A hacker has managed to make off with only around $132,000 from their attack on the crypto protocol Meta Pool, which created $27 million worth of tokens they could have stolen. The attack was foiled by low liquidity and a pause on the exploited smart contract.

The attacker was able to mint 9,705 of the liquid staking protocol’s token mpETH worth nearly $27 million, but only managed to steal around 52.5 Ether (ETH), worth just over $132,000 from the liquidity swap pools, Meta Pool said in a blog post on Tuesday. 

It added that some of the affected pools had low liquidity and volumes, making it harder for the attack to be carried out, and its “early detection systems” helped its team quickly pause the affected contract, preventing “further unauthorized activity or additional losses.”

Hacker exploited “fast unstake” function

In an X post on Tuesday, Meta Pool co-founder Claudio Cossio said the hacker exploited a “fast unstake functionality,” allowing them to mint thousands of mpETH tokens.

Generally, after unstaking crypto, there is a waiting period before it becomes transferable; however, with fast unstaking, also known as flash unstaking, the waiting period is voided, provided specific conditions are met.

Blockchain security firm PeckShield posted to X that the staking contract had a “critical bug,” which allowed the hacker to mint mpETH for free, but the “low liquidity of mpETH limited the profit.”

The Meta Pool team said that the attack “involved the unauthorized minting of tokens through the ERC4626 mint() function.”

Exploiter drains swap pools 

After minting the mpETH, the exploiter used most of it to drain the swap pools of 52.5 ETH, affecting several Ethereum mainnet and Optimism pools. 

The Meta Pool team said, however, that an affected Optimism pool had “low liquidity and volume.”