Jun 2025 - Meta Pool ERC-4626 mpETH Mint Without ETH Flaw Exploited - $142k (Global)

Meta Pool is a multi-chain liquid staking platform offering users the ability to earn rewards by staking digital assets across several blockchains, including Ethereum, Solana, NEAR, ICP, Aurora, and QGOV. By staking, users receive Liquid Staking Tokens (LSTs) that represent their original assets plus rewards, which can be utilized throughout the DeFi ecosystem. With over $114 million in Total Value Locked and more than $15 million in rewards distributed to 18,650 stakers, Meta Pool provides a secure and decentralized pathway to financial freedom.
The platform emphasizes governance through its mpDAO token, empowering the community to participate in key decision-making processes and shape the future of the protocol. Meta Pool positions itself not just as an infrastructure provider, but as a bridge-builder between traditional finance, fintech, and blockchain, with a strong focus on emerging markets and community-driven growth. Security is a top priority, with multiple audits conducted by reputable firms like Halborn, BlockSec, and Nethermind across various chains and smart contracts.
Meta Pool’s ecosystem is supported by trusted custodial and DeFi partners such as Fireblocks, Qredo, Finoa, Rhea.Finance, PiperX, and VEAX Finance. These partnerships enhance its capabilities in asset security, lending, and decentralized trading. The platform maintains transparency through accessible documentation, regular security audits, and a commitment to user-first values. With robust infrastructure and a growing network, Meta Pool continues to push for decentralized, secure, and inclusive financial systems.
The attack "resulted in the unauthorized minting of tokens via the mint() function". PeckShield reported that "the @meta_pool staking contract has a critical bug that allows for free mint of mpETH".
The Meta Pool exploit on June 17, 2025, stemmed from a critical vulnerability in the mint() function of its Ethereum-based mpETH contract. The attacker exploited flaws in Meta Pool’s implementation of the ERC-4626 tokenized vault standard, which governs how deposits and mints should be handled. Two transactions were involved: the first, front-run by a white-hat wallet named "Yoink," attempted to mitigate the damage; the second was the actual attack, where the exploiter successfully minted 9,702 mpETH tokens—worth approximately $27 million—without depositing any ETH.
The core technical flaw was a failure to properly override and secure the mint() function. Meta Pool's contract lacked access control, allowing anyone to call mint() without restriction. Additionally, critical input validation was missing in both the mint and internal _deposit functions, enabling token minting with no ETH transferred. This violated the basic principle of liquid staking, where minted tokens should be backed by deposited assets. The smart contract effectively let users create value from nothing, leaving the system vulnerable to abuse.
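The pattern described above, shown beside a hardened form. This is an added illustration, not Meta Pool's contract: the contract and error names are hypothetical, and shares are priced 1:1 with ETH to keep the accounting short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration, not Meta Pool's code; all names are hypothetical.
abstract contract VaultBase {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    uint256 public totalAssets; // ETH the vault has accounted for as backing

    function _deposit(address receiver, uint256 assets, uint256 shares) internal virtual;

    // Intended entry point: shares are backed by msg.value.
    function depositETH(address receiver) external payable returns (uint256 shares) {
        shares = msg.value; // assumed 1:1 pricing
        _deposit(receiver, msg.value, shares);
    }
}

contract VulnerableVault is VaultBase {
    // ERC-4626-style mint() left callable by anyone: it computes the assets
    // owed but never collects them, and _deposit does not check either.
    function mint(uint256 shares, address receiver) external returns (uint256 assets) {
        assets = shares;
        _deposit(receiver, assets, shares);
    }

    function _deposit(address receiver, uint256 assets, uint256 shares) internal override {
        totalAssets += assets; // books backing that was never received
        balanceOf[receiver] += shares;
        totalSupply += shares;
    }
}

contract HardenedVault is VaultBase {
    error ZeroAmount();
    error Unbacked(uint256 required, uint256 available);

    // mint() must be paid for in the same call, with the exact amount.
    function mint(uint256 shares, address receiver) external payable returns (uint256 assets) {
        assets = shares;
        if (msg.value != assets) revert Unbacked(assets, msg.value);
        _deposit(receiver, assets, shares);
    }

    // Validation sits in the internal function so every entry point inherits it.
    function _deposit(address receiver, uint256 assets, uint256 shares) internal override {
        if (assets == 0 || shares == 0) revert ZeroAmount();
        uint256 required = totalAssets + assets;
        if (address(this).balance < required) revert Unbacked(required, address(this).balance);
        totalAssets = required;
        balanceOf[receiver] += shares;
        totalSupply += shares;
    }
}
```

A useful regression check for either variant is the invariant that `address(this).balance` never falls below `totalAssets` after any sequence of public calls.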
Despite the massive on-chain minting, the exploiter could only convert a small portion into real value due to low liquidity and DAO fund structures that limited outflows. Only 52.5 ETH—roughly $130,000—was ultimately withdrawn. While the financial loss was minimal, the incident serves as a crucial reminder that merely adopting token standards like ERC-4626 is not enough; developers must thoroughly understand, validate, and secure every inherited function. QuillAudits’ automated tool, QuillShield, had flagged the issue earlier, emphasizing the need for proactive security testing and code reviews.
Losses were reported by SlowMist as $25k.
While the attacker was able to mint $27m worth of the mpETH token, liquidity was severely limited, which allowed for only $25k of redemptions.
There is a report of an additional $117k which was taken by a liquidity provider named yoink.
The team promptly paused the contract to prevent further damage and is now investigating the incident, assessing its impact on DEXs and the OP bridge. It was reported that the contract was immediately paused by the founding team "[t]hanks to early detection".
It appears that the protocol was relaunched and a buyback was initiated to recover the token value.
A significant portion of the lost funds was recovered from an MEV bot that front-ran the attack.
Reportedly, funds taken by the yoink MEV bot were returned to the protocol.
The remaining losses to the protocol were minimal. It's unclear if there is any further investigation to trace down the funds.
Further Analysis
Meta Pool suffered an exploit due to a critical vulnerability in its Ethereum-based mpETH contract, where a failure to properly secure and validate the mint() function—part of the ERC-4626 standard—allowed an attacker to mint $27 million worth of tokens without depositing any ETH. Despite the large on-chain mint, only around $25,000 was redeemed due to limited liquidity, and an additional $117,000 was briefly taken by a MEV bot named “Yoink,” which later returned the funds. Thanks to early detection, the team immediately paused the contract, launched a recovery and buyback effort, and ultimately contained the losses with minimal impact to the protocol.
How Could This Have Been Prevented?
Sources/Further Reading
Meta Pool exploited - Web3IsGoingGreat (Dec 31)
Meta Pool, a Liquid Staking Protocol, Suffers $27M Exploit - CoinDesk (Dec 31)
PeckShield - "Our analysis shows that the @meta_pool staking contract has a critical bug that allows for free mint of mpETH. This specific tx freely mints 9700+ mpETH ($27m), but the low-liquidity of mpETH limits the profit to ~10 ETH." - Twitter/X (Dec 31)
PeckShield - "Hi @meta_pool you may want to take a look" - Twitter/X (Dec 31)
Attack Transaction - Etherscan (Dec 31)
Meta Pool - "We would like to inform you that earlier today an attack was detected on the mpETH contract on Ethereum, which resulted in the unauthorized minting of tokens via the mint() function. We are reviewing the impact on the different DEXs and the OP bridge. Thanks to early detection, the contract was immediately paused by the founding team, preventing further damage." - Twitter/X (Dec 31)
Meta Pool - "Thank you for sharing. We are currently working to resolve it" - Twitter/X (Dec 31)
@ccossio Twitter (Dec 31)
@meta_pool Twitter (Dec 31)
Meta Pool - "From Exploit to Recovery: How 45 ETH Were Saved Thanks to Ethical Hackers. We are pleased to report that the entire amount recovered by MEV Frontrunner @yoink6980 — approximately $117,000 USD — was promptly returned to Meta Pool." - Twitter/X (Dec 31)
Pisces Cris - "It hasn’t been an easy week for the @meta_pool team, but as a community member, I’ve been closely watching how they would respond ...and let me tell you, they did not disappoint." - Twitter/X (Dec 31)
AVBNear - "The @meta_pool DAO has now stopped buybacks as target price reached. Last purchase was ~48 hours." - Twitter/X (Dec 31)
DIA Community Hub - "Meta Pool Recovers Funds After mpETH Incident" - Twitter/X (Dec 31)
Meta Pool - "Our liquid staking token is back on Ethereum. Following the recent security incident, Meta Pool has fully restored functionality and launched a new liquid staking token: $spETH." - Twitter/X (Dec 31)
@mdew_eth Twitter (Dec 31)
Potential Profitless Early Attack Transaction - Etherscan (Dec 31)
How $27M in Stolen Tokens Led to Just $130K in Losses [The Meta Pool Hack] - QuillAudits (Dec 31)
Meta Pool LinkTree (Dec 31)
Meta Pool Twitter/X (Dec 31)
coindesk.com/business/2025/06/17/liquid-staking-protocol-meta-pool-suffers-usd27m-exploit (Dec 31)
t.me/QuadrigaInitiative | /r/QuadrigaInitiative | @QuadrigaInit | info@quadrigainitiative.com