- Meta Pool has averted a potential $27 million exploit after a user minted thousands of tokens
- Low liquidity meant the attacker was only able to convert a small fraction, worth about $132,000, before devs halted the contract
- The exploit was traced to a vulnerability in the ERC-4626 `mint()` function used in the platform's fast unstake mechanism
DeFi protocol Meta Pool has successfully contained a high-risk exploit that could have resulted in the loss of $27 million. Quick thinking by developers and low liquidity combined to limit the attacker's actual gains to a relatively minor $132,000 after they had minted nearly $30 million worth of tokens. The liquid staking platform has initiated an investigation into the bug, which allowed unauthorized minting of mpETH, and is preparing a full reimbursement plan for users affected by the exploit.
Exploiter Drowns in Shallow Pool
The incident occurred on June 17 when Meta Pool's internal monitoring system flagged abnormal behavior involving its fast unstake feature, a function that allows users to bypass the traditional withdrawal cooldown period. The attacker managed to mint approximately 9,705 mpETH, which would ordinarily be valued around $27 million, but because liquidity on the protocol was relatively shallow, they were only able to offload 52.5 ETH, worth around $132,000.
Spotting the issue, developers froze the contract to prevent further abuse and promised an investigation into the matter.
ERC-4626 Minting Vulnerability to Blame
Security analysts, including those at blockchain security firm PeckShield, identified the flaw as a logic error in Meta Pool's implementation of the ERC-4626 `mint()` function. This specific vulnerability was linked to the fast unstake option and allowed for zero-cost minting of mpETH, something that the attacker took full advantage of.
Meta Pool co-founder Claudio Cossio acknowledged the issue in a public statement on X, noting that the exploit circumvented the normal cooldown protections and should never have been accessible in that way.
Meta Pool Promises Full Reimbursement
Upon discovering the exploit, Meta Pool's team acted quickly to disable the affected contract, halting further interactions that could have deepened the damage. In a public update, the team reassured users that their Ethereum deposits remain safe and are still being staked through SSV Network validators, emphasizing, "We want to make it very clear: all ETH staked is secure and continues to accrue rewards."
A full report and compensation strategy are expected within the next 48 hours, and the affected contract will remain frozen until a secure upgrade is completed. This narrowly-averted crisis underscores the importance of automated detection tools and rapid developer response in the DeFi space, with Meta Pool's quick actions (and a bit of luck) managing to preserve user funds.
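The zero-cost minting described above is the kind of event an automated invariant monitor can flag: every ERC-4626 mint should be backed by the underlying assets that the vault's exchange rate demands. The sketch below is an added example, not Meta Pool's monitoring code or contract logic; the record fields, function names and sample values are constructed for illustration, and it assumes standard ERC-4626 accounting in which `mint()` rounds the required assets up.

```python
from dataclasses import dataclass

@dataclass
class MintRecord:
    tx: str                   # constructed label, not a real transaction hash
    shares_minted: int        # shares reported by the vault's Deposit event
    assets_received: int      # underlying tokens actually transferred to the vault
    total_assets_before: int  # vault totalAssets() just before the mint
    total_supply_before: int  # share totalSupply() just before the mint

def required_assets(shares: int, total_assets: int, total_supply: int) -> int:
    """Assets a standard ERC-4626 mint() must collect, rounded up."""
    if total_supply == 0:
        return shares  # assumption: an empty vault starts at a 1:1 rate
    return -(-shares * total_assets // total_supply)  # ceiling division

def shortfall(rec: MintRecord) -> int:
    """Units of underlying missing for this mint; 0 means fully backed."""
    need = required_assets(rec.shares_minted, rec.total_assets_before,
                           rec.total_supply_before)
    return max(0, need - rec.assets_received)

def scan(records):
    """Return (tx, shortfall) for every mint that was not fully paid for."""
    return [(r.tx, shortfall(r)) for r in records if shortfall(r) > 0]

WEI = 10**18
# Constructed sample data: a normal mint, a zero-cost mint,
# and a mint that underpays by one unit through rounding down.
SAMPLE = [
    MintRecord("tx-a", 10 * WEI, 11 * WEI, 1100 * WEI, 1000 * WEI),
    MintRecord("tx-b", 500 * WEI, 0, 1111 * WEI, 1010 * WEI),
    MintRecord("tx-c", 3, 4, 10, 7),
]

if __name__ == "__main__":
    for tx, missing in scan(SAMPLE):
        print(f"ALERT {tx}: mint under-collateralised by {missing} base units")
```

In a live deployment the same check would be fed from the vault's `Deposit` events and the underlying token's transfers, with an alert wired to the pause mechanism.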