Explore how $27M worth of freely minted mpETH in the Meta Pool hack resulted in only ~$130K in actual losses. A deep dive into the exploit and its aftermath.
Meta Pool, an LST provider on multiple blockchains including Near, Ethereum and Solana, was exploited on June 17th, 2025, leading to a loss of ~$130k on Ethereum.
The attack happened in two transactions: the first was executed by a frontrunner who front-ran the attacker, and the second by the attacker themselves. This analysis covers how the hack happened, the attack flow, and the funds lost.
Meta Pool was hit in two transactions. The first drained about 37.51 WETH and the second about 15 ETH, for a total loss of roughly 52.5 ETH (~$130k). The first transaction was front-run by the frontrunner Yoink (which appears to have been a white-hat attempt), and the second minted 9702 mpETH (~$27M). Because the liquidity in the pool was low, the impact of the attack was contained and did not lead to major losses of user funds; most of the liquidity in this pool had been provided by the DAO.
The root cause of both transactions is a flaw in the protocol's mint function that allowed the attacker to mint a huge amount of mpETH. In a liquid staking protocol, the staking token should only be minted when the user actually deposits the underlying asset, such as ETH or WETH.
The protocol inherits the ERC-4626 tokenized vault contract but does not override the mint function properly: there was no access control on it and no check that assets were actually received, so anyone could mint mpETH without depositing ETH first. The only check the function makes is that the requested number of shares is ≤ maxMint(receiver).
In the reference ERC-4626 implementation, deposit and mint are public by design, and the protocol failed to adapt them to its own requirements. Note how the public deposit and mint functions below never validate that the assets input is actually paid:
(Screenshot: mint function in the contract)
(Screenshot: deposit function in the contract)
The internal function _deposit shown above, which is called by both deposit and mint, likewise never transfers or validates the assets.
It is important to note that ERC-4626 is an interface standard: it does not by itself guarantee that assets are pulled from the user, so it is up to the protocol to implement and verify the asset transfer in its deposit path. We have also written a dedicated guide to this ERC, since it is being adopted by many protocols. Check it out here.
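To make the flaw concrete, here is an added example written for this writeup (it is not Meta Pool's code and not QuillShield's output): a minimal ERC-4626-style vault whose `_deposit` only updates accounting, next to a hardened version that pulls the asset and verifies it arrived before minting shares. The contract names, the bare-mapping share accounting, the `FreeMint` caller and the WETH-style `IERC20` interface are assumptions for illustration; the 9702 figure in the attack sketch is the mint amount reported above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 interface for the underlying asset (WETH-style, returns bool).
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

/// Shared ERC-4626-style surface. Shares live in a bare mapping so the example
/// stays self-contained; a real vault would inherit an ERC-20 share token.
abstract contract VaultBase {
    IERC20 public immutable asset;
    uint256 public totalAssets;               // assets the vault believes it holds
    uint256 public totalSupply;               // outstanding shares
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _asset) { asset = _asset; }

    // Shares -> assets, rounded up (favours the vault).
    function previewMint(uint256 shares) public view returns (uint256) {
        if (totalSupply == 0 || totalAssets == 0) return shares;
        return (shares * totalAssets + totalSupply - 1) / totalSupply;
    }
    // Assets -> shares, rounded down (favours the vault).
    function previewDeposit(uint256 assets) public view returns (uint256) {
        if (totalSupply == 0 || totalAssets == 0) return assets;
        return assets * totalSupply / totalAssets;
    }
    function maxMint(address) public pure returns (uint256) { return type(uint256).max; }

    // Public by design in ERC-4626; safety depends entirely on _deposit.
    function deposit(uint256 assets, address receiver) external returns (uint256 shares) {
        shares = previewDeposit(assets);
        _deposit(msg.sender, receiver, assets, shares);
    }
    function mint(uint256 shares, address receiver) external returns (uint256 assets) {
        require(shares <= maxMint(receiver), "exceeds maxMint"); // the only check
        assets = previewMint(shares);
        _deposit(msg.sender, receiver, assets, shares);
    }
    function _deposit(address caller, address receiver, uint256 assets, uint256 shares) internal virtual;
}

/// VULNERABLE pattern (as described in the writeup): _deposit records `assets`
/// and mints `shares` but never pulls anything from the caller.
contract VulnerableVault is VaultBase {
    constructor(IERC20 a) VaultBase(a) {}
    function _deposit(address, address receiver, uint256 assets, uint256 shares) internal override {
        totalAssets += assets;       // bookkeeping only; no transfer happened
        totalSupply += shares;
        balanceOf[receiver] += shares;
    }
}

/// HARDENED pattern: pull the assets first, verify the vault's real balance
/// grew by at least `assets`, and only then mint the shares.
contract HardenedVault is VaultBase {
    constructor(IERC20 a) VaultBase(a) {}
    function _deposit(address caller, address receiver, uint256 assets, uint256 shares) internal override {
        require(assets > 0 && shares > 0, "zero amount");
        uint256 before = asset.balanceOf(address(this));
        // Production code should use SafeERC20 to cover non-bool-returning tokens.
        require(asset.transferFrom(caller, address(this), assets), "transferFrom failed");
        require(asset.balanceOf(address(this)) - before >= assets, "assets not received");
        totalAssets += assets;
        totalSupply += shares;
        balanceOf[receiver] += shares;
    }
}

/// Attack sketch against VulnerableVault: no approval, no asset transfer.
/// Against HardenedVault the same call reverts in transferFrom.
contract FreeMint {
    function run(VaultBase v, uint256 shares) external {
        v.mint(shares, msg.sender);   // e.g. 9702 ether of shares, paid for with nothing
    }
}
```

The hardened `_deposit` checks the balance delta rather than trusting the `assets` argument or the return value alone, so a token that silently under-delivers (fee-on-transfer, or a broken transferFrom) cannot mint shares it did not pay for. Restricting `mint` further (for example, only allowing the protocol's own payable deposit path to reach `_deposit`) is a second, independent layer.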
QuillShield, our product for testing smart contracts and catching bugs faster, flagged this issue when run against Meta Pool's ERC-4626 contracts:
Check out the full report from QuillShield here.
Implementing standards like ERC-4626 isn't enough on its own. Secure your protocol against logic flaws like Meta Pool's with an expert audit from QuillAudits.
Meta Pool mpETH token: 0x48AFbBd342F64EF8a9Ab1C143719b63C2AD81710
Yoink (Frontrunner): 0xFDe0d1575Ed8E06FBf36256bcdfA1F359281455A
Attack Transaction 1: https://etherscan.io/tx/0x4f43fc6d674e85f7d306debb4a3d48e7688c2fe5a6332dd9ad57558a15c86ef9
Attack Transaction 2: https://etherscan.io/tx/0x57ee419a001d85085478d04dd2a73daa91175b1d7c11d8a8fb5622c56fd1fa69
Attacker Address: 0x48f1d0F5831Eb6e544f8cBDe777b527b87a1BE98 (still holds 4144 mpETH tokens)
Attacker Address 2: 0x45DD46C45FE6681168927A261842ABb55a8B910a
The attack went through two pools: the mpETH ↔ WETH pool (0xCf0e3aB3BC3b4a64f2d169DecEA24bC17B038278) and the unstake pool on Ethereum (0xdF261F967E87B2aa44e18a22f4aCE5d7f74f03Cc).
All of the attacker's proceeds were sent to their second wallet, 0x45DD46C45FE6681168927A261842ABb55a8B910a, which currently holds ~15 ETH.
The funds Yoink extracted are held in its contract at 0x80BF7Db69556D9521c03461978B8fC731DBBD4e4.
This hack could easily have been avoided had the team hardened the mint function. It was left public with no access control and no validation that assets were received, which led directly to this loss.
When building on standards like ERC-4626 tokenized vaults, validate the incoming assets (or the shares being minted) against what was actually transferred to the vault.
Meta Pool, an LST platform, was exploited for 52.5 ETH because of a flaw in its mint function: it did not validate that assets were deposited, letting anyone mint mpETH arbitrarily.
At QuillAudits, we follow a multi-layered auditing process backed by years of experience auditing projects. We audit code that is built to last.
Office 104/105 Level 1, Emaar Square, Building 4 Sheikh Mohammed Bin Rashid Boulevard, Downtown Dubai, United Arab Emirates, P.O. Box 416654
All Rights Reserved. © 2025. QuillAudits - LLC