tokens can serve multiple roles across different contexts, the protocol must enforce strict boundaries to prevent manipulation.

Third, the speed of execution in this attack — just 16 minutes from deployment to completion — demonstrates that real-time monitoring systems need to be faster and more sophisticated. While security firms like SlowMist and Cyvers did detect the anomaly, the response was not quick enough to prevent the theft.

Finally, the Cork Protocol incident serves as a stark reminder that audits are not a guarantee of security. Even protocols that have undergone multiple professional audits can harbor critical vulnerabilities. Users should always exercise caution and avoid concentrating too much capital in any single DeFi platform.

User Action Required

If you had funds deposited in Cork Protocol’s wstETH-to-weETH market, you should monitor the protocol’s official communication channels for updates on the investigation and any potential recovery plans. Do not interact with any contracts claiming to be “refund” or “recovery” mechanisms unless they are explicitly announced through Cork Protocol’s verified channels. As always, verify contract addresses independently before signing any transactions.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.

13 thoughts on “Cork Protocol Loses 3,762 wstETH ($12M) in Smart Contract Exploit Targeting Cross-Market Validation”

    1. SmartContractDev bridge security matters but this was a logic flaw not a bridge exploit. the attack stayed within one protocol using fake markets

  1. 0xForensics.eth

    3,762 wstETH stolen through a fake market with a self-set price feed. the CorkCall design was basically asking attackers to try. unvalidated callbacks in a DeFi protocol is asking for it

  2. rekt_auditor_

    3,762 wstETH gone in 17 minutes. the CorkCall function accepting unvalidated callback data is audit 101 level failure

    1. audit 101 is right. accepting user-supplied callback data without origin checks is day one stuff. the fact that multiple firms signed off on this is embarrassing

      1. bugbounty_hunter

        0xAuditFail multiple firms signed off and none caught unvalidated callback data. at some point you have to question whether the audit industry is actually adding security or just legal cover

  3. multiple audits missed the cross-market validation gap. audits are necessary but clearly not sufficient. the weETH8DS dual-role trick was clever

    1. the weETH8DS dual-role trick was clever social engineering of the protocol itself. created a fake market, set their own price feed, then exploited the lack of validation. inside job energy

  4. defi_post_mortem

    SlowMist detected it in 17 minutes but the funds were already moving. 5 security firms flagged it and the exploit was still done by then. response time is meaningless when the tx is atomic

    1. defi_post_mortem 5 firms flagged it in 17 min but the tx was atomic. detection speed means nothing when the exploit is a single block. prevention has to happen before deployment
