Key Highlights:

• Cork Protocol has taken the precautionary step of pausing all markets after a smart contract exploit costing $12 million.
• Debaub, a security auditing firm, reported that the breach occurred due to a manipulation of the smart contract’s exchange rate, where fake tokens were issued by the attacker.
• The protocol is financially backed by a16z and OrangeDAO.

Overview of the Incident

The decentralized finance (DeFi) platform Cork Protocol was recently compromised, resulting in the theft of $12 million worth of wrapped staked ether (wstETH). Blockchain security monitor Cyvers highlighted that the exploit began when a malicious contract was provisioned by a wallet likely backed by a service provider.

In addition, it was noted that the stolen $12 million in wstETH was rapidly exchanged for ETH.

Cork Protocol had received financial backing from a16z crypto and OrangeDAO in September of last year.

Cork stated via a post on X that there was a critical security event affecting the wstETH:weETH market at 11:23 UTC and confirmed their decision to pause all other markets as they investigate the root cause of this breach.

Further Analysis

According to Debaub, the attacker seems to have exploited an incidence related to the smart contract’s exchange rate, enabled by issuing bogus tokens.

“There was a security incident affecting the wstETH:weETH market at 11:23 UTC today,” Cork communicated through X.

This substantial security breach emphasizes the vulnerabilities present in the DeFi sector, calling for more robust protective measures.