Meta Pool, a multi-chain liquid staking protocol, suffered a significant smart contract exploit that allowed an attacker to mint approximately $27 million worth of its liquid staking token, mpETH. However, due to low liquidity within the protocol's swap pools and prompt action from its team, the hacker was only able to steal about 52.5 ETH (roughly $132,000).
The exploit targeted a critical bug in the staking contract's ERC4626 mint() function, enabling unauthorized token minting. The attacker exploited a "fast unstake" functionality, bypassing the usual transfer waiting period associated with unstaking. After minting thousands of mpETH tokens, the attacker drained swap pools on Ethereum mainnet and Optimism, although low liquidity limited their gains.
Meta Pool's early detection systems enabled a quick pause of the affected smart contract, preventing additional unauthorized activity or losses. The team confirmed that all Ethereum staked through the protocol remains safe with validators on the SSV Network. A full post-mortem and recovery plan are expected imminently, and Meta Pool has committed to reimbursing affected users.
This incident is part of a broader wave of DeFi hacks in 2025, with other significant cases like a $8.3 million exploit on the Alex Protocol and a breach on Taiwan-based exchange BitoPro reported recently.