Cork Protocol Incident Analysis

On May 28, 2025 Cork Protocol suffered a ~$12M loss when an attacker exploited missing parameter checks and the lack of access controls on a Uniswap v4 hook extension (CorkHook) to create a fake market, double-count derivative tokens (weETH8DS-2 / weETH8CT-2 / wstETH derivatives), mint extra tokens and redeem them for 3,761 wstETH. The report provides a detailed step-by-step attack flow, affected contract IDs and addresses, key transactions, and how crafted hook calldata and a malicious exchange rate provider enabled unauthorized minting and fund extraction.