Map Protocol Token Plummets Amid Massive Exploit

Key Takeaways

A vulnerability in the Butter Network cross-chain bridge allowed an attacker to mint a quadrillion MAPO tokens, destroying the token’s value.

The unauthorized minting significantly inflated the supply, causing a 96% price drop in just a few hours.

The Map Protocol team has paused its network and is planning a migration to a new contract to recover from the breach.

Technical Failure Leads to Massive Inflation

A security breach involving the Butter Network cross-chain bridge resulted in a near-total loss of value for the MAPO token. The attacker successfully executed a malicious contract deployment that tricked the bridge into validating fake transaction data.

🚨 Community alert@MapProtocol / @ButterNetworkio bridge exploited on Ethereum and Bsc.

Attacker tricked Butter Bridge V3.1 (OmniServiceProxy) into minting ~1 quadrillion MAPO — about 4.8M× the legitimate ~208M supply — directly to a brand-new EOA.

More details in🧵

— Blockaid (@blockaid_) May 20, 2026

This allowed the attacker to mint a quadrillion tokens, a volume thousands of times greater than the intended total supply. This massive influx of tokens flooded decentralized exchanges, enabling the attacker to drain liquidity pools of ETH before the project could take evasive action. The incident has left the token trading at a tiny fraction of its original price.

Root cause via @blockaid: abi.encodePacked collision across dynamic-bytes fields in the bridge retry path.

Scope:
✓ Light client verification: unaffected
✓ Oracle multisig: not compromised
✓ MAPO token contract: unaffected

Bug sits at the Solidity contract layer.… https://t.co/PfJZmmnu8n

— MAP Protocol (@MapProtocol) May 20, 2026

Security Measures and Network Recovery

MAP Protocol has suspended the conversion service between MAPO tokens on the original ERC20 contract address 0x66d79b8f60ec93bfce0b56f5ac14a2714e509a99 across the BSC and Ethereum networks and MAPO on the MAP Protocol mainnet. All relevant exchanges have also been notified to…

— MAP Protocol (@MapProtocol) May 21, 2026

In response, the project leadership has paused all mainnet activity to investigate the Solidity contract vulnerability that enabled the exploit. The team clarified that while the liquidity pools were drained, they are working on a recovery plan that involves a token snapshot and a transition to a brand-new contract address.

🔎 Suspected root cause – TL;DR

The bridge authenticates cross-chain message retries with keccak256(abi.encodePacked(…)) over four consecutive dynamic-bytes fields (initiator, from, to, swapData). abi.encodePacked has no length prefixes, so the field boundaries aren’t encoded… https://t.co/7Gzs480OOX

— Blockaid (@blockaid_) May 20, 2026

Any tokens currently held in the hacker’s possession will be excluded from the new asset distribution. This attack joins a growing list of bridge compromises in May, highlighting a critical need for more robust validation processes in cross-chain communication.

On May, 11th a security incident affected TON-TAC asset bridge. Over the past few days, TAC team has been engaged in post incident efforts, which, four days after, have resulted in the return of approximately 80% of the affected assets.

Today, we are publishing the official…

— TAC (🫰,✨️) (@TacBuild) May 20, 2026

Final Thoughts

The Map Protocol incident serves as a critical warning regarding the complexity of cross-chain bridges. Standard Solidity practices must be bolstered to prevent these types of catastrophic minting vulnerabilities.

Frequently Asked Questions

How did the attacker mint so many tokens?
They exploited a validation flaw in the cross-chain bridge to create fake transaction hashes.

What is the current status of MAPO?
The protocol has paused the mainnet, and the team is preparing a migration to a new token contract.

Are user funds safe?
Most liquidity was drained from pools during the attack, but the team aims to invalidate the hacker’s supply in the upcoming migration.

Source link