Cork Protocol Loses $12m to Flawed Token Redemption Logic → Security

A close-up view presents an intricate mechanical component, featuring polished silver and grey metallic elements, partially submerged in a luminous blue, viscous liquid topped with light blue foam. The liquid forms a radial, web-like pattern around a central circular bearing, integrating seamlessly with the metallic structure's spokes

$Two large, fractured pieces of a crystalline object are prominently displayed, one clear and one deep blue, resting on a white, snow-like terrain. The background is a soft, light blue, providing a minimalist and stark contrast to the central elements$

Briefing

The Cork Protocol, an on-chain insurance platform, suffered a $12 million exploit on May 28, 2025, due to critical vulnerabilities in its smart contract logic. This incident led to the unauthorized draining of 3,761 wstETH, subsequently converted to ETH, causing significant financial loss and a depeg event for the protocol’s tokenized risk products. The attacker leveraged flawed access controls and inadequate input validation during market creation to manipulate token redemption mechanisms. The total financial impact is estimated at $12 million, highlighting the severe consequences of unaddressed protocol logic flaws.

A spherical object, deep blue with swirling white patterns, is partially encased by a metallic silver, cage-like structure. This protective framework features both broad, smooth bands and intricate, perforated sections with rectangular openings

Context

Prior to this incident, the DeFi ecosystem consistently faced risks from unaudited or insufficiently audited smart contracts, particularly those with complex token interactions and permissionless market creation features. The prevailing attack surface included vulnerabilities in business logic, access controls, and input sanitization, which, if overlooked, could be exploited to manipulate protocol state and asset flows. This class of vulnerability often arises when protocols fail to implement rigorous validation checks on user-supplied data or internal function calls, creating avenues for adversarial manipulation.

A close-up view reveals a detailed blue technological structure with a central cluster of sharp, translucent blue crystalline formations. These crystals, resembling abstract data structures or solidified cryptographic keys, rise from a dark hexagonal base within a larger blue framework

Analysis

The Cork Protocol exploit originated from a critical flaw within its smart contract logic, specifically in how it handled market creation and token redemption. The attacker exploited inadequate access controls in the beforeSwap function and a lack of validation on user-provided callback data within the CorkCall function. This allowed the attacker to create a “fake market” where a legitimate market’s Depeg Swap (DS) token was set as the Redemption Asset (RA).

By manipulating this logic, the attacker tricked the protocol into splitting its own weETH8DS-2 tokens into fake DS and Cover Token (CT) tokens, which were then redeemed for real wstETH from the legitimate market. The initial acquisition of CT tokens via a flash swap from Uniswap further facilitated the attack, enabling the attacker to gain control and drain approximately $12 million in assets.

The image displays a close-up of complex metallic machinery, featuring cylindrical and rectangular components, partially encased by a textured, translucent blue material. The metallic elements exhibit a brushed finish, while the blue substance appears fluid-like with varying opacity, suggesting an internal system

Parameters

Protocol Targeted → Cork Protocol
Attack Vector → Smart Contract Logic Exploit (Flawed Access Controls, Input Validation, Business Logic)
Financial Impact → $12 Million (3,761 wstETH converted to 4,530 ETH)
Blockchain Affected → Ethereum
Date of Incident → May 28, 2025

A highly detailed mechanical assembly is presented, showcasing a blend of polished silver components and vibrant blue, intricate structures. The foreground features concentric silver rings leading to a central textured band, which precisely engages with spoked blue elements, each adorned with directional arrow indicators

Outlook

In the immediate aftermath, protocols with similar tokenized risk mechanisms or permissionless market creation features must undertake urgent and comprehensive security audits, focusing on robust input validation, access control mechanisms, and the integrity of their core business logic. This incident underscores the critical need for multi-layered security protocols and formal verification processes to prevent such exploits, especially in complex DeFi instruments. The broader implication is a reinforcement of the imperative for continuous security monitoring and a shift towards more conservative design patterns in DeFi to mitigate contagion risk across interdependent protocols.

A sleek, futuristic mechanism featuring interlocking white modular components on the left and a dark, intricately designed core illuminated by vibrant blue light on the right. A forceful, granular white explosion emanates from the center, creating a dynamic visual focal point

Verdict

The Cork Protocol exploit serves as a stark reminder that even innovative DeFi designs remain critically vulnerable to fundamental smart contract logic flaws, necessitating uncompromising audit rigor and defensive architectural principles.

Signal Acquired from → Halborn