Recently, the Cork Protocol on the Ethereum blockchain was attacked, with the attacker profiting 12 million dollars through a logic vulnerability in the project's contract (unverified key parameters). This article provides a detailed analysis and fund tracking of this attack incident.
Written by: Beosin
Recently, the Cork Protocol on the Ethereum blockchain was attacked, with the attacker profiting 12 million dollars through a logic vulnerability in the project's contract (unverified key parameters). The Beosin security team conducted a detailed analysis and fund tracking of this attack incident and shares the results as follows:
Detailed Attack Steps
Before analyzing the attack, we need to understand the special business logic of the Cork Protocol. It introduces a mechanism similar to credit default swaps in traditional finance, called a Depeg Swap, which tokenizes the depegging risk of pegged assets (such as stETH), allowing users to hedge or trade that risk. The token types include:
Redemption Asset (RA): Underlying asset (such as Ether)
Pegged Asset (PA): An asset that is pegged to an underlying asset (e.g., stETH)
Depeg Swaps (DS): Similar to put options, hedging against price declines.
Cover Token (CT): Similar to a call option; it earns a profit if no depegging occurs, and bears the loss if depegging happens.
When users deposit RA, the Cork Protocol mints DS and CT tokens, which users can trade or redeem to stake or hedge risks.
This attack involves the real token market and the fake market constructed by the attacker:
(1) The attacker first created a fake market in which the RA is the weETH8DS-2 token and the PA is wstETH. Note that weETH8DS-2 is the DS token of the real market, yet it was accepted as the RA of the fake market; a cross-market token check should have rejected this.
(2) The attacker purchased weETH8CT-2 from the real market.
(3) The attacker exploited the lack of access control on the beforeSwap function in CorkHook to send custom hook data to the CorkCall function, forcing it to split the attacker's weETH8DS-2 into fake_DS and fake_CT. This is possible because weETH8DS-2 is the RA of the fake market, and the function treats the resulting fake_DS and fake_CT as belonging to the attacker.
(4) After the fake_DS and fake_CT tokens are transferred to the attacker, Cork Protocol's rules allow DS and CT tokens to be exchanged for RA tokens. The attacker exchanged the received fake_DS and fake_CT for weETH8DS-2 through the fake market.
(5) At this point the attacker holds the weETH8CT-2 purchased in step 2 and the reassembled weETH8DS-2, which together can be redeemed for RA (i.e., wstETH) from the real market.
As a result, the attacker can move the real market's DS liquidity into another market (the constructed fake market), redeem it there as RA, and thereby drain the RA liquidity of the real market. The attacker stole 3761 wstETH in this incident and exchanged it for ETH worth approximately 12 million US dollars.
Vulnerability Analysis
From the attack process above, the reasons the vulnerability could be exploited can be summarized in the following three points:
Lack of verification: there was no check of whether the token used as RA was already in use as a DS in another market.
Callback data passed to CorkCall was accepted from users without proper verification.
The protocol allows the creation of permissionless, unrestricted markets.
Although the Cork Protocol has undergone multiple security audits and audit competitions, this logical layer vulnerability was still overlooked. If stricter checks on token reusability, rigorous validation of callback data, and tighter controls on market creation were implemented, this attack could have been avoided.
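As an added illustration of the three controls above (not Cork Protocol's code; every contract, function and variable name here is hypothetical), the following Solidity sketch shows a permissioned market factory that refuses any protocol-minted DS or CT as the RA or PA of a new market, and a swap hook whose beforeSwap callback accepts calls only from the pool manager and binds the caller-supplied hook data to the swap initiator.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative code added for this write-up, not Cork Protocol's source.
// Contract, function and variable names here are hypothetical.

contract MarketRegistry {
    // Every DS/CT the protocol itself issues is recorded so that it can never
    // be registered again as the RA or PA of another market.
    mapping(address => bool) public protocolMinted;
    mapping(address => bool) public marketCreator;
    address public immutable admin;

    error TokenReusedAcrossMarkets(address token);
    error NotAuthorized();

    constructor() { admin = msg.sender; marketCreator[msg.sender] = true; }

    function setMarketCreator(address who, bool allowed) external {
        if (msg.sender != admin) revert NotAuthorized();
        marketCreator[who] = allowed;
    }

    // Market creation is permissioned, and a token that already serves as the
    // DS or CT of an existing market is rejected as the RA or PA of a new one.
    function createMarket(address ra, address pa, address ds, address ct) external {
        if (!marketCreator[msg.sender]) revert NotAuthorized();
        if (protocolMinted[ra]) revert TokenReusedAcrossMarkets(ra);
        if (protocolMinted[pa]) revert TokenReusedAcrossMarkets(pa);
        protocolMinted[ds] = true;
        protocolMinted[ct] = true;
    }
}

// The swap callback accepts calls only from the pool manager, and the
// caller-supplied hook data is bound to the swap initiator before it is acted
// on, so nobody can call the hook directly with data that splits another
// party's tokens.
contract GuardedHook {
    address public immutable poolManager;
    constructor(address pm) { poolManager = pm; }

    function beforeSwap(address sender, bytes calldata hookData) external returns (bytes4) {
        require(msg.sender == poolManager, "hook: caller is not the pool manager");
        (address onBehalfOf, uint256 amount) = abi.decode(hookData, (address, uint256));
        require(onBehalfOf == sender && amount > 0, "hook: invalid hook data");
        // ... perform the split or redemption for `sender` only ...
        return this.beforeSwap.selector;
    }
}
```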
Stolen Fund Tracking
Beosin Trace tracked the stolen funds and found that the attacker's address 0xea6f30e360192bae715599e15e2f765b49e4da98 gained approximately 3761 wstETH, which was then exchanged for ETH through DeFi protocols such as Uniswap and 1inch, for a total of 4530.6 ETH.
The stolen funds have not been transferred yet. Beosin Trace has added the hacker-related addresses to the blacklist and will continue to track them.
According to Beosin Trace analysis, all the stolen funds are still held at the attacker's address.
Summary
At the heart of the attack was a business logic vulnerability in Cork Protocol, which let the attacker steal a large amount of wstETH through fake tokens. Complex DeFi protocols like Cork Protocol require detailed testing and review of the contract's business logic through multi-faceted, multi-layered security audits. The Beosin security team has previously completed security audits of multiple DeFi protocols (e.g., Surf Protocol, SyncSwap, LeverFi, Owlto Finance), focusing on finding contract logic flaws and edge cases that may be overlooked, to ensure that the protocol is fully tested.
Vulnerability Analysis | Analysis and Fund Tracking of the 12 Million Dollar Theft Incident of the Pegged Asset Protocol Cork Protocol