MOne Meta Pro App Allows Anyone To Unwrap Their ETH

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

MOne Meta Pro App Logo/Homepage

mOne, a superapp combining payments, entertainment, and identity management, suffered a security breach due to a vulnerability in its base blockchain infrastructure. Specifically, the `unwrapWETH()` function in the `MPRODoubleRewardAutoStake` contract lacked proper access controls, allowing unauthorized withdrawals. As reported by TenArmor, this flaw was exploited in two transactions, leading to a loss of approximately $26.2k USD. Following the incident, the MetaProApp Twitter/X account went silent, and there have been no official statements, recovery efforts, or clarity on the parties affected or responsible.[1][2][3][4][5][6][7][8]

About MOne Meta Pro App

mOne is an all-in-one superapp designed to seamlessly integrate payment, entertainment, and identity management into a single platform. The app serves as a digital wallet, supporting token portfolios, NFTs, and multi-chain capabilities, making it ideal for managing crypto assets. Users can access a comprehensive Games & Apps library, allowing them to play, transact, and engage in Web3-powered in-game actions, all from within a fullscreen, horizontal-mode interface.

From morning to night, mOne transforms daily routines with a full spectrum of features tailored for modern digital lifestyles. Its “Explorer” mode lets users browse collections, games, and applications, while identity is streamlined through the secure mOne ID. This centralized ID system offers users easy access, enhanced profile controls, and strong security features, creating a personalized and protected environment for more than 15,000 users.

Beyond utility, mOne encourages community interaction and rewards participation with card and cashback features. It supports both users and creators with dedicated portals and documentation, helping foster a vibrant ecosystem. Whether buying, selling, collecting, or playing, mOne offers a unified digital space available on iOS and Android—making it a central hub for all aspects of your online life.


The Reality

Unfortunately, it appears that the part of the app which was on the base blockchain was exploitable, due to a lack of access control on the unwrapETH function.

What Happened

A vulnerability in mOne's staking contract allowed unauthorized ETH withdrawals, resulting in a $26.2k loss.

Key Event Timeline - MOne Meta Pro App Allows Anyone To Unwrap Their ETH
Date Event Description
May 8th, 2025 1:49:00 AM MDT New Website Launched The MetaProApp team announces the launch of their new MOne.my website.
May 11th, 2025 11:21:00 AM MDT Final Twitter/X Post Made The MetaProApp team makes what would be their final post on Twitter/X.
May 14th, 2025 2:04:55 AM MDT First Attack Transaction The first attack transaction is accepted by the Base blockchain.
May 14th, 2025 6:25:37 AM MDT Second Attack Transaction The second attack transaction is accepted by the Base blockchain.
May 14th, 2025 7:44:00 PM MDT TenArmor Tweet Posted TenArmor posts a tweet with an overview of the attack, including both attack transactions and a high level overview of the exploit mechanism.

Technical Details

TenArmor reports that the unwrapWETH() function in the MPRODoubleRewardAutoStake contract lacks proper access control, allowing anyone to withdraw the ETH from the staking contract.

Transaction 1: 0xac6f716c57bbb1a4c1e92f0a9531019ea2ecfcaea67794bbd27115d400ae9b41

Transaction 2: 0x5aba4f3ffc80829b565ac71b0d47a92138db164d571c5c0c604382c3677a0191

Total Amount Lost

TenArmor reports the total amount of losses at $26.2k USD.

The total amount lost has been estimated at $26,000 USD.

Immediate Reactions

It appears that the MetaProApp Twitter/X account has stopped posting publicly following the incident.

Ultimate Outcome

It is unclear what the end result will be. There have been no public announcements made.

Total Amount Recovered

There is no evidence that any funds have been recovered.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

It is unclear if any investigation is ongoing, who is affected by the loss, and who is responsible for the loss.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. TenArmor - "Our system has detected multiple suspicious attacks involving #MPRO Lab @metaproapp on #BASE, resulting in an approximately loss of $26.2K. The unwrapWETH() function in the MPRODoubleRewardAutoStake contract lacks proper access control, allowing anyone to withdraw the ETH from the staking contract." - Twitter/X (Accessed Aug 1, 2025)
  2. First Attack Transaction - Basescan (Accessed Aug 1, 2025)
  3. Second Attack Transaction - Basescan (Accessed Aug 1, 2025)
  4. MetaProApp Twitter/X Profile (Accessed Aug 1, 2025)
  5. mOne - My One Superapp - Apple App Store (Accessed Aug 1, 2025)
  6. MetaProApp - "Some call it a site. We call it the front door to something much bigger. Go ahead. Knock." - Twitter/X (Accessed Aug 1, 2025)
  7. MetaProApp - "http://mone.my is now live — a fresh window into the mOne ecosystem. (Accessed Aug 1, 2025)
  8. [Minimal, bold, and built to grow." - Twitter/X Minimal, bold, and built to grow." - Twitter/X] (Accessed Aug 1, 2025)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=MOne_Meta_Pro_App_Allows_Anyone_To_Unwrap_Their_ETH&oldid=6867"