Analysis of the Cork Protocol Hacking Incident: Losses Exceed 10 Million USD

On May 28th, a security incident targeting the Cork Protocol garnered widespread attention. After the incident, the security team quickly intervened to analyze the situation, and the following is a detailed analysis of the attack methods and the fund transfer paths.

Background Overview

Cork Protocol is a tool that provides Depeg swap functionality for the DeFi ecosystem, used to hedge against the de-pegging risks of stablecoins, liquid staking tokens, and other assets. This protocol allows users to transfer price volatility risks to market participants through trading risk derivatives, thereby reducing risk and enhancing capital efficiency.

Attack Cause Analysis

The fundamental reasons for this attack are primarily twofold:

1. Cork allows users to create redemption assets with any asset through the CorkConfig contract (RA), enabling attackers to use DS as RA.

2. Any user can call the beforeSwap function of the CorkHook contract without authorization and allow the input of custom hook data for CorkCall operations. This enables attackers to manipulate DS in legitimate markets, deposit it into another market for use as RA, and obtain the corresponding DS and CT tokens.

Detailed Explanation of the Attack Process

1. The attacker first uses wstETH to purchase weETH8CT-2 tokens on the legitimate market.

2. Create a new market using a custom Exchange Rate provider, with weETH8DS-2 token as RA and wstETH as PA.

3. Add liquidity to new markets so that the protocol can initialize the corresponding liquidity pool in Uniswap v4.

4. Use the unlockCallback function of the Uniswap V4 Pool Manager when unlocking, call the beforeSwap function of CorkHook, and pass in custom market and hook data.

5. By constructing hook data, transfer the weETH8DS-2 token from the legitimate market to the new market as RA, and obtain the corresponding CT and DS tokens from the new market.

6. Redeem RA tokens (weETH8DS-2) in the new market using the obtained CT and DS tokens.

7. Match the weETH8DS-2 token with the previously purchased weETH8CT-2 token, and redeem wstETH tokens in the original market.

Capital Flow Analysis

According to the analysis of on-chain anti-money laundering and tracking tools, the attacker profited 3,761.878 wstETH, worth over $12 million. Subsequently, the attacker exchanged wstETH for 4,527 ETH through 8 transactions. The attacker’s initial funds came from a transfer of 4.861 ETH from a certain trading platform.

As of the analysis, there are a total of 4,530.5955 ETH remaining in the attacker's address. Relevant authorities will continue to monitor the funds.

Security Suggestions

This attack exposed vulnerabilities in the protocol regarding data validation and asset type restrictions. Developers should consider the following when designing smart contracts:

1. Strictly verify that the data provided by the user meets expectations.
2. Restrict the types of assets available in the market.
3. Perform multiple verifications and authorization checks for key operations.
4. Conduct regular security audits to promptly identify and fix potential vulnerabilities.

The complexity of DeFi projects requires development teams to remain highly vigilant during the design and implementation process, continuously improving security measures to prevent similar attacks. Users should also enhance their risk awareness, participate cautiously in emerging DeFi projects, and always pay attention to the security announcements released by the project team.