Meta Pool hit with $27M exploit, but attacker flees with only $132K

A hacker has managed to make off with only around $132,000 from their attack on the crypto protocol Meta Pool, which created $27 million worth of tokens they could have stolen. The attack was foiled by low liquidity and a pause on the exploited smart contract.

The attacker was able to mint 9,705 of the liquid staking protocol’s  token  mpETH worth nearly $27 million, but only managed to steal around 52.5 Ether (ETH), worth just over $132,000 from the liquidity swap pools, Meta Pool said in a blog  post  on Tuesday. 

It added that some of the affected pools had low liquidity and volumes, making it harder for the attack to be carried out, and its “early detection systems” helped its team quickly pause the affected  contract , preventing “further unauthorized activity or additional losses.”

Hacker exploited “fast unstake” function

In an X  post  on Tuesday, Meta Pool co-founder Claudio Cossio said the hacker exploited a “fast unstake functionality,” allowing them to mint thousands of mpETH tokens.

Generally,  after unstaking crypto , there is a waiting period before it becomes transferable; however, with fast unstaking, also known as flash unstaking, the waiting period is voided, provided specific conditions are met.

Blockchain security firm PeckShield  posted  to X that the staking contract had a “critical bug,” which allowed the hacker to mint mpETH for free, but the “low liquidity of mpETH limited the profit.”

  Source: Claudio Cossio

The Meta Pool team said that the attack “involved the unauthorized minting of tokens through the ERC4626 mint() function.”

Exploiter drains swap pools 

After minting the mpETH, the exploiter used most of it to drain the swap pools of 52.5 ETH, affecting several Ethereum mainnet and Optimism pools. 

The Meta Pool team said, however, that an affected Optimism pool had “low liquidity and volume.”

“It needs to be cleared that all the Ethereum staked is safe, delegated in the SSV Network operators which is validating blocks and accruing staking rewards on the Ethereum mainnet,” the Meta Pool team said.

A full post-mortem of the incident is expected in the next two days, along with a recovery plan, according to the Meta Pool team. In the meantime, the affected mpETH contract will remain paused while the investigation continues. 

Meta Pool promised to “reimburse the assets lost by this incident” and ensure users are “made whole.” 

Crypto protocols hit with exploits

Alex Protocol, a Bitcoin decentralized finance platform on the Stacks blockchain,  suffered an exploit on June 6 , with $8.3 million in losses after a bad actor used a flaw in the self-listing verification logic to drain liquidity from several asset pools. 

Meanwhile, Taiwan-based crypto exchange BitoPro confirmed on June 2 that a  security breach led to the loss  of more than $11.5 million in assets from its hot wallets on May 8.