How $27M in Stolen Tokens Led to Just $130K in Losses [The Meta Pool Hack]
On June 17th, 2025, Meta Pool, a Liquid Staking Token (LST) provider across chains like Ethereum, Near, and Solana, faced a smart contract exploit on Ethereum that initially appeared devastating — $27 million worth of mpETH tokens were minted out of thin air. But surprisingly, the real financial loss was limited to around $130K.
What Happened?
The hack occurred in two transactions:
- The first was front-run by a wallet named Yoink, which appears to have attempted a white-hat intervention.
- The second was executed by the actual attacker, who used a flaw in the `mint` function to mint 9,702 mpETH tokens, valued at ~$27 million.
Yet, because of low liquidity in the pool and DAO-based fund structuring, the attacker could only drain 52.5 ETH (~$130K). The massive minting didn’t translate to a massive loss.
The Root Cause: Broken Mint Logic
At the heart of the exploit was Meta Pool’s flawed implementation of the ERC-4626 tokenized vaults standard. While the standard itself requires developers to handle validation of asset inputs, Meta Pool’s smart contract:
- Did not override the `mint` function properly
- Lacked access control, letting anyone mint mpETH without depositing ETH
- Failed to validate asset transfers, even within internal functions like `_deposit`
This allowed the attacker to mint tokens without actually sending any ETH, violating the very principle of liquid staking protocols.
How It Could’ve Been Avoided
Had Meta Pool properly validated the inputs in its `mint` and `deposit` functions, or added access control, the exploit could have been easily prevented.
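The validation described above, as an added Solidity example that is not Meta Pool's contract or part of the original post: `mint` routes through a single `_deposit` that credits shares only after the vault's asset balance has grown by the amount owed. The contract name, the ERC-20 asset and the error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative vault only: names and layout are assumptions, not Meta Pool's code.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract CheckedMintVault {
    IERC20 public immutable asset;               // underlying token held by the vault
    uint256 public totalSupply;                  // vault shares in circulation
    mapping(address => uint256) public balanceOf;

    error ZeroAmount();
    error AssetsNotReceived(uint256 expected, uint256 received);

    constructor(IERC20 asset_) {
        asset = asset_;
    }

    function totalAssets() public view returns (uint256) {
        return asset.balanceOf(address(this));
    }

    // Assets owed for `shares`, rounded up in the vault's favour as ERC-4626 requires.
    function previewMint(uint256 shares) public view returns (uint256) {
        uint256 supply = totalSupply;
        if (supply == 0) return shares;          // first deposit: 1 share per asset unit
        return (shares * totalAssets() + supply - 1) / supply;
    }

    // Public entry point: prices the request, then goes through _deposit.
    function mint(uint256 shares, address receiver) external returns (uint256 assets) {
        assets = previewMint(shares);
        if (shares == 0 || assets == 0) revert ZeroAmount();
        _deposit(msg.sender, receiver, assets, shares);
    }

    // Single place where shares are created; it refuses to credit them unless
    // the vault's asset balance actually grew by the amount owed.
    function _deposit(address from, address receiver, uint256 assets, uint256 shares) internal {
        uint256 balanceBefore = asset.balanceOf(address(this));
        if (!asset.transferFrom(from, address(this), assets)) revert AssetsNotReceived(assets, 0);
        uint256 received = asset.balanceOf(address(this)) - balanceBefore;
        if (received < assets) revert AssetsNotReceived(assets, received);
        balanceOf[receiver] += shares;
        totalSupply += shares;
    }
}
```

Because every share-creating path ends in the same balance-delta check, an inherited or overridden entry point cannot credit shares when no assets arrived.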
Our in-house security tool, QuillShield, flagged this vulnerability during a test of Meta Pool’s ERC-4626 contracts. This reinforces the importance of automated testing tools in identifying such critical oversights before attackers do.
Want the Full Breakdown?
This is just a snapshot of what happened.
To explore the complete technical breakdown, attack flow, vulnerable contract code, involved wallet addresses, and fund movement, read our detailed blog on the Meta Pool hack.
A Reminder to Web3 Builders
Implementing token standards isn’t just plug-and-play. Smart contract developers must understand the risks tied to each function they inherit or expose. As adoption of standards like ERC-4626 grows, so does the need for in-depth validation and security auditing.