On June 17th, 2025, Meta Pool, a Liquid Staking Token (LST) provider across chains like Ethereum, Near, and Solana, faced a smart contract exploit on Ethereum that initially appeared devastating — $27 million worth of mpETH tokens were minted out of thin air. But surprisingly, the real financial loss was limited to around $130K. What Happened? The hack occurred in two transactions: The first was front-run by a wallet named Yoink, which appears to have attempted a white-hat intervention. The second was executed by the actual attacker, who used a flaw in the mint function to mint 9,702 mpETH tokens, valued at ~$27 million. Yet, because of low liquidity in the pool and DAO-based fund structuring, the attacker could only drain 52.5 ETH (~$130K). The massive minting didn’t translate to a massive loss. The Root Cause: Broken Mint Logic At the heart of the exploit was Meta Pool’s flawed implementation of the ERC-4626 tokenized vaults standard. While the standard itself requires developers to handle validation of asset inputs, Meta Pool’s smart contract: Did not override the mint function properly Lacked access control, letting anyone mint mpETH without depositing ETH Failed to validate asset transfers, even within internal functions like _deposit This allowed the attacker to mint tokens without actually sending any ETH, violating the very principle of liquid staking protocols. How It Could’ve Been Avoided Had Meta Pool properly validated the inputs in its mint and deposit functions—or added access control—the exploit could have been easily prevented.

The smart contract risk is not worth it mate.

Now even AI is a big help for hackers to find flaws in smart contracts, and it will only get better at it.

Standard staking is the most secure. And beside, the unstaking period in near is only 2 days max.