Liquid Staking Protocol Meta Pool Faces Contract Exploit, Losses of $133,000
Meta Pool, a liquid staking protocol, recently experienced a contract exploit that resulted in unauthorized token minting and losses exceeding $133,000.
The team at Meta Pool was quick to respond to the incident, managing to contain the exploit before further damage could occur. In a blog post on June 17, they credited their early detection systems and the assistance of blockchain security firm BlockSec for helping them swiftly pause the mpETH contract to prevent additional unauthorized activity and losses.
The exploit was traced back to a vulnerability in the ERC4626 mint() function of the mpETH contract, according to the Meta Pool team. Co-founder Claudio Cossio suggested in a separate post that the attacker may have exploited the protocol’s fast unstaking feature to bypass the typical unbonding period and mint mpETH without depositing collateral.
As a result of the exploit, the attackers were able to mint 9,705 mpETH tokens, valued at nearly $27 million. However, due to limited liquidity in the affected pools, they were only able to convert the tokens into 52.5 ETH, equivalent to approximately $133,000 at current prices.
The stolen funds were withdrawn from swap pools across the Ethereum mainnet and Layer 2 networks, including Optimism. The Uniswap pool alone accounted for 37.5 ETH in losses, with most of the liquidity provided by the Meta Pool DAO.
Meta Pool has committed to providing a full post-mortem and recovery plan within 48 hours, as well as reimbursing affected users for their losses. Fortunately, the incident did not impact the 913 ETH initially staked through the mpETH contract, which remains secure with SSV Network operators. Additionally, Meta Pool has confirmed that its staking contracts on other networks such as NEAR, Solana, Aurora, Internet Computer, Q, and Story were not affected.
This exploit comes on the heels of another DeFi incident earlier this month when the Bitcoin-based platform Alex Protocol suffered an $8.3 million breach due to a vulnerability in its self-listing verification logic. In response, Alex Protocol has announced a Treasury Grant Program to reimburse affected users with a combination of original tokens and USDC.