Audit log

Every state-changing event for Cork Protocol: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-06-01 17:47:24Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 423,640,175

   sig

   4XUsQAJUCiSK…rqxaMVEScopyexplorer ↗

   hash

   7r3KxZiMSjce…WUpGyRoJcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (18181 B) ▸

   {"actor":"system:backfill","investigation_id":"f8750343-b24f-46fb-a1a2-526e01032f36","kind":"publish","page_slug":"cork-protocol","published_at":"2026-06-01T17:47:24.849Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Cork Protocol","sections":[{"content":"On May 28, 2025 at approximately 11:23–11:39 UTC, an attacker exploited multiple vulnerabilities in Cork Protocol's smart contracts, draining 3,761 wstETH (approximately $12 million) from the wstETH:weETH Liquidity Vault. The attacker's wallet address is 0xEA6f30e360192bae715599E15e2F765B49E4da98, with the malicious contract deployed at 0x9Af3dCE0813FD7428c47F57A39da2F6Dd7C9bb09. The funding source for the attack wallet was traced to a service provider identified as Swapuz. The stolen wstETH was rapidly converted to ETH. Following the exploit, Cork Protocol paused all market contracts.","heading":"May 2025 Smart Contract Exploit","severity":"critical","sources":[{"credibility":1,"name":"DeFi Platform Cork Protocol Suffers $12M Smart Contract Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/05/28/a16z-backed-cork-protocol-suffers-usd12m-smart-contract-exploit"},{"credibility":1,"name":"Cork Protocol suffers $12M smart contract hack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/cork-protocol-hacked-contracts-paused"},{"credibility":1,"name":"Cork Protocol Post-Mortem — cork.tech","type":"official","url":"https://www.cork.tech/blog/post-mortem"}]},{"content":"Security researchers identified three overlapping vulnerabilities that combined to enable the exploit. The primary flaw was a missing access control modifier on the `beforeSwap` function within the CorkHook contract: the function lacked an `onlyPoolManager` guard, allowing any external caller to invoke it with arbitrary parameters and manipulate token settlement flows. A secondary vulnerability allowed the protocol to accept DS (Depeg Swap) tokens from one market as redemption assets (RA) in a newly created market, enabling cross-market token contamination. A tertiary issue involved a risk premium miscalculation near token expiry that permitted conversion of a trivially small amount of collateral (0.0000029 wstETH) into substantial derivative positions worth 3,760.88 weETH-CT. The attacker chained these flaws: creating a fraudulent market with legitimate DS tokens as base assets, calling `beforeSwap` without authorization to deposit fake tokens, receiving counterfeit CT/DS positions, and then redeeming those positions against the legitimate protocol for real wstETH. Security firm Dedaub, SlowMist, Halborn, CertiK, and QuillAudits each published independent post-exploit analyses confirming these root causes.","heading":"Technical Vulnerability Analysis","severity":"critical","sources":[{"credibility":2,"name":"The $11M Cork Protocol Hack: A Critical Lesson in Uniswap V4 Hook Security — Dedaub","type":"research","url":"https://dedaub.com/blog/the-11m-cork-protocol-hack-a-critical-lesson-in-uniswap-v4-hook-security/"},{"credibility":2,"name":"Explained: The Cork Protocol Hack (May 2025) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-cork-protocol-hack-may-2025"},{"credibility":2,"name":"Exploit Analysis: Cork Protocol Attacked, Over $10M Lost — SlowMist","type":"research","url":"https://slowmist.medium.com/exploit-analysis-cork-protocol-attacked-over-10-million-lost-75de9f229307"},{"credibility":2,"name":"Cork Protocol Incident Analysis — CertiK","type":"research","url":"https://www.certik.com/resources/blog/cork-protocol-incident-analysis"},{"credibility":2,"name":"How a Critical Bug in Cork Protocol Led to a $12M Exploit — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/cork-protocol-hack-explained"},{"credibility":2,"name":"Cork Protocol Rekt — Rekt News","type":"news_article","url":"https://rekt.news/cork-protocol-rekt"}]},{"content":"Prior to the exploit, Cork Protocol had completed four independent security audits: Quantstamp (October), Sherlock (September), Runtime Verification (October), and a Cantina/Spearbit engagement. The protocol had also maintained a $100,000 bug bounty program on Cantina. Despite this coverage, Cork's own post-mortem acknowledged that the access control vulnerability in the CorkHook contract 'none of our audits flagged.' At least three of the four audit firms — Sherlock, Runtime Verification, and Quantstamp — explicitly excluded CorkHook from their defined scope. Runtime Verification stated: 'This was a time-constrained verification effort...Verification of hook functions was out of scope, again due to time constraints.' The scope of Cantina's and Spearbit's reviews with regard to the hook remained a point of contention, with Spearbit's report reportedly not publicly released at the time of post-exploit coverage. This episode illustrated how audit scope fragmentation can leave critical attack surfaces unreviewed even when multiple firms are engaged.","heading":"Audit Coverage Gaps","severity":"high","sources":[{"credibility":1,"name":"Cork Protocol Post-Mortem — cork.tech","type":"official","url":"https://www.cork.tech/blog/post-mortem"},{"credibility":2,"name":"Cork Protocol Rekt — Rekt News","type":"news_article","url":"https://rekt.news/cork-protocol-rekt"},{"credibility":3,"name":"Jack Sanford on X: How Responsible are Spearbit and Cantina for Cork's $12M Hack?","type":"social_media","url":"https://x.com/jack__sanford/status/1935306618998038680"},{"credibility":1,"name":"Audits — Cork Protocol Docs","type":"official","url":"https://docs.cork.tech/smart-contracts/v1/audits"}]},{"content":"Following the exploit, Cork Protocol stated it engaged US law enforcement and forensic security experts, and attempted multiple rounds of public and private contact with the attacker in an attempt to negotiate fund recovery. These efforts did not result in the return of funds. Approximately $20 million in assets across five other markets remained locked in Cork Liquidity Vaults that were not affected by the exploit, though all protocol functions were paused pending contract upgrades. On June 25, 2025, blockchain security firm PeckShield flagged renewed activity from the attacker's wallet, the first since the May 28 exploit. The attacker transferred a total of 4,520 ETH (approximately $11 million) to Tornado Cash in two tranches: approximately 1,410 ETH followed by approximately 3,110 ETH. Separately, the attacker sent 10 ETH to a Tornado Cash developer legal defense fund and left on-chain messages criticizing audit firms, alleging that 'Sherlock missed it' and accusing named security researchers from firms including Dedaub, Halborn, Three Sigma, and Blocksec of 'promoting brands by analyzing bugs they couldn't detect themselves.' The sophistication of the on-chain communication led some analysts to speculate the attacker may be an established security researcher.","heading":"Fund Recovery and Attacker Behavior","severity":"critical","sources":[{"credibility":2,"name":"Cork Protocol Exploiter Launders Stolen Funds via Tornado Cash, Donates 10 ETH to Developers Legal Fund — Crypto.news","type":"news_article","url":"https://crypto.news/cork-protocol-exploiter-launders-stolen-funds-via-tornado-cash-donates-10-eth-to-developers-legal-fund/"},{"credibility":2,"name":"Cork Protocol Exploiter Resurfaces, Launders $11M and Donates to Tornado Cash Defense Fund — Bitget News","type":"news_article","url":"https://www.bitget.com/news/detail/12560604835357"},{"credibility":2,"name":"'Sherlock Missed It': Cork Hacker Slams Audit Firms in On-Chain Messages — Protos","type":"news_article","url":"https://protos.com/sherlock-missed-it-cork-hacker-slams-audit-firms-in-on-chain-messages/"},{"credibility":1,"name":"Cork Protocol Post-Mortem — cork.tech","type":"official","url":"https://www.cork.tech/blog/post-mortem"}]},{"content":"Cork Protocol was founded in 2023 by Phil Fogel and Rob Schmitt. Fogel previously co-founded FlowCarbon (a tokenized carbon credits platform) and attended Cornell University. Schmitt previously co-founded Vultus, a satellite data and AI company, and attended Lund University. The protocol's core product is the Depeg Swap (DS), a tokenized instrument functionally analogous to a credit default swap (CDS) in traditional finance. Depositing collateral issues two derivative tokens: a Cork Principal Token (cPT), representing the role of an insurance underwriter, and a Cork Swap Token (cST), representing the insurance buyer. DS tokens allow redemption of collateral if a pegged asset — such as a stablecoin, liquid staking token (LST), or yield-bearing token — depegs. Target assets at launch included wstETH, weETH, USDe, and PT-tokens associated with Lido and Ethena integrations. The public beta launched on Ethereum mainnet in March 2025 after a testnet competition in late 2024.","heading":"Protocol Mechanism and Background","severity":"low","sources":[{"credibility":1,"name":"What is Cork? — Cork Protocol Docs","type":"official","url":"https://docs.cork.tech/"},{"credibility":2,"name":"Cork Protocol Joins a16z Crypto CSX Fall 2024 Cohort — CryptoSlate","type":"news_article","url":"https://cryptoslate.com/press-releases/cork-protocol-joins-a16z-cryptos-csx-fall-2024-cohort-with-investor-announcement-and-testnet-trading-competition/"},{"credibility":2,"name":"Phil Fogel — Crunchbase","type":"other","url":"https://www.crunchbase.com/person/phil-fogel-b52c"},{"credibility":2,"name":"Robert Schmitt — Crunchbase","type":"other","url":"https://www.crunchbase.com/person/robert-schmitt-c8e2"}]},{"content":"Cork Protocol raised a $5.5 million seed round in September 2024 led by a16z Crypto Startup Accelerator (CSX), with participation from OrangeDAO, Road Capital, BitGo, Steakhouse Financial, and others. The protocol was selected for the a16z CSX Fall 2024 cohort, providing additional institutional credibility at launch. A second $5.5 million seed round was announced in January 2026 coinciding with the Cork Phoenix relaunch. No governance token or public token sale had been publicly announced or launched as of the most recent reporting; no rug pull indicators were identified in available sources.","heading":"Funding and Investors","severity":"low","sources":[{"credibility":2,"name":"Cork Protocol Secures Funding and Joins a16z CSX — ICO Holder","type":"news_article","url":"https://icoholder.com/en/news/cork-protocol-secures-funding-and-joins-a16z-csx-to-launch-defi-solution-for-pegged-assets"},{"credibility":2,"name":"Seed Round — Cork Protocol — Crunchbase","type":"other","url":"https://www.crunchbase.com/funding_round/cork-protocol-seed--3fe8db94"},{"credibility":2,"name":"Cork Protocol Funding Rounds — CryptoRank","type":"other","url":"https://cryptorank.io/ico/cork-protocol"}]},{"content":"Following the exploit, Cork Protocol paused all markets and began a comprehensive rebuild of the protocol. The rebuilt version, branded Cork Phoenix, launched on Ethereum mainnet on January 19, 2026. The Phoenix version included three new smart contract audits (Quantstamp, Cantina, Sherlock), formal verification by Runtime Verification, and front-end penetration testing with Sayfer — with the team stating these audits were conducted with CorkHook contracts explicitly in scope. The protocol re-integrated with Lido and Ethena partners. Cork V1, the legacy version affected by the exploit, had a reported TVL of approximately $4,900 as of available data, consistent with funds remaining inaccessible during the recovery process. User compensation plans were described as in progress, with Cork stating affected users should reach out via direct message on X, though no public compensation fund announcement had been confirmed in available sources.","heading":"Post-Exploit Recovery and Cork Phoenix Relaunch","severity":"high","sources":[{"credibility":2,"name":"Cork Protocol: Programmable Risk Layer — Web3 Research Global","type":"news_article","url":"https://www.web3researchglobal.com/p/cork-protocol"},{"credibility":1,"name":"Cork Protocol Post-Incident: Lessons Learned and Actions Taken — cork.tech","type":"official","url":"https://www.cork.tech/blog/lessons-learned"},{"credibility":2,"name":"Cork V1 TVL Stats — DeFiLlama","type":"on_chain","url":"https://defillama.com/protocol/cork-v1"}]}],"sources_used":[{"name":"DeFi Platform Cork Protocol Suffers $12M Smart Contract Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/05/28/a16z-backed-cork-protocol-suffers-usd12m-smart-contract-exploit"},{"name":"Cork Protocol suffers $12M smart contract hack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/cork-protocol-hacked-contracts-paused"},{"name":"Cork Protocol Post-Mortem — cork.tech","type":"official","url":"https://www.cork.tech/blog/post-mortem"},{"name":"The $11M Cork Protocol Hack: Uniswap V4 Hook Security — Dedaub","type":"research","url":"https://dedaub.com/blog/the-11m-cork-protocol-hack-a-critical-lesson-in-uniswap-v4-hook-security/"},{"name":"Explained: The Cork Protocol Hack (May 2025) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-cork-protocol-hack-may-2025"},{"name":"Exploit Analysis: Cork Protocol Attacked — SlowMist","type":"research","url":"https://slowmist.medium.com/exploit-analysis-cork-protocol-attacked-over-10-million-lost-75de9f229307"},{"name":"Cork Protocol Incident Analysis — CertiK","type":"research","url":"https://www.certik.com/resources/blog/cork-protocol-incident-analysis"},{"name":"How a Critical Bug in Cork Protocol Led to a $12M Exploit — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/cork-protocol-hack-explained"},{"name":"Cork Protocol Rekt — Rekt News","type":"news_article","url":"https://rekt.news/cork-protocol-rekt"},{"name":"'Sherlock Missed It': Cork Hacker Slams Audit Firms in On-Chain Messages — Protos","type":"news_article","url":"https://protos.com/sherlock-missed-it-cork-hacker-slams-audit-firms-in-on-chain-messages/"},{"name":"Cork Protocol Exploiter Launders Stolen Funds via Tornado Cash — Crypto.news","type":"news_article","url":"https://crypto.news/cork-protocol-exploiter-launders-stolen-funds-via-tornado-cash-donates-10-eth-to-developers-legal-fund/"},{"name":"Cork Protocol: Programmable Risk Layer — Web3 Research Global","type":"news_article","url":"https://www.web3researchglobal.com/p/cork-protocol"},{"name":"What is Cork? — Cork Protocol Docs","type":"official","url":"https://docs.cork.tech/"},{"name":"Audits — Cork Protocol Docs","type":"official","url":"https://docs.cork.tech/smart-contracts/v1/audits"},{"name":"Cork Protocol Joins a16z CSX Fall 2024 — CryptoSlate","type":"news_article","url":"https://cryptoslate.com/press-releases/cork-protocol-joins-a16z-cryptos-csx-fall-2024-cohort-with-investor-announcement-and-testnet-trading-competition/"},{"name":"Phil Fogel — Crunchbase","type":"other","url":"https://www.crunchbase.com/person/phil-fogel-b52c"},{"name":"Robert Schmitt — Crunchbase","type":"other","url":"https://www.crunchbase.com/person/robert-schmitt-c8e2"},{"name":"Cork Protocol Post-Incident Lessons Learned — cork.tech","type":"official","url":"https://www.cork.tech/blog/lessons-learned"},{"name":"Cork V1 TVL Stats — DeFiLlama","type":"on_chain","url":"https://defillama.com/protocol/cork-v1"},{"name":"Cork Protocol exploited for $12 million — Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/?id=cork-protocol-hack"}],"summary":"Cork Protocol is an Ethereum-based DeFi protocol offering tokenized depeg protection instruments analogous to credit default swaps, founded in 2023 by Phil Fogel and Rob Schmitt and backed by a16z CSX. On May 28, 2025, the protocol suffered a critical smart contract exploit resulting in approximately $12 million in losses, attributed to missing access controls in its Uniswap V4 hook integration. Stolen funds were subsequently laundered through Tornado Cash; a rebuilt version dubbed Cork Phoenix launched on mainnet in January 2026.","timeline":[{"date":"2023-01-01","event":"Cork Protocol founded by Phil Fogel and Rob Schmitt.","source":"Crunchbase / Cork Protocol","source_url":"https://www.crunchbase.com/organization/cork-protocol"},{"date":"2024-09-09","event":"Cork Protocol joins a16z Crypto CSX Fall 2024 cohort and announces $5.5M seed round led by a16z CSX with OrangeDAO, Road Capital, BitGo, and Steakhouse Financial.","source":"CryptoSlate / Chainwire","source_url":"https://cryptoslate.com/press-releases/cork-protocol-joins-a16z-cryptos-csx-fall-2024-cohort-with-investor-announcement-and-testnet-trading-competition/"},{"date":"2025-03-01","event":"Cork Protocol public beta launches on Ethereum mainnet with Lido, EtherFi, Ethena, and Sky integrations.","source":"Cork Blog","source_url":"https://www.cork.tech/blog/beta"},{"date":"2025-05-28","event":"Exploit executed at approximately 11:23–11:39 UTC. Attacker drains 3,761 wstETH (~$12M) from wstETH:weETH Liquidity Vault by exploiting missing access controls in CorkHook and cross-market token contamination. Protocol pauses all markets.","source":"CoinDesk / CoinTelegraph / Cork Post-Mortem","source_url":"https://www.coindesk.com/business/2025/05/28/a16z-backed-cork-protocol-suffers-usd12m-smart-contract-exploit"},{"date":"2025-06-25","event":"Attacker resurfaces; transfers 4,520 ETH (~$11M) to Tornado Cash in two tranches and sends 10 ETH to a Tornado Cash developer legal defense fund. On-chain messages left criticizing multiple audit firms.","source":"Crypto.news / Protos","source_url":"https://crypto.news/cork-protocol-exploiter-launders-stolen-funds-via-tornado-cash-donates-10-eth-to-developers-legal-fund/"},{"date":"2026-01-19","event":"Cork Phoenix launches on Ethereum mainnet after comprehensive protocol rebuild, new audits (Quantstamp, Cantina, Sherlock, Runtime Verification), and Lido/Ethena re-integrations. Second $5.5M seed round announced.","source":"Web3 Research Global / Cork Blog","source_url":"https://www.web3researchglobal.com/p/cork-protocol"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 9d17aae9-1cef-4302-b9ac-5f474c98f0d2copy