Meta Pool exploited for $133k after attacker mints $27m worth of tokens

Liquidity staking protocol Meta Pool has suffered a contract exploit that led to unauthorized token minting and losses of over $133,000.

Meta Pool was able to contain the incident before further damage was done, according to a June 17 blog post.

According to the team, the attack was identified through “early detection systems” and support from blockchain security firm Blocksec, which helped them respond quickly and pause the mpETH contract to prevent “further unauthorized activity or additional losses.”

The Meta Pool team attributed the incident to a vulnerability in the ERC4626 mint() function of its mpETH contract.

In a separate X post, Meta Pool co-founder Claudio Cossio suggested that the attacker may have exploited the protocol’s fast unstaking feature to bypass the typical unbonding period and mint mpETH without depositing collateral.

The attackers were able to mint 9,705 mpETH tokens, valued at nearly $27 million, using a flaw in the protocol’s Ethereum-based liquid staking contract. However, due to limited liquidity in affected pools, the exploiter was only able to convert the tokens into 52.5 ETH, valued at roughly $133,000 at current prices.

The stolen funds were drained from swap pools across the Ethereum mainnet and Layer 2 networks, including Optimism. 

Meta Pool said the Uniswap pool alone accounted for 37.5 ETH in losses, adding that “most of this liquidity was provided by the Meta Pool DAO.”

A full post-mortem and recovery plan is expected within 48 hours, and the protocol has pledged to reimburse affected users.

The incident did not affect the 913 ETH initially staked through the mpETH contract, which remains secured with SSV Network operators. Meta Pool has also confirmed that its staking contracts on NEAR, Solana, Aurora, Internet Computer, Q, and Story remain unaffected.

This marks the second notable DeFi exploit this month. On June 6, Bitcoin-based platform Alex Protocol suffered an $8.3 million breach after a vulnerability in its self-listing verification logic allowed an attacker to drain multiple asset pools.

Alex Protocol has since announced a Treasury Grant Program to reimburse affected users in a mix of original tokens and USDC.