Boom! Meta Pool Exploited: Hackers Mint $27M in Tokens, Drain $133K

Holy crypto heist, Batman! Liquidity staking protocol Meta Pool just got slammed with a contract exploit, leading to unauthorized token minting and a cool $133,000 in losses. The hackers struck fast, but Meta Pool fought back even faster.

Quick Thinking Saves the Day

According to a June 17 blog post, Meta Pool managed to contain the damage before it spiraled out of control. They caught the attack early, thanks to their "early detection systems" and a helping hand from blockchain security pros at Blocksec. These heroes helped Meta Pool pause the mpETH contract, putting a stop to any more unauthorized shenanigans.

The Meta Pool team pointed the finger at a vulnerability in the ERC4626 mint() function of their mpETH contract. Ouch!

Fast Unstaking: The Culprit?

In a separate X post, Meta Pool co-founder Claudio Cossio hinted that the attacker might have used the protocol's fast unstaking feature to skip the usual unbonding period and mint mpETH without dropping any collateral. Sneaky!

The attackers managed to mint a whopping 9,705 mpETH tokens, worth nearly $27 million. But here's the twist: due to low liquidity in the affected pools, they could only convert those tokens into 52.5 ETH, valued at about $133,000 at today's prices.

The stolen funds were siphoned from swap pools across the Ethereum mainnet and Layer 2 networks, including Optimism. The Uniswap pool alone coughed up 37.5 ETH in losses, and get this: most of that liquidity was provided by the Meta Pool DAO itself. Talk about a double whammy!

What's Next for Meta Pool?

Meta Pool promises a full post-mortem and recovery plan within 48 hours, and they've vowed to make affected users whole again. The good news? The 913 ETH initially staked through the mpETH contract is still safe and sound with SSV Network operators. Plus, Meta Pool's staking contracts on NEAR, Solana, Aurora, Internet Computer, Q, and Story are all still standing strong.

This exploit marks the second major DeFi attack this month. On June 6, Bitcoin-based platform Alex Protocol got hit with an $8.3 million breach after a vulnerability in its self-listing verification logic let an attacker drain multiple asset pools. Alex Protocol has since launched a Treasury Grant Program to reimburse affected users with a mix of original tokens and USDC.

The crypto world is on fire, and these attacks are a stark reminder to stay vigilant. Meta Pool, we're watching you!