Key Takeaways
- An attacker leveraged a vulnerability in the Butter Network bridge to create 1 quadrillion MAPO tokens out of thin air
- The token’s value plummeted 96%, collapsing from $0.003 to $0.0001 in mere hours
- Approximately 1 billion tokens were liquidated by the exploiter, extracting roughly 52 ETH (around $180,000) from Uniswap liquidity
- Map Protocol has halted mainnet operations and is transitioning to a new smart contract
- Another bridge attack targeting TON-TAC resulted in $2.68 million losses on May 11, highlighting ongoing cross-chain vulnerabilities
On Wednesday, a malicious actor successfully exploited the Butter Network’s cross-chain bridge infrastructure, minting an astronomical one quadrillion MAPO tokens — approximately 100,000 times the token’s entire circulating supply. The devastating attack triggered a 96% price collapse within hours.
MAP Protocol’s native cryptocurrency, MAPO, experienced a freefall from approximately $0.003 down to $0.0001. The project’s market capitalization plunged beneath the $1 million threshold, effectively eliminating nearly all investor holdings.
The perpetrator utilized a newly created externally-owned account to execute the sophisticated attack. Their methodology involved initially transmitting an authentic oracle-signed transaction, followed by resubmitting an altered version that maintained an identical hash signature while containing fraudulent data. The bridge’s verification mechanism accepted it as legitimate and processed the enormous token creation.
No private cryptographic keys were compromised during the incident. Blockchain security firm Blockaid identified this as a textbook Solidity smart contract vulnerability related to handling multiple dynamic fields.
The hacker proceeded to liquidate approximately one billion of the fraudulently minted tokens through Uniswap liquidity pools, siphoning off about 52 ETH valued at roughly $180,000. The vast majority of minted tokens — nearly a trillion — remain stored in wallets controlled by the attacker, posing an ongoing threat to remaining liquidity pools.
Official Response from Map Protocol
Map Protocol identified the vulnerability as existing within the Solidity contract implementation layer. The development team has suspended mainnet operations and initiated a migration process to deploy a new smart contract.
The project has committed to revealing a new contract address and performing a comprehensive asset snapshot. All tokens residing in attacker-controlled addresses will be completely invalidated and omitted from the snapshot process.
The Butter Network simultaneously suspended its ButterSwap platform. Officials assured stakeholders that user deposits remained secure throughout the incident.
Escalating Cross-Chain Bridge Vulnerabilities
This incident represents just one data point in a concerning trend. A minimum of 18 decentralized finance and blockchain platforms have suffered security breaches this month, including THORChain, Verus Protocol’s Ethereum bridge, Transit Finance, and Ekubo.
A distinct attack compromised the TON-TAC bridge on May 11. That exploitation generated $2.68 million in damages and originated from inadequate validation within the sequencer software. While approximately 80% of compromised assets were ultimately recovered, the bridge infrastructure remains offline.
Cross-chain bridge technology necessitates transaction validation across disparate blockchain networks, inherently creating extensive attack vectors. Ethereum co-founder Vitalik Buterin highlighted this fundamental weakness in 2022, contending that bridges possess structurally inferior security compared to the individual blockchains they interconnect.
Map Protocol functions as an omnichain infrastructure layer bridging Bitcoin, Ethereum, BNB Chain, Tron, and Solana — indicating that its bridge architecture incorporates substantial complexity and vulnerability exposure.
For current MAPO token holders, the recovery path remains challenging. Even assuming successful migration implementation by the development team, the existence of trillions of illegitimately created tokens establishes a significant barrier to meaningful price recovery.
The attacker ultimately extracted approximately $180,000 — a comparatively modest financial gain for an exploit that fundamentally destroyed a cryptocurrency’s market valuation and revealed critical weaknesses in cross-chain bridge security architecture.
