An exploit on the Ethereum-based staking protocol Meta Pool on Tuesday could have resulted in a $27 million heist, but the attacker walked away with only $132,000 worth of Ether (ETH), thanks to low liquidity and swift action by the protocol’s team. According to a blog post by Meta Pool, the attacker exploited the “fast unstake functionality” to mint 9,705 mpETH tokens — the platform’s liquid staking token — valued at nearly $27 million. However, due to limited liquidity in the swap pools and Meta Pool’s prompt contract pause, the hacker managed to convert only a fraction of the minted tokens into 52.5 ETH, worth just over $132,000. Meta Pool’s early detection systems flagged the suspicious activity, allowing the team to freeze the exploited smart contract and prevent further loss. Co-founder Claudio Cossio stated on X that the fast unstaking feature, which skips the standard waiting period after unstaking, was key to the exploit. This mechanism can offer users faster access to funds but can pose security risks if not carefully implemented. Bug in Mint Function Blockchain security firm PeckShield confirmed that the vulnerability stemmed from a critical bug in the staking contract’s ERC4626 mint() function. This flaw enabled the attacker to mint mpETH tokens without any cost. However, because mpETH is a relatively illiquid token, the hacker’s ability to convert the tokens into ETH was significantly hindered. The attacker primarily targeted liquidity pools on Ethereum mainnet and Optimism, draining 52.5 ETH in total. One of the affected pools on Optimism had particularly low volume and liquidity, which helped contain the damage. In its statement, Meta Pool reassured users that all staked Ethereum remains secure, as it is delegated through the SSV Network and continues to accrue staking rewards. The team has paused the affected mpETH contract and plans to publish a full post-mortem within the next 48 hours, along with a recovery plan. Exploit Cases Rise Across Crypto Platforms Meta Pool joins a growing list of DeFi platforms exploit cases this month. On June 6, Bitcoin-based DeFi platform Alex Protocol lost $8.3 million due to a self-listing flaw, while Taiwan-based exchange BitoPro reported a $11.5 million hot wallet breach from May 8. Despite the failed theft attempt, the Meta Pool incident underscores the growing need for rigorous security auditing in DeFi platforms , especially as protocols race to offer faster user functionality without compromising safety. The post Meta Pool Faces Exploit But Hacker Escapes With Only $132K appeared first on TheCoinrise.com .
