The hacker behind last month's $12 million exploit of Cork Protocol has weighed in on a debate between squabbling crypto security audit firms.
Messages left on-chain from the hacker's address appear to set the record straight regarding the root causes of the incident and lament the clout-chasing of some auditors in the wake of such attacks.
The comments came in response to a post made on Wednesday by Jack Sanford, CEO of security audit firm Sherlock. Sanford accuses rivals Spearbit and Cantina of missing the vulnerability and covering up their failures.
In the first message, the hacker states "sherlock missed it." Minutes later, they moved 4,530 ether — currently valued at $11.6 million — to a new address.
The debate
On May 28, a16z-backed Cork Protocol announced a "security incident affecting the wstETH:weETH market" and a temporary pause of all markets. The post-mortem report that followed stated that "the attacker exploited an access control vulnerability in the Cork Hook, which none of our audits flagged."
However, Sanford's post points to the commit hashes submitted in various auditors' reports as proof that the supposed vulnerability didn't fall within their scope.
He then highlights Cantina's failure to provide such hashes and how Spearbit is yet to release their report publicly, despite it being overdue.
In the initial message left by the hacker, they seemingly correct the assumed root cause of the exploit, stating "uniswap hook is not problem," pouring cold water on the idea that the bug was only present in later versions of the code.
The dressing-down
The attacker then followed up with "a really big bombshell," written in Estonian, in which they appear to contradict themselves by stating that "Sherlock didn't miss it," and that "there are many ways to take DS, not just the Uniswap hook."
He warns that all firms that missed the initial bug "should not be trusted."
Somewhat ironically, the hacker's main beef appears to be with blockchain security firms that capitalize on the attention brought by hacks.
Firms that "failed to detect the real problem" in their assessments allegedly include Dedaub, Three Sigma, Halborn, Blocksec, and many others.
The hacker says firms that seek promotion by releasing analysis before the official post-mortem "are not recommended."
In a final message, sent hours later, the hacker doubles down on their attack on audit firms that "write nonsense about bugs to promote their brands and profit from the efforts of others."
They call out Dedaub's Neville Grech in particular, accusing him of "promoting your brands by analyzing bugs that you can't detect yourself."
The Cork Protocol perpetrator?
The content of these later messages suggests the hacker may be a member of the security researcher community with an axe to grind. Others certainly seem to think so.
So he steals 12M, observes the whole drama AND then comments on it 😅
I'm wondering who that is now .. the chance is very high we all know him https://t.co/spm4NNTTvd
— CharlesWang (@0xCharlesWang) June 19, 2025
If so, it wouldn't be the first time suspicions had been raised about an established figure in the scene being a blackhat. Earlier this year, Nick L. Franklin, a prolific researcher who claimed to have "analyzed every major blockchain hack," was linked to the $50 million Radiant Capital hack.