According to the platform’s statement, a vulnerability in the “fast unstake” functionality—designed to allow users to withdraw staking assets instantly without the usual waiting period—enabled the attacker to illegitimately mint millions in mpETH tokens. Meta Pool’s early-warning systems promptly flagged the attack, leading the team to suspend the compromised smart contract and prevent further unauthorized activity.

Co-founder Claudio Cossio explained: “The hacker exploited the fast withdrawal feature to mint thousands of mpETH tokens for free. However, our response time and the generally low liquidity of our pools greatly limited the attack’s success.”

Blockchain security firm PeckShield confirmed the incident, highlighting the critical bug in the staking smart contract. After minting the tokens, the hacker attempted to swap them for Ethereum using liquidity pools on both Ethereum and Optimism, but managed to exit with only 52.5 ETH due to the shallow liquidity available.

Meta Pool emphasized that all staked ETH remains secure and continues to be delegated to SSV Network operators for block validation and rewards generation. The team has committed to reimbursing all users affected by the incident.

Meta Pool mitigates $27M hack, limiting losses and ensuring user compensation

This incident is part of a broader wave of attacks targeting DeFi protocols in 2025. Earlier, Taiwan-based exchange BitoPro confirmed a loss of over $11.5 million following a hot wallet breach on May 8. On June 6, Alex Protocol on Stacks blockchain suffered an $8.3 million exploit due to a flaw in its self-listing asset mechanism.