- Meta Pool has averted a potential $27 million exploit after a user minted hundreds of tokens
- Low liquidity meant the attacker was only able to convert a tiny portion, worth about $132,000, before devs halted the contract
- The exploit was traced to a vulnerability in the ERC-4626 `mint()` function used in the platform’s fast unstake mechanism
DeFi protocol Meta Pool has successfully contained a high-risk exploit that could have resulted in the loss of $27 million. Quick thinking by developers and low liquidity combined to limit the attacker’s actual gains to a relatively minor $132,000 after they had minted nearly $30 million worth of tokens. The liquid staking platform has initiated an investigation into the bug, which allowed unauthorized minting of mpETH, and is preparing a full repayment plan for users affected by the exploit.
Exploiter Drowns in Shallow Pool
The incident occurred on June 17 when Meta Pool’s internal monitoring system flagged unusual behavior involving its fast unstake function, a feature that allows users to bypass the usual withdrawal cooldown period. The attacker managed to mint roughly 9,705 mpETH, which would ordinarily be valued at around $27 million, but because liquidity on the protocol was relatively shallow, they were only able to offload 52.5 ETH, worth around $132,000.
Recognizing the issue, developers froze the contract to prevent further abuse and promised an investigation into the matter:
Attention Team,
We want to inform you that earlier today an attack was detected on the mpETH contract on Ethereum, which resulted in the unauthorized minting of tokens through the mint() function. We are reviewing the impact on the different DEXs and the OP bridge.…
— Meta Pool (@meta_pool) June 17, 2025
ERC-4626 Minting Vulnerability to Blame
Security analysts, including those at blockchain security firm PeckShield, identified the flaw as a logic error in Meta Pool’s implementation of the ERC-4626 `mint()` function. This particular vulnerability was linked to the fast unstake option and allowed for zero-cost minting of mpETH, something that the attacker took full advantage of.
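The article does not publish the faulty logic, so the Python below is an added illustration, not Meta Pool's code: it checks the ERC-4626 rule that `mint()` must collect at least `previewMint(shares)` in underlying assets, replaying mint records and flagging any that paid less. The record layout, the vault totals, the sample data and the 1:1 rate for an empty vault are assumptions made for the example.

```python
from dataclasses import dataclass

WEI = 10**18

@dataclass
class Mint:
    tx: str         # constructed transaction label
    shares: int     # shares minted to the receiver, in wei
    assets_in: int  # underlying assets actually moved into the vault, in wei

def required_assets(shares, total_assets, total_supply):
    """ERC-4626 previewMint: assets owed for `shares`, rounded up in the vault's favour."""
    if total_supply == 0:
        return shares  # assumption: 1:1 bootstrap rate for an empty vault
    return -(-shares * total_assets // total_supply)  # ceiling division on integers

def audit_mints(mints, total_assets, total_supply):
    """Replay mints in order; return (tx, shares, shortfall) for every underpaid mint."""
    flagged = []
    for m in mints:
        owed = required_assets(m.shares, total_assets, total_supply)
        if m.assets_in < owed:
            flagged.append((m.tx, m.shares, owed - m.assets_in))
        # Advance state by what really happened, so later mints are priced
        # against the diluted share supply an unbacked mint leaves behind.
        total_assets += m.assets_in
        total_supply += m.shares
    return flagged

# Constructed sample: a vault holding 1100 assets against 1000 shares (rate 1.1).
SAMPLE = [
    Mint("tx-a", 10 * WEI, 11 * WEI),  # pays the full previewMint amount
    Mint("tx-b", 9_705 * WEI, 0),      # shares minted with no assets received
    Mint("tx-c", 1 * WEI, 1 * WEI),    # honest mint after the dilution
]

if __name__ == "__main__":
    for tx, shares, shortfall in audit_mints(SAMPLE, 1100 * WEI, 1000 * WEI):
        print(f"{tx}: {shares / WEI} shares minted, {shortfall / WEI} assets short")
```

The same comparison can back an on-chain invariant test or an alert over a vault's `Deposit` events, since that event carries both the `assets` and `shares` amounts.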
Meta Pool co-founder Claudio Cossio acknowledged the issue in a public statement on X, noting that the exploit circumvented the standard cooldown protections and should never have been accessible in that way:
Update on ETH exploit on Meta Pool:
– All ETH staked on Meta Pool is SAFU.
– The amount that was taken by the attacker is approx $47,000 USD
– The exploit affected the fast unstake functionality, allowing the attacker to mint mpETH.
– The attacker minted around 10,600 mpETH.
-…
— Claudio Cossio (@ccossio) June 17, 2025
Meta Pool Promises Full Reimbursement
Upon discovering the exploit, Meta Pool’s team acted quickly to disable the affected contract, halting further interactions that could have deepened the damage. In a public update, the team reassured users that their Ethereum deposits remain safe and are still being staked through SSV Network validators, emphasizing, “We want to make it very clear: all ETH staked is safe and continues to accrue rewards.”
A full report and compensation plan are expected within the next 48 hours, and the affected contract will remain frozen until a secure upgrade is performed. This narrowly averted crisis underscores the importance of automated detection tools and rapid developer response in the DeFi space, with Meta Pool’s quick actions (and a bit of luck) managing to protect user funds.