In a swift and partially thwarted attack, Meta Pool, a liquid staking protocol, was exploited for the unauthorized minting of 9,705 mpETH tokens worth nearly $27 million. However, due to low liquidity and a rapid response by the protocol’s early detection systems, the attacker was only able to flee with approximately 52.5 ETH (around $132,000).
How the Exploit Happened
According to Meta Pool, the attack targeted a vulnerability in the platform’s “fast unstake” feature. This functionality allows users to bypass the typical unstaking waiting period under certain conditions. However, the attacker abused this logic via the ERC4626 mint() function, leading to the creation of millions worth of mpETH tokens without depositing any real collateral.
Blockchain security firm PeckShield confirmed that a “critical bug” in the smart contract enabled the hacker to mint tokens for free.
Liquidity Constraints Limit the Damage
Despite minting a large volume of mpETH, the attacker’s actual profit was limited to $132,000. This is because mpETH had insufficient liquidity across swap pools, restricting the exploiter’s ability to convert the tokens into valuable assets.
The exploit primarily drained Ethereum and Optimism swap pools, but Meta Pool emphasized that the Ethereum staked on the protocol remains safe and is still being validated through the SSV Network.
Immediate Action and Recovery Plan
Meta Pool credited its early detection systems for quickly identifying the exploit and pausing the affected contract, which prevented further losses. The platform has assured users that:
- All Ethereum staked is secure and still generating rewards.
- A full post-mortem and recovery strategy will be published within the next two days.
- Reimbursement will be provided to users impacted by the exploit.
The mpETH contract will remain paused until the investigation is concluded.
Ongoing Trend of DeFi Exploits
This incident adds to the growing list of DeFi exploits in 2025, including:
- $8.3 million loss at Alex Protocol on the Stacks blockchain (June 6).
- $11.5 million breach at Taiwan-based BitoPro Exchange (May 8).
According to cybersecurity firm CertiK, $2.1 billion has already been stolen across the crypto space this year, with hackers increasingly targeting logic flaws and human vulnerabilities over pure code.
Conclusion
While Meta Pool narrowly avoided a catastrophic loss, the exploit highlights ongoing vulnerabilities in DeFi protocols—especially around complex unstaking features and minting functions. The incident reinforces the need for rigorous audits, liquidity risk management, and real-time monitoring tools.
Disclaimer
This content is for informational purposes only and does not constitute financial, investment, or legal advice. Cryptocurrency trading involves risk and may result in financial loss.