Cork Protocol Faces $12M Exploit in Wrapped Ethereum Market

Highlights:

• Cork Protocol recently lost $12M worth of wstETH after a smart contract exploit.
• The attacker swapped stolen tokens for 4,530 ETH, held in one wallet.
• All contracts have been stopped as Cork examines what caused the breach.

Cork Protocol suffered an exploit on May 28, resulting in the theft of about $12 million worth of wstETH. More than 3,761 tokens were removed from the platform’s wstETH:weETH pool by a malicious smart contract in just under 17 minutes. Following the incident, Cork Protocol shut down its markets and started reviewing the attack to help prevent further losses.

The hackers targeted a problem with the internal exchange rate system used by the protocol. According to Cyvers and SlowMist, a contract deployed by the attacker was funded by an address connected to a third-party service. By defaulting some values in the exchange part of the protocol, the contract was used to empty the platform of its real assets.

ALERTOur system has identified a $12M smart contract exploit, with @CorkProtocol potentially the victims.

A malicious contract was deployed on May 28, 2025 at 11:23:19 UTC by an address funded by 0x4771…762B (likely a service provider).
Just 16 minutes and 45 seconds… pic.twitter.com/72ScizbJPZ

— Cyvers Alerts (@CyversAlerts) May 28, 2025

Shortly after being stolen, the hackers exchanged the wstETH tokens for roughly 4,530 ETH on a decentralized exchange. Unlike most cryptocurrency hacks, a single wallet held all the converted ETH, with no funds being moved to different wallets. Because of this odd behavior, many are debating how the attack was conducted.

Immediate Response and Investigation Measures

Following the threat, Cork Protocol suspended all contracts on the platform as part of its response. According to the co-founder, the team is looking into the exploit and noted that only the wstETH:weETH market suffered; other markets are unaffected. Engineers, joined by auditors and cybersecurity experts, are investigating what allowed the breach to take place.

We are investigating a potential exploit on @Corkprotocol and are pausing all contracts. We will report back with more information.

— Phil Fogel ( , , ) (@Philfog) May 28, 2025

In March 2025, the protocol was launched with the goal of offering risk management pegged assets using innovative Depeg Swap tokens. They provide users an opportunity to exchange the risks related to stablecoins and liquid staking tokens. Cork gained credibility as many reputable investors such as a16z Crypto, OrangeDAO and Steakhouse Financial, backed its activities.

Despite being audited four times prior, the vulnerability in the internal price oracle system did not come to light. This incident demonstrates that some advanced weaknesses in smart contracts are still hard to find, despite detailed checks. Researchers are asking whether audit procedures are still enough to stop advanced hacking attacks.

Impact on the DeFi Space and Market Data

This attack is happening at a time when there is a surge in attacks on decentralized finance platforms in 2025. Just before the attack, the protocol had safely locked over $23.8 million and reported trading more than $563 million of its risk-hedging tokens. According to data from Dune Analytics, the total value in the wstETH liquidity vault exceeded $1 billion in losses.

Cork Protocol’s unique market niche focuses on protecting assets exposed to depegging risks, a growing concern during market turbulence. Some trading pairs on the platform are wstETH to weETH, sUSDS to USDe, and sUSDe to USDT. The attack targeted the wstETH:weETH pool and all their smart contracts are currently stopped for user fund safety.

The incident shows why further improvements to security architecture in DeFi are necessary. Industry experts note that such breaches, though disruptive, often lead to stronger protocols and better risk management tools.