Key Takeaways
- An attacker leveraged a vulnerability in the Butter Network cross-chain bridge to create 1 quadrillion MAPO tokens
- The token’s value plummeted 96%, collapsing from $0.003 to $0.0001 in just hours
- Approximately 1 billion minted tokens were liquidated, extracting roughly 52 ETH (approximately $180,000) from Uniswap liquidity pools
- Map Protocol has halted mainnet operations and is transitioning to a new smart contract address
- Another bridge vulnerability on TON-TAC resulted in $2.68 million losses on May 11, highlighting ongoing bridge security issues
On Wednesday, a malicious actor compromised the Butter Network cross-chain bridge infrastructure and generated one quadrillion MAPO tokens — approximately 100,000 times greater than the token’s legitimate circulating supply. The devastating breach triggered a 96% price collapse within hours.
MAP Protocol’s native token MAPO tumbled from approximately $0.003 down to $0.0001. The market capitalization plunged below the $1 million threshold, essentially eliminating virtually all investor holdings value.
The perpetrator utilized a newly created externally-owned account to execute the breach. Their methodology involved initially transmitting an authentic oracle-signed transaction, followed by resubmitting an altered version that maintained an identical hash signature while containing fraudulent data. The bridge’s validation system accepted it as legitimate and processed the enormous token mint.
No private key compromises occurred during the incident. Blockchain security company Blockaid identified this as a conventional Solidity smart contract vulnerability exploiting multiple dynamic field parameters.
Approximately one billion of the fraudulently generated tokens were liquidated through Uniswap liquidity pools, extracting about 52 ETH valued at roughly $180,000. The remainder — nearly a trillion tokens — remains stored in attacker-controlled addresses and poses an ongoing threat to additional liquidity pools.
Map Protocol’s Emergency Response
Map Protocol identified the vulnerability within the Solidity smart contract infrastructure. The development team has suspended mainnet operations and initiated migration procedures to deploy a new contract.
The project plans to reveal a replacement contract address and execute a comprehensive asset snapshot. All tokens residing in attacker-controlled wallets will be completely invalidated and omitted from the snapshot process.
The Butter Network also suspended operations of its ButterSwap platform. The team emphasized that user deposits remained secure throughout the incident.
Escalating Pattern of Bridge Vulnerabilities
This breach represents just one incident in a concerning trend. A minimum of 18 DeFi protocols and blockchain platforms have suffered exploits this month, including THORChain, Verus Protocol’s Ethereum bridge infrastructure, Transit Finance, and Ekubo.
The TON-TAC bridge experienced a separate compromise on May 11. That security breach generated $2.68 million in damages and originated from inadequate validation within the sequencer software. While approximately 80% of compromised assets were subsequently recovered, the bridge infrastructure remains offline.
Cross-chain bridge technology necessitates transaction validation across multiple blockchain networks, inherently creating extensive vulnerability surfaces. Ethereum’s co-founder Vitalik Buterin highlighted this fundamental security limitation in 2022, contending that bridge infrastructures are architecturally less secure than the individual blockchains they interconnect.
Map Protocol functions as an omnichain infrastructure layer bridging Bitcoin, Ethereum, BNB Chain, Tron, and Solana — indicating its bridge architecture bears additional complexity and elevated risk exposure.
For MAPO token holders, recovery prospects remain challenging. Even with successful migration execution by the development team, the massive overhang of trillions of illegitimate tokens establishes a significant constraint on potential price appreciation.
The attacker successfully extracted approximately $180,000 — a comparatively modest financial gain for an exploit that effectively annihilated a token’s market valuation and revealed critical weaknesses in cross-chain bridge security architecture.
