Meta Pool Stops Hacker Attack: Quick Unstake Vulnerability Allowed Creation of Uncollateralized mpETH Tokens, But Low Liquidity and Quick Response Minimized Damage

Meta Pool, a multi-chain liquid staking protocol, has suffered a critical attack in which an attacker exploited a vulnerability in a smart contract and created mpETH tokens worth about $27 million . However, due to the low liquidity of the affected pools and the rapid response of the Meta Pool team, the hacker was only able to withdraw about 52.5 ETH (approximately $132,000) 1 3 9 .

How the attack happened

The hacker exploited the “fast unstake” feature, which allows users to withdraw funds immediately under certain conditions. This feature typically requires a check of available liquidity before issuing tokens, but the attacker found a way to bypass this check and issued 9,705 mpETH tokens without any real assets backing them 1 3 7 .

Security platform PeckShield described the vulnerability as a “critical bug” because the contract allowed mpETH to be minted freely without any real collateral, which could theoretically lead to unlimited losses. However, the limited liquidity of mpETH in exchange pools significantly limited the attacker’s ability to convert counterfeit tokens into Ethereum 1 9 .

Implications for Meta Pool and Users

The attacker attempted to exchange the created tokens in liquidity pools on the Ethereum and Optimism networks, which allowed him to withdraw only about 52.5 ETH. The Meta Pool team quickly suspended the vulnerable smart contract, which prevented further losses. At the same time, all the main Ethereum placed in staking remained safe, as it is delegated to SSV validators, who continue to verify blocks and receive rewards on the main network 1 3 .

Meta Pool has announced that it has launched an investigation into the incident and plans to provide a full report and recovery measures in the coming days. The affected mpETH contract will remain locked until the investigation is complete. The team has also promised to compensate users for lost assets, guaranteeing damages 1 .

Context and similar incidents

The incident is part of a growing wave of attacks on DeFi protocols. For example, on June 6, DeFi platform Alex Protocol on the Stacks blockchain crashed after $8.3 million was stolen due to a bug in the listing logic. Also, Taiwanese crypto exchange BitoPro confirmed a security incident that resulted in over $11.5 million being stolen from hot wallets 1 .

The significance of the incident

The Meta Pool attack highlights the importance of robust smart contract security and early threat detection systems in the DeFi sector. Despite a massive attempt by an attacker to create counterfeit tokens worth tens of millions of dollars, the combination of low liquidity and the team’s quick response allowed the damage to be minimized and users’ trust in the protocol to be maintained.

Meta Pool, which provides liquid staking for multiple blockchains including Ethereum, NEAR, Solana and others, continues to work on strengthening security and recovering lost funds, which is key to the further development of the decentralized finance market 1 3 9 .

What measures did Meta Pool take to quickly respond to the hacker attack?

Meta Pool took a number of operational measures to quickly respond to the hacker attack, which allowed us to minimize damage and prevent further losses. In particular:

• The early threat detection system allowed the Meta Pool team to quickly identify unauthorized activity and immediately suspend the vulnerable smart contract, which stopped further creation and issuance of counterfeit mpETH tokens 1 .
• Due to this quick response and the low liquidity of the affected exchange pools, the attacker was only able to withdraw around 52.5 ETH (approximately $132,000), despite having created around $27 million worth of tokens 1 .
• The Meta Pool team has blocked the vulnerable mpETH contract until the investigation into the incident is complete, preventing the exploit from being used again 1 .
• The platform also announced plans to fully investigate the incident and develop a recovery plan, including compensation for lost assets to users 1 .

Thus, the key measures were the timely detection of the attack, the rapid shutdown of the vulnerable smart contract and the blocking of further transactions with it, as well as the promise of compensation for damages and a detailed investigation.

How a ‘quick unstake’ vulnerability allowed an attacker to create mpETH tokens

A vulnerability in Meta Pool’s “fast unstake” feature allowed an attacker to create mpETH tokens without any real collateral. This feature typically requires a check for available liquidity before issuing new tokens to avoid issuing “dummy” tokens. However, the hacker found a way to bypass this check, allowing him to illegally mint between 9,705 and 10,600 mpETH tokens without any actual Ethereum collateral 1 2 .

Security platform PeckShield described the vulnerability as a “critical bug” because the contract allowed mpETH to be minted without collateral, effectively creating tokens “out of thin air” 1 2 . The attacker then attempted to exchange the fake tokens for ETH via liquidity pools on the Ethereum and Optimism networks, but was only able to withdraw about 52.5 ETH (approximately $132,000) due to the low liquidity of the pools 1 2 .

Thus, the key problem was to bypass the liquidity check mechanism when quickly withdrawing from staking, which allowed the hacker to generate a large amount of mpETH for free.

Why Low Pool Liquidity Limited the Damage in This Incident

Low liquidity of exchange pools limited the scope of damage in the Meta Pool incident for the following reasons:

• The limited amount of assets in the pools meant that the attacker could not quickly and in large quantities exchange the fake mpETH tokens for Ethereum. Due to the small reserve of liquidity, attempts to sell a large number of tokens resulted in a sharp drop in their price and significant slippage, which made the exchange unprofitable and technically difficult.
• High slippage and price volatility in low-liquidity pools limited the hacker’s ability to convert minted tokens into real ETH at market value. This significantly reduced the amount he was able to withdraw — only about 52.5 ETH (~$132,000), despite creating tokens worth about $27 million.
• Low liquidity gave the Meta Pool team time to react as the attacker’s scale was limited, allowing them to quickly suspend the vulnerable contract and prevent further losses.

Thus, the low liquidity of the pools acted as a natural barrier that reduced the financial damage from the exploit, limiting the attacker’s ability to quickly and massively convert counterfeit tokens into real assets 2 5 .

What steps does the Meta Pool team plan to restore and compensate affected users?

The Meta Pool team is planning the following key steps to recover from the incident and compensate affected users:

• Conducting a full investigation of the incident with a detailed analysis of the vulnerability, attack mechanisms and consequences. A report with the results and a plan for further action will be presented within a few days.
• Blocking the vulnerable mpETH smart contract until the investigation is fully completed to prevent the exploit from being reused.
• Develop and implement a recovery plan that includes measures to eliminate vulnerabilities and improve protocol security.
• Compensation for lost assets to users , which ensures that all those affected by the attack are compensated for their losses.

As such, Meta Pool is focused on a comprehensive approach, from technical analysis and vulnerability mitigation to financial compensation and restoring user trust. These measures are aimed at minimizing the impact of the incident and strengthening the platform’s security in the future.

What is the critical danger of the vulnerability discovered in the mpETH contract

The critical danger of the vulnerability in the mpETH contract is that it allowed an attacker to issue mpETH tokens without the corresponding collateral , i.e. create liquid tokens “out of thin air” without any real collateral in Ethereum. This violates the fundamental rule of collateralizing liquid tokens, leading to devaluation of the token itself and potentially serious financial losses for the protocol and its users.

This vulnerability is a “critical bug” because it undermines trust in the liquid staking system and opens the door to large-scale exploits. In the case of Meta Pool, it was the bypass of the liquidity check mechanism in the “quick unstake” feature that allowed the attacker to mint about 9,705 mpETH tokens without any actual collateral.

More generally, such vulnerabilities are often related to errors in smart contract logic that allow attackers to manipulate the state of the contract, such as through reentrancy attacks — when a contract is called again before the previous operation has completed, which can lead to theft of funds. While in the specific case of Meta Pool, the main issue was bypassing liquidity checks, such logic errors are considered to be among the most dangerous in the Web3 space.

Thus, the critical danger of the mpETH vulnerability lies in the possibility of illegal creation of tokens without collateral , which threatens the integrity and security of the protocol, as well as the financial interests of its users 3 1 .

What is the main danger of the reentrancy vulnerability in the mpETH contract

The main danger of the reentrancy vulnerability in the mpETH contract is that it allows an attacker to repeatedly call contract functions before the previous operation completes , which leads to incorrect accounting of balances and can lead to theft of funds.

Specifically, in this attack, the contract transfers funds to the attacker before updating its internal state (e.g. the user’s balance). The attacker, using a malicious contract, calls the withdraw function again while receiving funds, and since the balance has not yet been updated, the contract transfers funds again. This cycle can be repeated many times, allowing for the theft of much more funds than intended.

In the case of mpETH, such a vulnerability could allow an attacker to:

• Issue tokens or withdraw ETH multiple times, bypassing contract restrictions.
• Manipulate the state of a contract by causing repeated transactions before previous ones are completed, leading to accounting errors and loss of funds.

The reentrancy attack is one of the most destructive in Web3, as exemplified by the 2016 attack on The DAO, where a hacker stole millions of dollars due to a similar vulnerability.

Thus, the critical danger of the reentrancy vulnerability in mpETH is the ability of an attacker to use repeated function calls to repeatedly withdraw funds or create tokens without limitation , which compromises the security and financial integrity of the protocol 1 2 .

1. https://habr.com/ru/companies/otus/articles/887598/
2. https://www.gate.io/ru/learn/articles/the-in-depth-analysis-and-outlook-of-eth-security/6721
3. https://www.gate.com/ru/learn/articles/mev-overview-hidden-value-and-risks-in-blockchain-networks/4922
4. https://www.kucoin.com/ru/learn/crypto/what-is-megaeth-vitalik-buterin-backed-ethereum-layer-2-blockchain
5. https://habr.com/ru/companies/pt/articles/887984/
6. https://cyberleninka.ru/article/n/faktory-dohodnosti-ethereum-kak-platformy-dlya-sozdaniya-detsentralizovannyh-prilozheniy
7. https://www.okx.com/ru/learn/does-ethereum-still-have-future
8. https://anyexchange.best/development-of-layer-2-solutions-on-ethereum-perspectives-for-scale-and-efficiency/
9. https://blog.mexc.com/ru/what-is-ethereum-a-thorough-explanation-in-jp/
10. https://cryptocurrency.tech/kak-reshit-problemy-masshtabiruemosti-seti-ethereum/

1. https://habr.com/ru/companies/otus/articles/887598/
2. https://ibmm.ru/news/kriptoindustriya/chto-takoe-mev-ili-maksimal-naya-izvlekaemaya-tsennost-v-kriptovalyute/
3. https://www.investinfo.pro/view?id=126359&market=crypto&url=eksployt-kriticheskogo-meta—pula—27-millionov-dollarov-
4. https://cyberacademy.dev/blog/31-web3-security-impacts-on-blockchain-and-web-technology
5. https://habr.com/ru/companies/pt/articles/887984/
6. https://www.hx.technology/ru/blog-ru/top-3-smart-contract-audit-tools-ru
7. https://ru.tradingview.com/news/forklog:48fe7c7b967b8:0/
8. https://www.kaspersky.ru/blog/crypto-actually-cryptocurrency-politics-and-metaverse/34388/
9. https://cryptocurrency.tech/razrabotchiki-parity-ustranili-kriticheskuyu-uyazvimost/

1. https://forklog.com/news/validatory-sui-odobrili-plan-vosstanovleniya-162-mln-polzovatelej-cetus
2. https://sendpulse.ua/ru/blog/the-eisenhower-matrix
3. https://developers.meta.com/horizon/documentation/unity/ps-matchmaking-skill-queries/?locale=ru_RU
4. https://www.meta.com/ru-ru/experiences/pool-cubed/3668769916584785/
5. https://www.magnit.com/upload/iblock/40c/os0mnbbin5hbf2atg652fkoxht24ncs5/Magnit_SR2023_RUS.pdf
6. https://rosatom-academy.ru/%D0%9A%D0%B0%D1%82%D0%B0%D0%BB%D0%BE%D0%B3_2025.pdf
7. https://t.me/s/dimsmirnov175?before=88055
8. https://platformv.sbertech.ru/docs/public/PSQ/6.5.1/common/documents/administration-guide/administration-scenarios.html
9. https://nmb.abvpress.ru/jour/article/viewFile/408/283
10. https://xn--90ab5f.xn--p1ai/downloads/iriis_draft_methodology.pdf

1. https://www.gate.com/ru/learn/articles/impermanent-loss-deep-dive-mechanism-calculation-impact-and-mitigation-strategies/8147
2. https://www.block-chain24.com/news/novosti-bezopasnosti/meta-pool-podvergsya-eksploitu-na-27-mln-no-zloumyshlennik-ukral-vsego-132
3. https://www.gate.com/ru/learn/articles/dex-hyperliquid-faces-crisis/8428
4. https://docs.un.org/ru/A/79/513
5. https://fastercapital.com/ru/content/%D0%9A%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B2%D0%B0%D0%BB%D1%8E%D1%82%D0%BD%D0%B0%D1%8F-%D0%BB%D0%B8%D0%BA%D0%B2%D0%B8%D0%B4%D0%BD%D0%BE%D1%81%D1%82%D1%8C—%D1%80%D0%B0%D1%81%D0%BA%D1%80%D1%8B%D1%82%D0%B8%D0%B5-%D0%BA%D1%80%D0%B8%D0%B F%D1%82%D0%BE%D0%BB%D0%B8%D0%BA%D0%B2%D0%B8%D0%B4%D0%BD%D0%BE%D1%8 1%D1%82%D0%B8—%D1%80%D1%83%D0%BA%D0%BE%D0%B2%D0%BE%D0%B4%D1%81%D1%8 2%D0%B2%D0%BE-%D0%B4%D0%BB%D1%8F-%D0%BF%D1%80%D0%B5%D0%B4%D0%BF%D1% 80%D0%B8%D0%BD%D0%B8%D0%BC%D0%B0%D1%82%D0%B5%D0%BB%D0%B5%D0%B9.html
6. https://www.binance.com/ru/square/post/298694799658
7. https://nft.ru/article/chto-takoe-likvidnyi-steiking-v-kriptovaliute
8. https://www.cbr.ru/Collection/Collection/File/55239/ar_2024.pdf
9. https://esg-library.mgimo.ru/upload/iblock/93a/aigrx13wiikog62ux0iklpim58wvzwd4/esgintegrationinrussiamarketspracticesanddata_rus1_ibt_clean…_921024.pdf
10. http://www.cbr.ru/s/2634

1. https://www.block-chain24.com/news/novosti-bezopasnosti/meta-pool-podvergsya-eksploitu-na-27-mln-no-zloumyshlennik-ukral-vsego-132
2. https://incrypted.com/meta-pool-overturned-attack-on-27-mln-after-losing-just-about-133-000/

1. https://incrypted.com/meta-pool-overturned-attack-on-27-mln-after-losing-just-about-133-000/
2. https://podpiska.pochta.ru/storage/public/16f4168f-2e23-4005-92df-c575435f95b1/%D0%9F%D0%98463_%D0%97%D0%B0%D1%89%D0%B8%D1%82%D0%B0%20%D0%B8%D0%BD%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%86%D0%B8%D0%B8.%20%D0%98%D0%BD%D1%81%D0%B0%D0%B9%D0%B4.pdf
3. https://pureportal.spbu.ru/files/131494241/Gurnalistika_2024.pdf
4. https://repository.rudn.ru/en/recordsources/downloadfile/f5a3c1c9-cf65-e911-ab47-00155d61bea3/
5. https://www.socio.msu.ru/documents/sorokinsbornik2022.pdf
6. https://www.nsu.ru/n/physics-department/uchebno-metodicheskie-posobiya/%D0%9F%D1%80%D0%BE%D0%B1%D0%BB%D0%B5%D0%BC%D1%8B%20%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D0%B8%20%D0%B2%20%D 0%B8%D0%BD%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%86%D0%B8%D0%BE%D0%BD%D0%BD%D1%8B%D1%85%20%D1%82%D0%B5%D1%85% D0%BD%D0%BE%D0%BB%D0%BE%D0%B3%D0%B8%D1%8F%D1%85%201/Problemy_bezopasnosti_Dubrov_S_V_FF_NGU_2012_259s.pdf
7. http://visa.polpred.com/news/?ns=1§or=3&person_id=all&page=93
8. http://www.prk.kuzstu.ru/labs/sborniki-i-publikatsii/2024/%D0%A1%D0%B1%D0%BE%D1%80%D0%BD%D0%B8%D0%BA%20%D1%82%D1%80%D1%83%D0%B4%D0%BE%D0%B2%20%D0%9C%D0%B5%D0%B6%D0%B4%D1%83%D0%BD%D0%B0%D1%80%D0%BE%D0%B4 %D0%BD%D0%BE%D0%B9%20%D0%BD%D0%B0%D1%83%D1%87%D0%BD%D0%BE-%D0%BF%D1%80%D0%B0%D0%BA%D1%82%D0%B8%D1%87% D0%B5%D1%81%D0%BA%D0%BE%D0%B9%20%D0%BA%D0%BE%D0%BD%D1%84%D0%B5%D1%80%D0%B5%D0%BD%D1%86%D0%B8%D0%B8.pdf
9. https://polpred.ru/?ns=1&cnt=165&page=222
10. http://vestnik.buimvd.ru/nauka/urvest/1_33_21.pdf

1. https://www.block-chain24.com/news/novosti-bezopasnosti/meta-pool-podvergsya-eksploitu-na-27-mln-no-zloumyshlennik-ukral-vsego-132
2. https://spb.ranepa.ru/wp-content/uploads/2024/01/n-trud_2023_t14_v4.pdf
3. https://incrypted.com/meta-pool-overturned-attack-on-27-mln-after-losing-just-about-133-000/
4. https://publications.hse.ru/pubs/share/direct/559521978.pdf
5. https://www.coindesk.com/ru/business/2025/06/17/liquid-staking-protocol-meta-pool-suffers-usd27m-exploit
6. https://medialing.spbu.ru/upload/files/file_1673366253_0978.pdf
7. https://phemex.com/ru/news/article/hackers-steal-27-million-in-mpeth-from-meta-pool_10475
8. https://moodle.herzen.spb.ru/mod/resource/view.php?id=928217
9. https://www.moneytimes.ru/news/critical-vulnerability-exploit/65261/
10. https://korea.polpred.com/news/?sector=15&kw=113&person_id=all&page=130