Well, butter my biscuit and call me a wizard, but it seems the MAPO token has taken a tumble so spectacular, even the Discworld’s Ankh-Morpork stock market would blush. The native token of Map Protocol has plummeted by a jaw-dropping 96% after some cheeky scoundrel exploited the Butter Network cross-chain bridge. Turns out, they didn’t just mint a few extra tokens-oh no-they conjured up a quadrillion unauthorized ones. That’s right, a quadrillion. Someone’s been reading too many spellbooks and not enough fine print.
- MAPO took a nosedive of 96% after the Butter Network bridge was tricked into minting more tokens than there are grains of sand in the Desert of Krull.
- Blockaid, the watchful gargoyle of blockchain security, reported the attacker swiped 52 ETH from Uniswap pools and is still sitting on nearly a trillion MAPO tokens. Talk about a hoard even a dragon would envy.
- TON-TAC, in a separate fiasco, has clawed back 80% of its $2.68 million heist, though it’s still paused for an audit. Because, you know, better safe than sorry-or bankrupt.
According to Blockaid, the attacker exploited a flaw in the bridge’s Solidity contract layer, minting a quadrillion MAPO tokens before dumping a billion of them into Uniswap like a troll tossing rocks into a well.
🚨 Community alert@MapProtocol / @ButterNetworkio bridge exploited on Ethereum and Bsc.
Attacker tricked Butter Bridge V3.1 (OmniServiceProxy) into minting ~1 quadrillion MAPO – about 4.8M× the legitimate ~208M supply – directly to a brand-new EOA.
More details in🧵
– Blockaid (@blockaid_) May 20, 2026
The dump drained 52 ETH, or roughly $180,000, leaving the attacker with a trillion MAPO tokens still in their grubby mitts. That’s enough to threaten liquidity pools and exchanges like a band of thieves at a market fair.
CoinGecko data showed MAPO tumbling from $0.003 to nearly $0.0001 faster than a wizard falling off a broomstick. The exploit overwhelmed the token’s legitimate supply, proving once again that magic (or code) can be a fickle mistress.
Map Protocol later confirmed the issue was in the Solidity contract, not compromised keys or light client failures. They’ve paused the mainnet and started a migration process, though the investigation is still ongoing. Because, of course, no good deed goes unpunished-or unexploited.
In a follow-up, the team promised a new contract address and asset snapshot timeline. Tokens linked to the attacker will be excluded from future conversions and invalidated during migration. So, no second chances for the token-thieving scoundrel.
Root cause via @blockaid: abi.encodePacked collision across dynamic-bytes fields in the bridge retry path.
Scope:
✓ Light client verification: unaffected
✓ Oracle multisig: not compromised
✓ MAPO token contract: unaffectedBug sits at the Solidity contract layer.…
– MAP Protocol (@MapProtocol) May 20, 2026
A Forged Retry Message and a Minting Spree
Blockaid’s analysis revealed the attacker first submitted a legitimate oracle multisig-signed message before deploying a malicious contract. They then resent a manipulated “retry” message, tricking the bridge into minting unauthorized tokens. Classic Solidity shenanigans, really.
The exploit wasn’t about stolen keys or broken cryptography-just a “classic Solidity vulnerability involving multiple dynamic fields.” Because, as we all know, the devil’s in the details… and the code.
🔎 Suspected root cause – TL;DR
The bridge authenticates cross-chain message retries with keccak256(abi.encodePacked(…)) over four consecutive dynamic-bytes fields (initiator, from, to, swapData). abi.encodePacked has no length prefixes, so the field boundaries aren’t encoded…
– Blockaid (@blockaid_) May 20, 2026
Cross-chain bridge exploits have been popping up like weeds in a poorly tended garden. Earlier, the Verus Protocol Ethereum bridge lost $11.5 million to forged transfer instructions. Blockaid compared it to the 2022 Nomad Bridge and Wormhole exploits, where fake payloads tricked protocols into releasing funds. ExVul and GoPlus Security chimed in, blaming validation failures and access control weaknesses. It’s like everyone forgot to lock their doors.
TON-TAC Recovers 80% of Stolen Assets
Meanwhile, TON-TAC, a bridge for The Open Network, published a post-mortem on its $2.68 million exploit from May 11. The culprit? Missing validation checks in the sequencer software, allowing a counterfeit TON wallet to mint unauthorized tokens. They’ve recovered 80% of the assets, but the bridge remains paused for an audit. Better late than never, I suppose.
Map Protocol, for the uninitiated, is an omnichain network connecting Bitcoin with Ethereum, BNB Chain, Tron, and Solana. It’s like a magical portal for cross-chain asset transfers-when it’s not being exploited, that is.
Attacks on interoperability infrastructure have been on the rise, with protocols like THORChain, Transit Finance, and RetoSwap also reporting incidents. It’s enough to make a wizard consider retiring to a quiet cottage in the Ramtops.
Read More
- Total Football free codes and how to redeem them (March 2026)
- Farming Simulator 26 arrives May 19, 2026 with immersive farming and new challenges on mobile and Switch
- First Look at Bad Bunny’s Exclusive Zara x Benito Antonio Collection
- Last Furry: Survival redeem codes and how to use them (April 2026)
- Clash of Clans May 2026: List of Weekly Events, Challenges, and Rewards
- PUBG Mobile x Harley-Davidson Partnership to introduce new Motor Cruise event with rewards and Skins
- Honor of Kings x Attack on Titan Collab Skins: All Skins, Price, and Availability
- Honor of Kings April 2026 Free Skins Event: How to Get Legend and Rare Skins for Free
- ALLfiring Companion Tier List
- Clash of Clans “Clash vs Skeleton” Event for May 2026: Details, How to Progress, Rewards and more
2026-05-21 11:04