A critical exploit tied to Map Protocol’s cross-chain infrastructure erased most of the value of its native token MAPO within hours, after an attacker minted an enormous volume of unauthorized tokens and injected them into public liquidity pools.
CoinGecko data shows the token fell from about $0.003 to nearly $0.0001 in a single trading window, a decline of roughly 96%. The drop followed what blockchain security firm Blockaid described as a supply shock that overwhelmed the token’s existing market structure.
🚨 Community alert@MapProtocol / @ButterNetworkio bridge exploited on Ethereum and Bsc.
— Blockaid (@blockaid_) May 20, 2026
Attacker tricked Butter Bridge V3.1 (OmniServiceProxy) into minting ~1 quadrillion MAPO — about 4.8M× the legitimate ~208M supply — directly to a brand-new EOA.
More details in🧵
The incident did not rely on stolen private keys or compromised custody systems. Instead, it exposed a flaw in the contract logic that governs cross-chain message validation.
Unauthorized mint overwhelms supply
Blockaid reported that the attacker created approximately one quadrillion MAPO tokens through the Butter Network bridge layer. That figure dwarfed the project’s legitimate circulating supply, which stood in the hundreds of millions.
The attacker then transferred roughly 1 billion of those tokens into Uniswap liquidity pools. The move extracted about 52 ETH from those pools, valued between roughly $110,000 and $180,000 based on price ranges cited across disclosures.
The scale of the mint left most of the newly created tokens without viable liquidity. Even so, the partial liquidation triggered immediate price collapse. CoinGecko data confirms that the token’s market value compressed within hours as buyers failed to absorb the sudden increase in supply.
Exploit traced to bridge retry logic
Technical analysis from Blockaid points to a vulnerability in the Solidity contract layer that handles retry messages in the bridge system. The exploit did not originate from failures in Map Protocol’s light client infrastructure or key management systems.
According to the firm, the attacker first submitted a legitimate oracle multisig-signed message. After that, a malicious contract appeared at a targeted address. The attacker then resent what appeared to be an identical retry message, but with a modified payload.
The bridge accepted the manipulated message as valid. That validation triggered the unauthorized mint and released the tokens into circulation.
Blockaid attributed the issue to an abi.encodePacked collision involving multiple dynamic byte fields. The flaw allowed a forged retry request to pass verification after a legitimate message had already been processed.
🔎 Suspected root cause - TL;DR
— Blockaid (@blockaid_) May 20, 2026
The bridge authenticates cross-chain message retries with keccak256(abi.encodePacked(...)) over four consecutive dynamic-bytes fields (initiator, from, to, swapData). abi.encodePacked has no length prefixes, so the field boundaries aren't encoded… https://t.co/7Gzs480OOX
Project response focuses on containment
Map Protocol confirmed that the vulnerability sits within the Solidity contract implementation. The team stated that the issue did not stem from compromised keys or a breakdown in its light client system.
Root cause via @blockaid: abi.encodePacked collision across dynamic-bytes fields in the bridge retry path.
— MAP Protocol (@MapProtocol) May 20, 2026
Scope:
✓ Light client verification: unaffected
✓ Oracle multisig: not compromised
✓ MAPO token contract: unaffected
Bug sits at the Solidity contract layer.… https://t.co/PfJZmmnu8n
The protocol paused its mainnet after the exploit and began a migration process. The team said a new contract address and asset snapshot timeline will follow in a separate announcement.
In its statement, the project outlined a key step for recovery.
“Any remaining tokens held by attacker-controlled addresses will be fully invalidated and will not be included in any future snapshot or conversion process.”
That approach aims to isolate the inflated supply introduced during the exploit. In cases where unauthorized mint occurs, containment depends on both technical fixes and supply reconciliation.
Remaining supply creates ongoing risk
A large portion of the minted tokens remains under attacker control. Estimates suggest that close to a trillion MAPO tokens still sit outside the initial Uniswap dump.
This overhang introduces continued uncertainty for any potential recovery. If those tokens reach tradable venues, they could place additional pressure on liquidity pools and secondary markets.
The initial extraction of 52 ETH appears modest compared with the broader damage. The incident shows how a relatively small direct gain can coincide with large-scale destruction of market value when token supply integrity breaks down.
Cross-chain bridges face renewed scrutiny
The exploit adds to a series of recent incidents that target cross-chain infrastructure. Map Protocol operates as an omnichain network that connects Bitcoin with ecosystems such as Ethereum, BNB Chain, Tron and Solana. That design increases utility but also expands the attack surface.
Bridge systems rely on message validation across chains. Each additional connection introduces complexity in how transactions are verified and executed. Failures in these layers can lead to outcomes that differ from traditional smart contract exploits.
Ethereum co-founder Vitalik Buterin warned in 2022 that cross-chain bridges carry structural security limitations compared with single-chain systems. The MAPO incident reflects those concerns through a contract-level flaw rather than a cryptographic failure.
Other recent cases reinforce the pattern. The Verus Protocol Ethereum bridge lost more than $11.5 million after an exploit tied to forged cross-chain transfer instructions. TON-TAC, a bridge linked to The Open Network, reported a $2.68 million exploit and later said it recovered about 80% of affected assets, though operations remain paused pending audit.
On May, 11th a security incident affected TON-TAC asset bridge. Over the past few days, TAC team has been engaged in post incident efforts, which, four days after, have resulted in the return of approximately 80% of the affected assets.
— TAC (🫰,✨️) (@TacBuild) May 20, 2026
Today, we are publishing the official…
Market impact extends beyond immediate losses
For MAPO holders, the collapse represents a near-total loss of market confidence. The token’s market capitalization fell below $1 million after the event, based on reported figures.
The incident highlights a specific risk tied to bridge-based token systems. Unauthorized mint events do not only remove funds; they distort circulating supply and undermine price formation.
Recovery now depends on execution of the migration plan, exclusion of attacker-linked balances, and restoration of trust in the protocol’s infrastructure. Until those steps conclude, the presence of excess tokens remains a ceiling on price stability.
Kristian Koch
Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that, despite the nature of much of the material created and hosted on this website, HODL FM operates as a media and informational platform, not a provider of financial advisory services. The opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice, HODL FM strongly recommends contacting a qualified industry professional.
