On June 17, 2025, Meta Pool, a liquidity staking platform on the Ethereum network, suffered an exploit that resulted in the theft of approximately 52.5 ether (ETH) from its liquidity exchange pools (approximately $132,000).
The attack, detected by security researchers and documented by the Meta Pool development team, exposed vulnerabilities in the contract for its mpETH token, used to facilitate liquid staking on Ethereum. For now, the mpETH contract will be suspended “while the investigation and necessary mitigation measures are carried out.” This means that transfers are disabled.
The exploit involved the unauthorized creation of 9,705 mpETH tokens, an asset representing ether staked on the Meta Pool platform.
According to the company's preliminary report, the attack was carried out through the mint function of the ERC-4626 standard, a protocol that defines how smart contracts manage deposited assets, such as in the case of liquid staking.
This mechanism allows users to deposit ether into a contract and receive tokens representing their stake in return, which can be traded or used in other decentralized finance (DeFi) applications without having to withdraw the original funds.
In the case of Meta Pool, the mint function, which should be protected against unauthorized access, was manipulated to generate mpETH without depositing the corresponding ether.
The Meta Pool team, in collaboration with security firm Blocksec, managed to contain the attack and ensured that the staked funds, delegated to SSV Network operators, remain intact. These operators are responsible for validating blocks on the Ethereum mainnet, generating staking rewards that benefit the platform's users.
Additionally, the company stated that “all users affected by this exploit will be fully compensated, and we will refund any assets lost due to this incident.” Ultimately, Meta Pool has promised to publish a full report ( post-mortem ) within the next 48 hours, detailing the causes of the exploit and measures to prevent future incidents.
