Decentralized finance (DeFi) platform Cork Protocol has suffered a smart contract exploit, with hackers reportedly stealing $12 million worth of wrapped staked ether (wstETH).

Blockchain security monitor Cyvers noticed the exploit, stating that the malicious contract was deployed by a wallet likely funded by a service provider.

It added that $12 million worth of wstETH was quickly swapped for ETH.

Cork Protocol received investments from a16z crypto and OrangeDAO in September 2024.

“There was a security incident affecting the wstETH:weETH market at 11:23 UTC today,” Cork wrote on X.

Cork added that it has paused all other markets as a precaution and that it is investigating the root cause.

Security auditing company Debaub wrote that the attacker likely manipulated an issue with the smart contact’s exchange rate by issuing fake tokens.