Cork Protocol Depeg Swap Hook
Attacker drained $12M (3,761 wstETH) from Cork Protocol by creating a market referencing another's DS, bypassing auth via a malicious Uniswap v4 hook.
- Date
- Victim: Cork Protocol
- Chain(s)
- Status
- Funds Stolen
On May 28, 2025 at 11:39 UTC, the a16z-backed depeg-insurance protocol Cork Protocol was drained of 3,761 wstETH — approximately $12 million at the time — through a sophisticated exploit that abused Cork's market-creation logic combined with a malicious Uniswap v4 hook. The drain executed in 16 minutes.
What happened
Cork Protocol let users hedge against asset depeg risk. The mechanism:
- PA (Pegged Asset) — what users wanted to protect (e.g., wstETH).
- RA (Reserve Asset) — what the PA was supposed to be pegged to.
- DS (Depeg Swap) — a token users bought to insure against PA depegging.
- CS (Covered Swap) — a token users sold to bet against depegging.
Cork's market-creation function let any user permissionlessly create new markets by specifying the PA and RA. The fatal flaw: the function did not validate that the RA was a legitimate underlying asset — specifically, it did not check that an RA wasn't already itself the DS of another existing market.
The attack:
- Created a new market with the attacker's chosen PA and an RA that pointed to the DS of an existing legitimate market.
- Deployed a malicious Uniswap v4 hook designed to bypass authorisation checks in Cork's CorkHook and FlashSwapRouter contracts.
- Exploited Cork's rollover-pricing logic shortly before the legitimate market's expiry — manipulating an input that influenced how the protocol valued the depeg/cover positions during rollover.
- The malicious hook bypassed the authorisation checks in Cork's swap path, allowing the attacker to withdraw the underlying wstETH that backed the original market.
- Drained 3,761 wstETH and converted it to ETH within 16 minutes.
Aftermath
- Cork paused all market operations and published a detailed post-mortem.
- The team coordinated with white-hat investigators on tracing; partial recovery via cross-exchange cooperation followed but did not return the bulk of the funds.
- The exploit became a notable case study in Uniswap v4 hook risks, given that the malicious hook was central to bypassing Cork's authorisation logic.
Why it matters
Cork Protocol is one of the first major incidents in the post-Uniswap v4 era where the hooks mechanism — a deliberately powerful primitive that lets external contracts intercept pool operations — became a load-bearing component of an exploit. Hooks let protocols compose elegantly, but they also let attackers compose maliciously in ways that protocols implementing their own access control may not anticipate.
The structural lessons, well documented but newly relevant for v4:
- Permissionless market creation requires strict validation of every input — including transitive checks against the state of other markets that the new market might reference.
- Hook integrations must be treated as untrusted callers by default, regardless of how the integrating protocol is configured.
- Even well-audited protocols can ship novel vulnerabilities when they sit at the intersection of multiple primitive composability layers. Cork's audit had reviewed each component in isolation; the exploit combined them.
The Cork incident is also notable for the speed of the drain (16 minutes) and the precision of the attack (executing just before the legitimate market's expiry). These signal an attacker with deep familiarity with the protocol — possibly from prior research or insider knowledge of the codebase.
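The first two lessons above, sketched as an added Solidity example (not Cork's code and not taken from the post-mortem): a registry that rejects any PA or RA that is itself a token issued by another market, and a swap-path function that only the configured pool manager may call. `MarketRegistry`, `IssuedToken`, `trustedPoolManager` and every function and error name are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: every name below is hypothetical; this is not Cork's code.
contract IssuedToken {} // placeholder standing in for a DS or CS token

contract MarketRegistry {
    struct Market { address pa; address ra; address ds; address cs; uint64 expiry; }

    address public immutable trustedPoolManager; // sole caller allowed on the swap path
    mapping(bytes32 => Market) public markets;
    mapping(address => bool) public isIssuedToken; // every DS/CS any market has issued

    error InvalidPair();
    error DerivativeAsUnderlying(address token);
    error MarketExists(bytes32 id);
    error UntrustedCaller(address caller);
    error UnknownMarket(bytes32 id);

    constructor(address poolManager) {
        trustedPoolManager = poolManager;
    }

    // Permissionless creation with the transitive check: neither asset may be
    // a token that some other market in this registry has issued.
    function createMarket(address pa, address ra, uint64 expiry) external returns (bytes32 id) {
        if (pa == address(0) || ra == address(0) || pa == ra) revert InvalidPair();
        if (isIssuedToken[pa]) revert DerivativeAsUnderlying(pa);
        if (isIssuedToken[ra]) revert DerivativeAsUnderlying(ra);

        id = keccak256(abi.encode(pa, ra, expiry));
        if (markets[id].ra != address(0)) revert MarketExists(id);

        address ds = address(new IssuedToken());
        address cs = address(new IssuedToken());
        isIssuedToken[ds] = true; // recorded so later markets cannot reference them
        isIssuedToken[cs] = true;
        markets[id] = Market(pa, ra, ds, cs, expiry);
    }

    // Swap-path entry: authenticate the caller, then require that the market
    // id is one this registry created before any position is touched.
    function marketForSwap(bytes32 id) external view returns (Market memory m) {
        if (msg.sender != trustedPoolManager) revert UntrustedCaller(msg.sender);
        m = markets[id];
        if (m.ra == address(0)) revert UnknownMarket(id);
    }
}
```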
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-cork-protocol-hack-may-2025
- [02] coindesk.com: https://www.coindesk.com/business/2025/05/28/a16z-backed-cork-protocol-suffers-usd12m-smart-contract-exploit
- [03] cork.tech: https://www.cork.tech/blog/post-mortem