Cyber Incident Victim: Cork Protocol
Date: May 2025
Location: —
Summary
Cork Protocol experienced a smart contract exploit that resulted in the loss of approximately $12 million in digital assets, with the attacker stealing about 3,761 Wrapped Staked Ether that was quickly converted to Ether. The hack was traced to a transaction funded by an address ending in “762B” and occurred at 11:23:19 UTC, prompting the platform to pause all contracts while it investigated. This incident adds to a series of recent DeFi breaches that have shaken confidence in the sector and highlighted ongoing security challenges.
Description
On May 28, 2025, at 11:23:19 UTC, Cork Protocol experienced a smart contract exploit that resulted in the loss of approximately $12 million in digital assets, according to cybersecurity firm Cyvers. The attacker, whose funding address ended in “762B,” stole roughly 3,761 Wrapped Staked Ether (wstETH); Cyvers reported that the exploit was funded by that address and that the stolen wstETH was swapped for Ether (ETH) almost immediately. In response, Cork Protocol co‑founder Phil Fogel posted on X that the team was investigating a potential exploit and had paused all contracts, promising to share more information later. Pausing the contracts was the immediate containment step.

The loss of roughly $12 million represented a significant impact on Cork Protocol’s holdings and contributed to a broader trend of security incidents in the decentralized finance sector. The article notes that the Cork Protocol exploit is the latest hacking incident to affect the crypto industry, with cybersecurity continuing to be a major issue that lowers consumer confidence. Industry executives have been prompted to call for improved security measures following the event. The immediate response included the suspension of all contracts and an ongoing investigation led by the protocol’s team and external analysts. Beyond the address suffix and the timing of the theft, the source material disclosed no further details about the attacker’s identity or the specific vulnerability exploited.

The article also references other recent hacks for context, including the May 22 exploit of the Cetus decentralized exchange on the Sui network, which resulted in $223 million in stolen funds. Following the Cetus hack, Sui validators froze a majority of the funds, sparking debate about network centralization and the appropriate actions for validators after a major incident. The Cetus team announced a $6 million bounty for white‑hat hackers to assist in returning the remaining stolen assets, and blockchain security firm Dedaub released a post‑mortem report attributing the Cetus exploit to a manipulation of liquidity parameters that evaded a most-significant-bits check. Additionally, the article cites a Hacken CEO observation that there has been “no shift” in crypto security despite April’s hacks totaling $357 million. These related incidents are presented in the source to illustrate the prevailing security challenges in the cryptocurrency ecosystem at the time of the Cork Protocol breach.
