On June 17, 2025, Meta Pool was exploited through a vulnerability in the mpETH contract on the Ethereum network, resulting in the loss of approximately 56.35 ETH from our liquidity pools. Let's take a closer look at how the attack was carried out.

Original Attacker : https://etherscan.io/address/0x48f1d0f5831eb6e544f8cbde777b527b87a1be98

Vulnerable Contract : https://etherscan.io/address/0x3747484567119592ff6841df399cf679955a111a

Attack Tx : https://etherscan.io/tx/0x57ee419a001d85085478d04dd2a73daa91175b1d7c11d8a8fb5622c56fd1fa69

https://etherscan.io/tx/0x4858abc51876e1de9f506f34799d4f1852b4255f467b9e1f40951c631ddfa747

https://etherscan.io/tx/0x691c8070749f00a5a5be3135d3912ff97d0dad05a0fb2b77b235aaa13260f002

https://etherscan.io/tx/0x4f43fc6d674e85f7d306debb4a3d48e7688c2fe5a6332dd9ad57558a15c86ef9

Attack flow

Meta Pool enables users to stake ETH or WETH and receive mpETH tokens in return. Users can either redeem their mpETH instantly or opt for delayed redemption. Additionally, they can provide ETH or WETH as liquidity to facilitate instant redemptions.

The Staking contract inherits from ERC4626, handling staking operations, mpETH issuance, and redemption requests. The LiquidUnstakePool facilitates instant mpETH-to-ETH swaps with a fee and accepts ETH/WETH liquidity, which it either converts gradually to mpETH or uses to create new validators. The Withdrawal contract oversees delayed redemptions, distributing ETH after a single epoch (approximately one week).

However, a critical security vulnerability has been identified in Meta Pool. The Staking contract, which inherits from ERC4626, contains a public minting function that directly calls the internal _deposit() method.

The _deposit() function handles the process of accepting ETH (or WETH) deposits and issuing mpETH shares in return. It first checks that the deposit amount meets the minimum requirement. Then, it attempts to fulfill part of the requested shares by swapping ETH for mpETH from the internal liquidity pool (_getmpETHFromPool). Any remaining shares are minted directly if needed.

The vulnerability happens because the protocol did not override or restrict the minting function. Because mint() internally calls _deposit() without verifying an ETH value transfer, a malicious actor was able to mint arbitrary amounts of mpETH without supplying ETH. In addition, if there is any mpETH in the pool, the contract will attempt to swap attached ETH for mpETH.

However, since mint() is not payable and the contract does not hold ETH , such a swap would fail. The attacker can empty the pool in advance to ensure the swap is skipped during minting.

The attacker first used flash loan and deposited a certain amount of ETH using the depositETH() function. This action was designed to drain all available mpETH from the internal liquidity pool (liquidUnstakePool), effectively emptying it. By doing so, the attacker ensured that the _getmpETHFromPool mechanism would be bypassed during subsequent calls to the mint() function.

The attacker then directly called the mint() function, minting a large amount of mpETH without providing any ETH. This exploitation was possible because the inherited ERC4626 mint() function lacked proper overrides or restrictions.

Finally, the attacker swapped a portion of the minted mpETH for ETH, repaid the flash loan,...

Conclusion

The exploit was made possible due to the missing override or access control on the inherited ERC4626 mint() function. This oversight allowed the attacker to directly call mint() and receive a large amount of mpETH without providing any ETH. Because mint() internally called _deposit() without any transfer checking, the attacker bypassed validation logic and asset checks. Without proper restrictions or overriding of inherited functions, the contract exposed a critical vulnerability, ultimately leading to unauthorized minting and financial loss. This highlights the importance of carefully reviewing inherited behavior and enforcing strict access controls on sensitive functions in upgradeable or extensible smart contract systems.