Cork Protocol: Fake token injection → exchange rate manipulation via unvalidated CorkHook input
Summary
Cork Protocol, a depeg insurance / structured products protocol, suffered an exploit on 2025-05-28, resulting in a loss of approximately $12M.
What happened
Cork Protocol, a depeg insurance product, lost $12M when an attacker injected fake tokens into its unvalidated exchange rate calculation, turning the protocol's own market creation feature against itself.
Linked factors
- RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: NO — CorkHook contract was explicitly out of scope for at least Sherlock, Runtime Verification, and Quantstamp. Sherlock confirmed: "The e...] || ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code (CorkHook was out of scope for all known auditors)]
- RD-F-006 — causal : Audit-deploy gap (time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Unknown — CorkHook appears to have been a core component not covered by audits rather than a new deployment]
- RD-F-046 — related : ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- RD-F-072 — causal : Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker address funded via Swapuz (service provider); malicious contract deployed shortly before exploit. No liquidity exit signals reporte...]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Unknown — CorkHook appears to have been a core component not covered by audits rather than a new deployment]