Meta Pool Avoids $27 Million Exploit
Meta Pool has averted a potential $27 million exploit after a user minted thousands of tokens.
Low liquidity meant the attacker was only able to convert a small fraction, worth about $132,000, before devs halted the contract.
The exploit was traced to a vulnerability in the ERC-4626 `mint()` function used in the platform’s fast unstake mechanism.
DeFi protocol Meta Pool has successfully contained a high-risk exploit that could have resulted in the loss of $27 million. Quick thinking by developers and low liquidity combined to limit the attacker’s actual gains to a relatively minor $132,000 after they had minted nearly $30 million worth of tokens. The liquid staking platform has initiated an investigation into the bug, which allowed unauthorized minting of mpETH, and is preparing a full reimbursement plan for users affected by the exploit.
Exploiter Drowns in Shallow Pool
The incident occurred on June 17 when Meta Pool’s internal monitoring system flagged abnormal behavior involving its fast unstake feature, a function that allows users to bypass the traditional withdrawal cooldown period. The attacker managed to mint approximately 9,705 mpETH, which would ordinarily be valued around $27 million, but because liquidity on the protocol was relatively shallow, they were only able to offload 52.5 ETH, worth around $132,000.
Spotting the issue, developers froze the contract to prevent further abuse and promised an investigation into the matter:
Attention Community,
We would like to inform you that earlier today an attack was detected on the mpETH contract on Ethereum, which resulted in the unauthorized minting of tokens via the mint() function. We are reviewing the impact on the different DEXs and the OP bridge.…
— Meta Pool (@meta_pool) June 17, 2025
ERC-4626 Minting Vulnerability to Blame
Security analysts, including those at blockchain security firm PeckShield, identified the flaw as a logic error in Meta Pool’s implementation of the ERC-4626 `mint()` function. This specific vulnerability was linked to the fast unstake option and allowed for zero-cost minting of mpETH, something that the attacker took full advantage of.
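One check a monitoring system could run to catch zero-cost minting on an ERC-4626 vault, shown as an added example that is not Meta Pool's code or its monitoring system: it flags any transaction that creates shares without a matching asset inflow at the pre-transaction price. The article does not describe the logic error itself, so the check tests only the outcome; `VaultDelta`, `unbacked_shares`, `scan` and the snapshot values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

E = 10**18  # 18-decimal token units

@dataclass(frozen=True)
class VaultDelta:
    """Vault totals before and after one transaction (hypothetical record)."""
    tx: str
    supply_before: int   # totalSupply() of shares
    supply_after: int
    assets_before: int   # totalAssets() backing the shares
    assets_after: int

def unbacked_shares(d: VaultDelta, tolerance_bps: int = 10) -> int:
    """Shares created in this tx beyond what its asset inflow pays for."""
    minted = d.supply_after - d.supply_before
    if minted <= 0:
        return 0  # redemptions and no-ops cannot dilute holders
    inflow = max(d.assets_after - d.assets_before, 0)
    if d.supply_before == 0 or d.assets_before == 0:
        backed = inflow  # empty vault: assume a 1:1 bootstrap rate
    else:
        price = Fraction(d.assets_before, d.supply_before)  # assets per share
        backed = int(inflow / price)
    allowed = backed + backed * tolerance_bps // 10_000  # rounding slack
    return max(minted - allowed, 0)

def scan(deltas, tolerance_bps: int = 10):
    """Return (tx, unbacked share amount) for every violating transaction."""
    hits = []
    for d in deltas:
        extra = unbacked_shares(d, tolerance_bps)
        if extra > 0:
            hits.append((d.tx, extra))
    return hits

# Constructed snapshots, not on-chain data; the 9,705-share jump reuses the
# minted amount quoted in the article purely as a sample magnitude.
SAMPLE = [
    VaultDelta("0xaaa1", 1000 * E, 1010 * E, 1100 * E, 1111 * E),   # paid mint
    VaultDelta("0xbbb2", 1010 * E, 10715 * E, 1111 * E, 1111 * E),  # no inflow
    VaultDelta("0xccc3", 10715 * E, 10700 * E, 1111 * E, 1100 * E), # redeem
]

if __name__ == "__main__":
    for tx, extra in scan(SAMPLE):
        print(f"ALERT {tx}: {extra / E:.1f} shares minted without backing")
```

Because the check compares vault totals rather than emitted events, it still fires when a faulty code path mints without logging a `Deposit` event.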
Meta Pool co-founder Claudio Cossio acknowledged the issue in a public statement on X, noting that the exploit circumvented the normal cooldown protections and should never have been accessible in that way:
Update on ETH exploit on Meta Pool:
– All ETH staked on Meta Pool is SAFU.
– The amount that was taken by the attacker is approx $47,000 USD
– The exploit affected the fast unstake functionality, allowing the attacker to mint mpETH.
– The attacker minted around 10,600 mpETH.
-…
— Claudio Cossio (@ccossio) June 17, 2025
Meta Pool Promises Full Reimbursement
Upon discovering the exploit, Meta Pool’s team acted quickly to disable the affected contract, halting further interactions that could have deepened the damage. In a public update, the team reassured users that their Ethereum deposits remain safe and are still being staked through SSV Network validators, emphasizing, “We want to make it very clear: all ETH staked is secure and continues to accrue rewards.”
A full report and compensation strategy are expected within the next 48 hours, and the affected contract will remain frozen until a secure upgrade is completed. This narrowly averted crisis underscores the importance of automated detection tools and rapid developer response in the DeFi space, with Meta Pool’s quick actions (and a bit of luck) managing to preserve user funds.
The post Meta Pool Avoids $27 Million Exploit appeared first on FullyCrypto.
Filed under: Bitcoin - @ June 18, 2025 10:02 am