Cork Protocol Exploit: How a Critical Flaw Led to a $12M Loss
On May 28, 2025, a sophisticated exploit shook the Cork Protocol — a decentralized insurance platform designed to tokenize risks associated with depegging events of stablecoins, liquid staking, and restaking assets. The outcome? A staggering $12 million loss, caused by a critical vulnerability within its smart contract logic.
But what really happened? And how could a platform built for managing risk fall victim to a fundamental lapse in security?
What is Cork Protocol?
Cork operates through a mechanism called the Peg Stability Module (PSM), which involves multiple token types:
- Redemption Asset (RA) — the base asset (e.g., ETH)
- Pegged Asset (PA) — the asset pegged to the base (e.g., stETH)
- Depeg Swaps (DS) — similar to put options, hedge against price declines
- Cover Tokens (CT) — akin to call options, earn yield unless a depeg occurs
When a user deposits an RA, Cork mints DS and CT tokens, which can be traded or redeemed under specific conditions. It’s a complex but clever mechanism — that is, until it’s manipulated.
The Exploit in Action
The attacker took advantage of a dangerous oversight: the protocol lacked validation for key parameters, especially within a function known as CorkCall. This allowed them to use legitimate tokens from one market and inject them into a maliciously crafted fake market.
By cleverly creating a new fake market and setting their contract as the Exchange Rate Provider, the attacker was able to mint fake DS and CT tokens. These were then used to withdraw real Redemption Assets (RA), which were later swapped for over 4500 ETH.
The trick? A single token — weETH8DS-2 — was used as both a legitimate asset in the real market and a decoy RA in the fake market. Because the protocol didn’t cross-verify token origins across markets, the attacker slipped through unnoticed.
Root Cause
The entire exploit hinged on missing validations:
- No check on whether the DS token used as RA was already in use elsewhere.
- CorkCall trusted user-supplied callback data without proper verification.
- The protocol allowed permissionless market creation without guardrails.
Even though Cork underwent multiple audits and contests, this logic-level vulnerability was missed — highlighting the need for deeper, scenario-driven testing.
Could This Have Been Prevented?
Absolutely. With better checks on token reusability, validated callback data, and stricter controls around market creation, the exploit could have been thwarted. Complex DeFi protocols like Cork demand multi-layered audits that go beyond surface-level code review.
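The three checks named above, modeled in Python as an added example (this is not Cork's contract code and not part of the original article). The `Registry` class, its method names, the rate-provider allowlist as the market-creation control, and all token and address values are assumptions constructed for illustration:

```python
# Simplified, hypothetical model of the guardrails discussed above.
# Not Cork's contract code; every name and value here is an assumption.
from dataclasses import dataclass


class ValidationError(Exception):
    """Raised when a market or callback fails a guardrail check."""


@dataclass(frozen=True)
class Market:
    market_id: int
    ra: str             # Redemption Asset token
    pa: str             # Pegged Asset token
    rate_provider: str  # Exchange Rate Provider address
    ds: str             # Depeg Swap token issued for this market
    ct: str             # Cover Token issued for this market


class Registry:
    def __init__(self, approved_rate_providers):
        self.approved = set(approved_rate_providers)
        self.markets = {}  # market_id -> Market
        self.issued = {}   # protocol-issued DS/CT token -> issuing market_id

    def create_market(self, ra, pa, rate_provider):
        # Guardrail 1: a DS/CT token issued by one market may not back another.
        for token in (ra, pa):
            if token in self.issued:
                raise ValidationError(f"{token} already issued by market {self.issued[token]}")
        # Guardrail 2: market creation is gated on a vetted rate provider.
        if rate_provider not in self.approved:
            raise ValidationError(f"rate provider {rate_provider} is not approved")
        mid = len(self.markets) + 1
        market = Market(mid, ra, pa, rate_provider, f"{ra}-DS-{mid}", f"{ra}-CT-{mid}")
        self.markets[mid] = market
        self.issued[market.ds] = mid
        self.issued[market.ct] = mid
        return market

    def check_callback(self, market_id, token):
        # Guardrail 3: callback data is user-supplied, so the market must be
        # registered and the token must belong to that same market.
        market = self.markets.get(market_id)
        if market is None:
            raise ValidationError(f"unknown market {market_id}")
        if token not in (market.ra, market.pa, market.ds, market.ct):
            raise ValidationError(f"{token} does not belong to market {market_id}")
        return market
```
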
Don’t Let Your Protocol Be the Next Headline
If you’re building in DeFi, don’t assume audits are just a checkbox. At QuillAudits, we specialize in catching logic flaws before attackers do. Our audits cover edge cases others miss, ensuring your protocol is battle-tested from every angle.