DeFi platform Cork loses $13.8M in wstETH; attacker uses malicious contract

Decentralised finance (DeFi) platform Cork Protocol has paused operations on one of its core trading markets after an apparent exploit drained thousands of wrapped staked Ethereum (wstETH) tokens.
Blockchain security firm SlowMist first flagged the incident on 28 May, citing a potential smart contract vulnerability that allowed an attacker to siphon 3,760 wstETH—valued at millions of dollars—from the protocol’s trading pools.
Cork Protocol later confirmed the breach, categorising it as a “security incident” that impacted the wstETH:weETH market.
While no other platform markets were reportedly affected, the protocol’s automated trading systems were paused as investigations began into the cause and scale of the exploit.
Malicious contract drained tokens in under 20 minutes
Preliminary analysis by Cyvers, a blockchain security firm, indicates the attacker used a malicious smart contract deployed via a wallet address funded by 0x4771…762B.
The origin of these funds is likely a service provider such as a decentralised exchange, DeFi bridge, or liquidity aggregator integrated with Cork Protocol.
The contract was executed just 16 minutes after funding. It successfully converted stolen wstETH into Ethereum, although the resulting ETH has not yet been moved to other wallets or exchanged for stablecoins.
The speed of the exploit points to an automated attack on a contract vulnerability rather than human operational error, and the attacker may have relied on known code libraries or proxy upgrade mechanisms to launch the attack.
Investigations ongoing, but broader implications loom
At the time of writing, Cork Protocol has not issued a timeline for reopening its paused contracts or restoring affected user balances.
Investigators are working to determine whether the flaw originated in Cork’s own codebase or through an integrated third-party application.
So far, no white-hat recovery attempts or on-chain communications from the attacker have been reported.
While no user funds in other markets have been reported lost, the incident puts pressure on DeFi protocols relying on wrapped token mechanisms.
The exploit also raises questions about the due diligence performed on smart contracts, especially those interacting with restaking tokens and derivatives in a high-risk environment.
The exploit is part of a broader trend in 2025 where attackers are targeting complex token infrastructures, particularly those tied to liquid staking.
These wrapped ecosystems, though essential to advanced DeFi activity, are increasingly attractive targets because they rely on multiple layers of smart contract infrastructure.
If future audits do not reveal and address the underlying vulnerability, similar incidents may continue across protocols offering depeg hedging products or other forms of token insurance.
The post DeFi platform Cork loses $13.8M in wstETH; attacker uses malicious contract appeared first on Invezz