Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cork Exploit Post-Mortem- 1665

Cork Protocol, posted 9 months ago
  • On March 4th 2025, Cork Protocol Beta was exploited for 3,761 wstETH. This article explains the exploit methods used in the real attack. The project had two audit contests (Sherlock and Cantina), two audits (Quantstamp and Spearbit), and formal verification work by Runtime Verification. It's interesting that this wasn't caught earlier, but it's hard to say whether this vulnerability was present during the audits. The attack chained two vulnerabilities to make it viable.
  • The first vulnerability was a rollover pricing issue. The Cover Token extraction relies on a pricing mechanism tied to automation to determine the price of the Cover Tokens/Depeg Swaps. The risk premium for DS trades (buys and sells) is computed from the trade amount and the time to expiry. For instance, a price of 0.02 with 1 year to expiry is a 2% risk premium. As the market progresses towards expiry, it should gain in value, since a shorter timeframe leaves fewer opportunities for a disaster to strike.
  • The algorithm used to calculate this is (F/Pt)1^T, where T is the time left. When the expiry is very close, this creates an extreme edge case: for instance, a 0.02 price one hour before expiry yields a 17520% risk premium. Premium calculations skyrocket right at the end.
  • The exploiter purchased 2.5 DS 19 minutes before expiry, which resulted in a 1779.7% risk premium. When this price rolled over to the next step, it was highly skewed: the exploiter converted 0.0000029 wstETH into 3760.8813 CT, draining the entire supply of Cover Tokens from the AMM.
  • The second vulnerability was a fairly deep access control issue. Uniswap V4 supports hooks that can be attached to pool calls. The Cork hook functionality on the FlashSwapRouter contract contained an access control vulnerability: although it validated the callback origin to some extent, the check could be bypassed by spoofing particular input parameters.
  • The Cork article says this was highly sophisticated; the Rekt.news article said it was pretty standard. I find it interesting that these vulnerabilities were missed. According to the rekt.news article, it was out of scope for some of the audits.
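A worked model of the near-expiry blow-up described in the pricing notes above, added here as an illustration and not code from Cork or the post-mortem. It assumes the annualized premium is simply the DS price divided by the time to expiry in years, which reproduces the note's two figures (0.02 at 1 year is 2%, 0.02 at 1 hour is 17520%); the time floor, premium cap and rollover cutoff are hypothetical guards a reviewer might ask for, not the protocol's actual fix.

```python
HOURS_PER_YEAR = 8760.0
MINUTES_PER_YEAR = 525_600.0


def annualized_premium(ds_price: float, years_to_expiry: float) -> float:
    """Naive model assumed here (not the protocol's code): the premium a DS
    buyer pays, scaled linearly to one year. 0.02 with a year left is 2%;
    the same 0.02 with an hour left is 0.02 * 8760 = 175.2, i.e. 17520%."""
    if years_to_expiry <= 0:
        raise ValueError("DS has expired; no premium can be quoted")
    return ds_price / years_to_expiry


def guarded_premium(ds_price: float, years_to_expiry: float,
                    min_years: float = 1 / 365,
                    max_premium: float = 1.0) -> float:
    """Same model with two hypothetical guards: floor the time to expiry so
    the divisor cannot collapse, and cap the annualized premium so a single
    late trade cannot produce an absurd value."""
    t = max(years_to_expiry, min_years)
    return min(ds_price / t, max_premium)


def rollover_reference(trades, cutoff_years: float = 1 / 365,
                       fallback: float = 0.02) -> float:
    """Choose the premium carried into the next period at rollover.
    Trades inside the final cutoff window are ignored; if none remain,
    a fallback is used. `trades` is a list of (ds_price, years_to_expiry)."""
    usable = [guarded_premium(p, t) for p, t in trades if t >= cutoff_years]
    return usable[-1] if usable else fallback


def pct(x: float) -> float:
    return round(x * 100, 1)


if __name__ == "__main__":
    # Constructed sample trades: a normal one a month out, then a purchase
    # 19 minutes before expiry like the one described in the note.
    trades = [(0.02, 30 / 365), (0.02, 19 / MINUTES_PER_YEAR)]
    for price, t in trades:
        print(f"price={price} T={t:.6f}y naive={pct(annualized_premium(price, t))}%"
              f" guarded={pct(guarded_premium(price, t))}%")
    print("rollover premium:", pct(rollover_reference(trades)), "%")
```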