Critical Bug Allows Unlimited Minting of mpETH Tokens
mpETH flaw allows free token creation — Meta Pool contract lacks minting controls, $27 million minted.
Security firm PeckShield found a critical vulnerability in Meta Pool's mpETH staking contract that allows any user to mint an unlimited number of tokens without providing any ETH as collateral. The flaw has already been exploited to create over $27 million worth of unbacked mpETH.
The vulnerability lies in the contract's mint function, which has no access controls. Any user can call this function repeatedly to generate new mpETH tokens from nothing because the contract lacks proper restrictions.
Normally, each mpETH token represents staked Ethereum held in the protocol. Users deposit ETH and receive tokens in return, maintaining a balanced ratio. Attackers could mint large amounts of mpETH and sell them on exchanges, crashing the token's price.
PeckShield's analysis found that someone already executed an unauthorized transaction to mint over 9,700 mpETH tokens, worth approximately $27 million at current prices. The attacker did not deposit any ETH but received the tokens anyway.
However, the attacker's ability to profit was severely limited by mpETH's low on-chain liquidity. Despite minting tokens worth millions, they were only able to extract approximately 10 ETH in profit before severe slippage made further swaps worthless. This highlights a gap between the theoretical value of the minted tokens and their actual exploitable value.
Also read: Crypto Exchange Hacks: The Methods Hackers Use and Self-Protection
Meta Pool launched mpETH on Ethereum about ten months ago. The protocol underwent security audits in mid-2023, but this new flaw went undetected. Users who stake ETH through Meta Pool earn rewards while keeping their tokens liquid for other activities.
Meta Pool didn’t respond to the disclosure or announce a timeline for a fix. The team also did not present any plans to compensate affected users. PeckShield warned users to avoid interacting with the mpETH contract until developers fix the vulnerability.
The incident highlights security risks in newer protocols and demonstrates why thorough smart contract auditing matters before protocols handle user funds.
Also read: What are smart contract audits and who conducts them?
The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content. Neither we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.
Articles by this author
