- Meta Pool’s Ethereum liquid staking service suffered a hack, losing 52.5 ETH ($132K) from liquidity pools on June 17.
- Attackers exploited a vulnerability in the mpETH token contract, creating 9,705 unauthorized tokens without depositing real ETH.
On June 17, 2025, Meta Pool, a platform offering liquid staking services on the Ethereum network, experienced a security breach. Attackers removed approximately 52.5 ether (ETH) from its liquidity exchange pools. This amount translates to roughly $132,000 based on current ETH valuations.
The Meta Pool development team acted to limit the damage. The breach revealed security weaknesses within the platform’s mpETH token contract. This token facilitates liquid staking on Ethereum. Consequently, Meta Pool has suspended the mpETH contract. Transfers are disabled while the investigation and necessary fixes proceed.
The attackers used the breach to create 9,705 mpETH tokens without authorization. These tokens represent staked ether held within the Meta Pool system.
Meta Pool’s initial report indicates the attackers manipulated the mint function. This function is part of the ERC-4626 protocol standard. ERC-4626 provides rules for how smart contracts handle deposited assets, common in liquid staking setups.
Normally, this function lets users deposit ether and receive tokens representing their stake. Users can then trade these tokens or use them elsewhere without unlocking their original ether. However, the problem became clear: the attackers generated mpETH tokens without depositing any real ether first. The function lacked sufficient protection against this unauthorized access.
Meta Pool, working with security firm Blocksec, contained the attack. The company confirmed that the core staked funds remain safe. These funds are delegated to operators on the SSV Network. These operators perform the actual work of validating Ethereum transactions and earning staking rewards for Meta Pool users. They were not compromised.
Furthermore, Meta Pool has stated clearly: “All users affected by this breach will be fully compensated. We will reimburse the assets lost in this incident.” This commitment addresses the direct financial loss suffered.
Finally, Meta Pool has promised transparency. The company will release a complete report within the next 48 hours. It will also outline the specific steps Meta Pool will take to prevent similar events in the future.
