Map Protocol's MAPO Token Plunges 96% After Bridge Bug Enables 1 Quadrillion Unauthorized Mints

Map Protocol's native token, MAPO, tumbled about 96% after an attacker exploited a flaw in the Butter Network cross-chain bridge to mint a massive amount of unauthorized tokens. Blockchain security firm Blockaid said the attacker generated roughly 1 quadrillion MAPO—about 4.8 million times the legitimate supply of around 208 million—and then sold roughly 1 billion MAPO into Uniswap liquidity pools, sending the price sharply lower. Key figures - Unauthorized mint: ~1 quadrillion MAPO (≈ 4.8M× the legitimate ~208M supply) - Sold into market: ~1 billion MAPO via Uniswap pools - Proceeds realized: ~52 ETH (about $180,000) - Remaining attacker balance: close to 1 trillion MAPO, still posing risk to other pools and exchange listings - Price move: MAPO slid from about $0.003 to near $0.0001 within hours (≈96%), according to CoinGecko Blockaid attributed the incident to a Solidity smart-contract vulnerability in the Butter Bridge V3.1 OmniServiceProxy layer, not stolen keys or a failure of light-client verification. How the exploit worked Blockaid said the attacker first relayed a valid oracle multisig-signed message, then deployed a malicious contract at a specific address. The attacker subsequently resent a "retry" cross-chain message with a subtly altered payload. Because the bridge authenticated retries using keccak256(abi.encodePacked(...)) across multiple dynamicbytes fields, the concatenation created ambiguous boundaries—abi.encodePacked omits length prefixes—allowing a collision that made the manipulated retry appear authentic. The bridge accepted the message and executed an unauthorized mint. Blockaid described the issue as a classic Solidity encoding flaw rather than compromised private keys or broken cryptographic checks. Map Protocol's response Map Protocol said the problem was confined to its Solidity contract implementation and that its light client and oracle multisig were not compromised. The team has: - Paused mainnet operations and started a migration process - Said it will separately publish a new contract address and an asset snapshot schedule - Stated that tokens held by attacker-linked wallets will be excluded from future conversion events and invalidated during migration Bridges remain a prime target Cross-chain bridges have been repeatedly hit this year, with security firms pointing to a familiar pattern: forged or improperly validated messages enabling unauthorized mints or transfers. Blockaid compared the incident to other bridge failures, including the Verus bridge exploit (over $11.5 million) and the 2022 Nomad and Wormhole incidents. Recent examples also include TON-TAC's $2.68 million exploit in May (nearly 80% of assets were recovered) and security events reported by projects such as THORChain, Transit Finance, TrustedVolumes, Echo Protocol, Ekubo, and RetoSwap. About Map Protocol Map Protocol is an omnichain network designed to connect Bitcoin with ecosystems including Ethereum, BNB Chain, Tron, and Solana, supporting cross-chain transfers of Bitcoin, stablecoins, and tokenized assets. The episode highlights the systemic risks in interoperability infrastructure, where message encoding, retry logic, and validation edge cases can trigger rapid, outsized market disruptions. What to watch - The migration timeline and the announcement of the new contract address - Whether exchanges and liquidity providers delist or blacklist attacker-controlled MAPO balances - Further forensic reporting from Blockaid or independent auditors on scope and remediation