‘Sherlock missed it’: Cork hacker slams audit firms in on-chain messages

The hacker behind last month’s $12 million exploit of Cork Protocol has weighed in on a debate between squabbling crypto security audit firms.

Messages left on-chain from the hacker’s address appear to set the record straight about the root causes of the incident and lament the clout-chasing of some auditors in the wake of such attacks.

The comments came in response to a post made on Wednesday by Jack Sanford, CEO of security audit firm Sherlock. Sandford accuses competitors Spearbit and Cantina of missing the vulnerability and covering up their failures.

In the first message, the hacker states “sherlock missed it.” Minutes later, they moved 4,530 ether — currently valued at $11.6 million — to a new address.

The debate

On May 28, a16z-backed Cork Protocol announced a “security incident affecting the wstETH:weETH market” and a temporary pause of all markets. The post-mortem report that followed stated that “the attacker exploited an access control vulnerability in the Cork Hook, which none of our audits flagged.”

However, Sanford’s post points to the commit hashes submitted in various auditors’ reports, as evidence that the supposed vulnerability did not fall within their scope.

He then highlights Cantina’s failure to provide such hashes and how Spearbit is yet to release their report publicly, despite it being overdue.

In the initial message left by the hacker, they seemingly correct the assumed root cause of the exploit, stating “uniswap hook is not problem,” pouring cold water on the idea that the bug was only present in later versions of the code.

The dressing-down

The attacker then followed up with “a really big bombshell,” written in Estonian, in which they appear to contradict themselves by stating that “Sherlock didn’t miss it,” and that “there are many ways to take DS, not just the Uniswap hook.”

He warns that all companies that missed the initial bug “should not be trusted.”

Somewhat ironically, the hacker’s main beef appears to be with blockchain security companies that capitalize on the attention brought by hacks.

Firms that “failed to detect the real problem” in their assessments allegedly include Dedaub, Three Sigma, Halborn, Blocksec, and many others.

The hacker says firms that look for promotion by releasing analysis before the official post-mortem “are not recommended.”

In a final message, sent hours later, the hacker doubles down on its attack on audit firms that “write nonsense about bugs to promote their brands and profit from the efforts of others.”

They call out Dedaub’s Neville Grech in particular, accusing him of “promoting your brands by analyzing bugs that you can’t detect yourself.”