Meta Pool, a DeFi protocol operating on Ethereum network, has fallen victim to a security breach resulting in an estimated loss of $130,000. The attack, detected early on June 17, 2025, involved the exploitation of a vulnerability in the ‘mint()’ function of the mpETH pool, allowing the attacker to mint mpETH tokens without depositing any actual ETH as collateral.
How the Attack Unfolded
Blockchain monitoring systems (Cyvers Alert in this case) first noticed a suspicious transaction involving the Meta Pool smart contract. Analysis revealed that the attacker used the flawed ‘mint()’ function to generate a large amount of $mpETH tokens out of thin air.
It was then noticed that these mpETH tokens were then rapidly swapped for real ETH on decentralized exchanges. This allowed the attacker to extract value directly from the reserves of the protocol.
Other than Cyvers Alerts, other security firms such as TenArmor also confirmed the details of the exploit and provided the estimated loss.
Notably, the attack also attracted the attention of MEV frontrunner Yoink, further compounding the losses. The total impact is currently estimated at $130,000, though $47,000 before the full scope was understood.
Broader implications
This incident is yet another reminder of the lingering weak spots in DeFi protocols, particularly when it comes to how tokens are minted and collateral is managed.
What happened with Meta Pool is not entirely new. There have been similar exploits like the ones seen in the Four.Meme and Rari Capital cases. In both instances, flawed smart contracts paved the way for attackers to drain six-and seven figures sums, indicating just how costly these vulnerabilities can be.
No Official Statement from Meta Pool
So far, the Meta Pool team has not released any official details about what exactly went wrong, nor have they shared any clear plans regarding the next steps, compensation, or how they will fix the entire issue.
The silence might end up pushing the team- or even the broader DeFi community towards a deeper audit of Meta pool’s smart contracts.
The breach has also reignited concerns around DeFi security. With user funds at risk, the incident could attract more attention from the regulators and force projects to rethink how they are securing their platforms.
What’s Next?
As the stolen $mpETH gets gradually swapped for ETH, blockchain investigators and security teams are keeping a close eye on where the funds are going in hopes of minimizing damage. This whole episode really drives home the need for strong security fundamentals in DeFi, comprehensive audits, live monitoring and well-tested code are not operational, they are essential.
For now, anyone using Meta Pool should stay tuned to official updates and tread carefully until there’s more transparency around the situation.
Also Read: South Korea Acquits Haru Invest CEO, Lee Hyung-Soo of Fraud Charges
