A hacker has managed to make off with only around $132,000 from their recent attack on the crypto protocol Meta Pool. This was after they created $27 million worth of tokens that they could have potentially stolen from the liquidity staking platform. The large-scale attack was ultimately foiled by a combination of low liquidity and a swift pause on the exploited smart contract. The attacker was able to mint 9,705 of the liquid staking protocol’s mpETH token, worth nearly $27 million in total value. However, they only managed to steal around 52.5 Ether, worth just over $132,000 from the protocol’s liquidity swap pools.
In a post on the X platform on Tuesday, Meta Pool co-founder Claudio Cossio said the hacker exploited a “fast unstake functionality.”
This exploit allowed them to freely mint thousands of the mpETH tokens without providing the required underlying collateral for the transaction. Generally, after unstaking crypto, there is a waiting period before it becomes transferable, which provides some level of security. However, with the fast unstaking feature, this waiting period is voided, provided that certain specific conditions have been met. The blockchain security firm PeckShield posted that the staking contract contained a “critical bug,” which allowed the hacker to mint mpETH for free.
After successfully minting the mpETH tokens, the exploiter then used most of it to drain the various swap pools of 52.5 ETH.
This action affected several different Ethereum mainnet and also some of the Optimism network pools that were providing liquidity for the token. The Meta Pool team has said that an affected Optimism pool had “low liquidity and volume,” making it harder for the attack. They also stated that their “early detection systems” helped their team to quickly pause the affected smart contract, preventing further unauthorized activity. They assured users “all the Ethereum staked is safe” and delegated in the SSV Network operators, where it is accruing rewards.
A full post-mortem of this security incident is expected to be released in the next two days, along with a detailed recovery plan. In the meantime, the affected mpETH smart contract will remain paused while the official investigation into the exploit continues its work. Meta Pool has also promised to fully “reimburse the assets lost by this incident” and to ensure all affected users are “made whole.” This specific exploit adds to a growing list of cryptocurrency hacks that continue to trouble the entire digital asset and DeFi industry. For instance, Alex Protocol suffered an exploit on June 6th, with $8.3 million in losses after a bad actor used a flaw.
Reference:
