Meta Pool ERC-4626 mpETH Mint Without ETH Flaw Exploited
Meta Pool suffered an exploit due to a critical vulnerability in its Ethereum-based mpETH contract, where a failure to properly secure and validate the mint() function—part of the ERC-4626 standard—allowed an attacker to mint $27 million worth of tokens without depositing any ETH. Despite the large on-chain mint, only around $25,000 was redeemed due to limited liquidity, and an additional $117,000 was briefly taken by a MEV bot named “Yoink,” which later returned the funds. Thanks to early detection, the team immediately paused the contract, launched a recovery and buyback effort, and ultimately contained the losses with minimal impact to the protocol.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25]
About Meta Pool
Meta Pool is a multi-chain liquid staking platform offering users the ability to earn rewards by staking digital assets across several blockchains, including Ethereum, Solana, NEAR, ICP, Aurora, and QGOV. By staking, users receive Liquid Staking Tokens (LSTs) that represent their original assets plus rewards, which can be utilized throughout the DeFi ecosystem. With over $114 million in Total Value Locked and more than $15 million in rewards distributed to 18,650 stakers, Meta Pool provides a secure and decentralized pathway to financial freedom.
The platform emphasizes governance through its mpDAO token, empowering the community to participate in key decision-making processes and shape the future of the protocol. Meta Pool positions itself not just as an infrastructure provider, but as a bridge-builder between traditional finance, fintech, and blockchain, with a strong focus on emerging markets and community-driven growth. Security is a top priority, with multiple audits conducted by reputable firms like Halborn, BlockSec, and Nethermind across various chains and smart contracts.
Meta Pool’s ecosystem is supported by trusted custodial and DeFi partners such as Fireblocks, Qredo, Finoa, Rhea.Finance, PiperX, and VEAX Finance. These partnerships enhance its capabilities in asset security, lending, and decentralized trading. The platform maintains transparency through accessible documentation, regular security audits, and a commitment to user-first values. With robust infrastructure and a growing network, Meta Pool continues to push for decentralized, secure, and inclusive financial systems.
What Happened
A vulnerability in Meta Pool’s mpETH contract allowed an attacker to mint $27 million in tokens without depositing ETH. Due to quick action, low liquidity, and partial fund recovery, losses were limited to under $150,000.
| Date | Event | Description |
|---|---|---|
| June 17th, 2025 12:18:59 AM MDT | Potential Original Exploit | A potential original exploit without any profit taken. |
| June 17th, 2025 2:02:59 AM MDT | Attack Transaction On Blockchain | The attack transaction on the blockchain, as reported by PeckShield. |
| June 17th, 2025 2:12:00 AM MDT | PeckShield Notes Suspicious Transaction | PeckShield notes the transaction and that Meta Pool "may want to take a look". |
| June 17th, 2025 2:45:00 AM MDT | PeckShield More Detailed Analysis | PeckShield shares a more detailed analysis of the exploit. They report that "[t]his specific tx freely mints 9700+ mpETH ($27m), but the low-liquidity of mpETH limits the profit to ~10 ETH." |
| June 17th, 2025 7:36:00 AM MDT | Meta Pool Public Announcement | Meta Pool publishes a preliminary post about the exploit. The post states that an attack on the mpETH contract on Ethereum was detected earlier that day, involving unauthorized token minting via the mint() function. The team promptly paused the contract to prevent further damage and is investigating the incident, assessing its impact on DEXs and the OP bridge. Meta Pool is working on analyzing the vulnerability, resolving the issue, and preparing a transparent recovery plan. The contract remains paused as mitigation efforts continue, and the team pledges ongoing updates and support through Discord. |
| June 20th, 2025 9:28:00 PM MDT | Pisces Cris Tweet | Twitter/X user Pisces Cris shares a post praising Meta Pool's response to the recent exploit, highlighting the team's swift and tireless efforts to contain the situation and protect user funds. Describing their actions as a model of accountability in Web3, Cris commends the founders’ dedication and reassures the community that those staking with Meta Pool are in capable hands. Despite the unfortunate incident, the response is described as a testament to the project's integrity and resilience. |
| June 24th, 2025 4:58:00 AM MDT | DIA Community Hub Coverage | The incident and recovery are featured in the DIA Community Hub listing of events. |
| June 25th, 2025 2:29:00 PM MDT | New Liquid Staking Token | Meta Pool launches a new liquid staking token named spETH, which replaces mpETH. |
Technical Details
The attack "resulted in the unauthorized minting of tokens via the mint() function". PeckShield reported that "the @meta_pool staking contract has a critical bug that allows for free mint of mpETH".
The Meta Pool exploit on June 17, 2025, stemmed from a critical vulnerability in the mint() function of its Ethereum-based mpETH contract. The attacker exploited flaws in Meta Pool’s implementation of the ERC-4626 tokenized vault standard, which governs how deposits and mints should be handled. Two transactions were involved: the first, front-run by a white-hat wallet named "Yoink," attempted to mitigate the damage; the second was the actual attack, where the exploiter successfully minted 9,702 mpETH tokens—worth approximately $27 million—without depositing any ETH.
The core technical flaw was a failure to properly override and secure the mint() function. Meta Pool's contract lacked access control, allowing anyone to call mint() without restriction. Additionally, critical input validation was missing in both the mint and internal _deposit functions, enabling token minting with no ETH transferred. This violated the basic principle of liquid staking, where minted tokens should be backed by deposited assets. The smart contract effectively let users create value from nothing, leaving the system vulnerable to abuse.
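The flaw class described above, shown next to a hardened form. This is an added example and not Meta Pool's contract code: the contract names, `depositETH`, and the 1:1 share price are hypothetical simplifications; only `mint()` and `_deposit` are names taken from the text.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative native-ETH vault; NOT Meta Pool's code. All names are hypothetical.
// Shares are priced 1:1 with ETH (an assumption) to keep the accounting visible.
contract EthVaultBase {
    mapping(address => uint256) public balanceOf; // share balances
    uint256 public totalSupply;                   // total shares issued
    uint256 public totalAssets;                   // ETH the vault believes it holds

    // Bookkeeping only: trusts the caller to have already received `assets` wei.
    function _deposit(address receiver, uint256 assets, uint256 shares) internal virtual {
        totalAssets += assets;
        totalSupply += shares;
        balanceOf[receiver] += shares;
    }

    // Intended entry point: ETH arrives as msg.value before _deposit runs.
    function depositETH(address receiver) external payable returns (uint256 shares) {
        require(msg.value > 0, "zero deposit");
        shares = msg.value;
        _deposit(receiver, msg.value, shares);
    }
}

// Flawed pattern: the ERC-4626 mint() path reaches _deposit with no proof of payment.
contract UnbackedMintVault is EthVaultBase {
    function mint(uint256 shares, address receiver) external returns (uint256 assets) {
        assets = shares;                    // previewMint at the assumed 1:1 price
        _deposit(receiver, assets, shares); // nothing was transferred: shares are unbacked
    }
}

// Hardened: every path into _deposit must prove the ETH was actually received.
contract BackedMintVault is EthVaultBase {
    function mint(uint256 shares, address receiver) external payable returns (uint256 assets) {
        require(shares > 0, "zero shares");
        assets = shares;
        require(msg.value == assets, "ETH sent != assets owed");
        _deposit(receiver, assets, shares);
    }

    function _deposit(address receiver, uint256 assets, uint256 shares) internal override {
        super._deposit(receiver, assets, shares);
        // Invariant: recorded assets never exceed the ETH the contract really holds.
        require(address(this).balance >= totalAssets, "unbacked shares");
    }
}
```

The balance invariant in `_deposit` is the backstop: it also covers any entry point added later that forgets its own `msg.value` check.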
Despite the massive on-chain minting, the exploiter could only convert a small portion into real value due to low liquidity and DAO fund structures that limited outflows. Only 52.5 ETH—roughly $130,000—was ultimately withdrawn. While the financial loss was minimal, the incident serves as a crucial reminder that merely adopting token standards like ERC-4626 is not enough; developers must thoroughly understand, validate, and secure every inherited function. QuillAudits’ automated tool, QuillShield, had flagged the issue earlier, emphasizing the need for proactive security testing and code reviews.
Total Amount Lost
Losses were reported by SlowMist as $25k.
While the attacker was able to mint $27m worth of the mpETH token, there was heavily limited liquidity, which allowed for only $25k of redemptions.
There is a report of an additional $117k which was taken by a liquidity provider named yoink.
The total amount lost has been estimated at $142,000 USD.
Immediate Reactions
The team promptly paused the contract to prevent further damage and is now investigating the incident, assessing its impact on DEXs and the OP bridge. It was reported that the contract was immediately paused by the founding team "[t]hanks to early detection".
Ultimate Outcome
It appears that the protocol was relaunched and a buyback was initiated to recover the token value.
A significant portion of the lost funds was recovered from an MEV bot that front-ran the attack.
Total Amount Recovered
Reportedly, funds taken by the yoink MEV were returned to the protocol.
The total amount recovered has been estimated at $117,000 USD.
Ongoing Developments
The remaining losses to the protocol were minimal. It's unclear whether there is any further investigation to trace the funds.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- Meta Pool exploited - Web3IsGoingGreat (Accessed Jul 22, 2025)
- Meta Pool, a Liquid Staking Protocol, Suffers $27M Exploit - CoinDesk (Accessed Jul 22, 2025)
- PeckShield - "Our analysis shows that the @meta_pool staking contract has a critical bug that allows for free mint of mpETH. This specific tx freely mints 9700+ mpETH ($27m), but the low-liquidity of mpETH limits the profit to ~10 ETH." - Twitter/X (Accessed Jul 22, 2025)
- PeckShield - "Hi @meta_pool you may want to take a look" - Twitter/X (Accessed Jul 22, 2025)
- Attack Transaction - Etherscan (Accessed Jul 22, 2025)
- Meta Pool - "We would like to inform you that earlier today an attack was detected on the mpETH contract on Ethereum, which resulted in the unauthorized minting of tokens via the mint() function. We are reviewing the impact on the different DEXs and the OP bridge. Thanks to early detection, the contract was immediately paused by the founding team, preventing further damage." - Twitter/X (Accessed Jul 22, 2025)
- Meta Pool - "Thank you for sharing. We are currently working to resolve it" - Twitter/X (Accessed Jul 22, 2025)
- @ccossio Twitter (Accessed Jul 22, 2025)
- @meta_pool Twitter (Accessed Jul 22, 2025)
- @meta_pool Twitter (Accessed Jul 22, 2025)
- @meta_pool Twitter (Accessed Jul 22, 2025)
- @meta_pool Twitter (Accessed Jul 22, 2025)
- @meta_pool Twitter (Accessed Jul 22, 2025)
- @ccossio Twitter (Accessed Jul 22, 2025)
- Meta Pool - "From Exploit to Recovery: How 45 ETH Were Saved Thanks to Ethical Hackers. We are pleased to report that the entire amount recovered by MEV Frontrunner @yoink6980 — approximately $117,000 USD — was promptly returned to Meta Pool." - Twitter/X (Accessed Jul 22, 2025)
- Pisces Cris - "It hasn’t been an easy week for the @meta_pool team, but as a community member, I’ve been closely watching how they would respond ...and let me tell you, they did not disappoint." - Twitter/X (Accessed Jul 22, 2025)
- AVBNear - "The @meta_pool DAO has now stopped buybacks as target price reached. Last purchase was ~48 hours." - Twitter/X (Accessed Jul 22, 2025)
- DIA Community Hub - "Meta Pool Recovers Funds After mpETH Incident" - Twitter/X (Accessed Jul 22, 2025)
- Meta Pool - "Our liquid staking token is back on Ethereum. Following the recent security incident, Meta Pool has fully restored functionality and launched a new liquid staking token: $spETH." - Twitter/X (Accessed Jul 22, 2025)
- @mdew_eth Twitter (Accessed Jul 22, 2025)
- Potential Profitless Early Attack Transaction - Etherscan (Accessed Jul 22, 2025)
- How $27M in Stolen Tokens Led to Just $130K in Losses [The Meta Pool Hack] - QuillAudits (Accessed Jul 22, 2025)
- Meta Pool LinkTree (Accessed Jul 22, 2025)
- Meta Pool Twitter/X (Accessed Jul 22, 2025)
- coindesk.com/business/2025/06/17/liquid-staking-protocol-meta-pool-suffers-usd27m-exploit (Accessed Jul 22, 2025)