A hacker has managed to make off with solely round $132,000 from their assault on the crypto protocol Meta Pool, which created $27 million value of tokens they may have stolen. The assault was foiled by low liquidity and a pause on the exploited good contract.
The attacker was in a position to mint 9,705 of the liquid staking protocol’s token mpETH value practically $27 million, however solely managed to steal round 52.5 Ether (ETH), value simply over $132,000 from the liquidity swap swimming pools, Meta Pool mentioned in a weblog post on Tuesday.
It added that a number of the affected swimming pools had low liquidity and volumes, making it tougher for the assault to be carried out, and its “early detection techniques” helped its crew shortly pause the affected contract, stopping “additional unauthorized exercise or further losses.”
Hacker exploited “quick unstake” operate
In an X post on Tuesday, Meta Pool co-founder Claudio Cossio mentioned the hacker exploited a “quick unstake performance,” permitting them to mint 1000’s of mpETH tokens.
Usually, after unstaking crypto, there’s a ready interval earlier than it turns into transferable; nevertheless, with quick unstaking, also called flash unstaking, the ready interval is voided, supplied particular circumstances are met.
Blockchain safety agency PeckShield posted to X that the staking contract had a “important bug,” which allowed the hacker to mint mpETH at no cost, however the “low liquidity of mpETH restricted the revenue.”
The Meta Pool crew mentioned that the assault “concerned the unauthorized minting of tokens via the ERC4626 mint() operate.”
Exploiter drains swap swimming pools
After minting the mpETH, the exploiter used most of it to empty the swap swimming pools of 52.5 ETH, affecting a number of Ethereum mainnet and Optimism swimming pools.
The Meta Pool crew mentioned, nevertheless, that an affected Optimism pool had “low liquidity and quantity.”
“It must be cleared that each one the Ethereum staked is secure, delegated within the SSV Community operators which is validating blocks and accruing staking rewards on the Ethereum mainnet,” the Meta Pool crew mentioned.
A full autopsy of the incident is predicted within the subsequent two days, together with a restoration plan, in line with the Meta Pool crew. Within the meantime, the affected mpETH contract will stay paused whereas the investigation continues.
Associated: $2.1B crypto stolen in 2025 as hackers shift focus from code to users: CertiK
Meta Pool promised to “reimburse the belongings misplaced by this incident” and guarantee customers are “made complete.”
Crypto protocols hit with exploits
Alex Protocol, a Bitcoin decentralized finance platform on the Stacks blockchain, suffered an exploit on June 6, with $8.3 million in losses after a nasty actor used a flaw within the self-listing verification logic to empty liquidity from a number of asset swimming pools.
In the meantime, Taiwan-based crypto alternate BitoPro confirmed on June 2 {that a} security breach led to the loss of greater than $11.5 million in belongings from its scorching wallets on Could 8.
Journal: China to ban owning Bitcoin? Gate.io to pay $30M over liquidations: Asia Express
