Crypto Hacker Foils $27M Theft Attempt at Meta Pool, Walks Away with $132,000 | CoinDesk
A sophisticated hacker attempted to exploit the Meta Pool protocol, minting nearly $27 million worth of tokens, but ultimately only managed to steal approximately $132,000 due to low liquidity in affected pools and swift countermeasures by the protocol team.
Attack Execution and Limitations
According to Meta Pool’s blog post, the attacker exploited a vulnerability in the protocol’s smart contracts to mint 9,705 liquid staking tokens (mpETH). Despite holding tokens nominally worth nearly $27 million in staked ETH, the attacker was limited by:
- Significantly lower liquidity in affected pools
- Protocol’s early detection systems
- Immediate pause of the compromised smart contract
The actual theft involved approximately 52.5 ETH, valued at roughly $132,000 at current rates.
Technical Exploit Details
Meta Pool’s co-founder Claudio Cossio confirmed the attacker exploited a “fast unstake functionality,” also known as flash unstaking. This bypassed the standard waiting period for unstaking, contingent on meeting specific conditions. Blockchain security firm PeckShield subsequently identified a “critical bug” in the staking contract that enabled unauthorized minting.
The minting occurred through the ERC-4626 standard’s mint() function, which allowed the attacker to generate mpETH without the corresponding assets or authorization.
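As an added illustration from the detection side (example code written for this page, not code from Meta Pool, CoinDesk or PeckShield, and not a reconstruction of the actual bug, which the article does not detail): a small Python replay of ERC-4626 share accounting that flags a mint() paid with fewer assets than previewMint requires, and an unstake paid out more than previewRedeem allows. The VaultState model and the event log are constructed for this example; the share figures echo the article's numbers only for readability.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed point, as used by ETH and mpETH amounts


@dataclass
class VaultState:
    """Minimal ERC-4626 share accounting: assets backing the vault vs. shares issued."""
    total_assets: int  # underlying ETH (wei) the vault controls, staked or liquid
    total_shares: int  # share-token supply (wei units); mpETH in this scenario

    def preview_mint(self, shares: int) -> int:
        """Assets a correct mint() must pull for `shares`; ERC-4626 rounds up."""
        if self.total_shares == 0:
            return shares  # bootstrap at 1:1
        return -(-shares * self.total_assets // self.total_shares)

    def preview_redeem(self, shares: int) -> int:
        """Most assets a correct redeem()/unstake may pay for `shares`; rounds down."""
        return 0 if self.total_shares == 0 else shares * self.total_assets // self.total_shares


def replay(events, state):
    """Apply mint/redeem events in order; return (index, reason) for each anomaly."""
    anomalies = []
    for i, ev in enumerate(events):
        if ev["kind"] == "mint":
            need = state.preview_mint(ev["shares"])
            if ev["assets"] < need:  # shares created without matching assets
                anomalies.append((i, f"underpaid mint: paid {ev['assets']}, needed {need}"))
            state.total_assets += ev["assets"]
            state.total_shares += ev["shares"]
        elif ev["kind"] == "redeem":
            cap = state.preview_redeem(ev["shares"])
            if ev["assets"] > cap:  # payout exceeds what the shares are backed by
                anomalies.append((i, f"overpaid redeem: paid {ev['assets']}, cap {cap}"))
            state.total_assets -= ev["assets"]
            state.total_shares -= ev["shares"]
    return anomalies


def run_demo():
    """Constructed log: honest deposit and unstake, then an unbacked mint and a
    fast unstake that cashes part of the diluted pool out at the old rate."""
    events = [
        {"kind": "mint", "shares": 10 * WAD, "assets": 10 * WAD},
        {"kind": "redeem", "shares": 2 * WAD, "assets": 2 * WAD},
        {"kind": "mint", "shares": 9705 * WAD, "assets": 0},
        {"kind": "redeem", "shares": 52 * WAD, "assets": 52 * WAD},
    ]
    return replay(events, VaultState(total_assets=0, total_shares=0))
```

Run against real Transfer and Deposit/Withdraw logs, the same two checks give a monitor a concrete trigger for pausing a share token, which is the countermeasure the article credits with limiting the loss.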
Exploit Impact Analysis
Post-exploit analysis reveals the attack affected several Ethereum mainnet and Optimism pools, though the specific pools involved maintained “low liquidity and volume” according to Meta Pool.
Crucially, the protocol emphasized that all staked Ethereum remains secure, with assets delegated through the SSV Network for block validation and earning staking rewards on the Ethereum mainnet.
“All the Ethereum staked is safe, delegated to the SSV Network operators, which are validating blocks and accruing staking rewards on the Ethereum mainnet.”
Protocol Response and Recovery
Meta Pool has committed to reimbursing affected users and to publishing a comprehensive post-mortem analysis within the next 48 hours. The affected mpETH contract remains paused pending the investigation’s completion.
The protocol has promised to ensure users are “made whole” following the incident.