Map Protocol Token MAPO Crashes 96% After Bridge Exploit Mints 1 Quadrillion Tokens

Headline: MAPO collapses 96% after bridge exploit mints 1 quadrillion tokens — Map Protocol pauses mainnet and readies migration Map Protocol’s native token MAPO plunged roughly 96% after attackers abused a flaw in the Butter Network cross‑chain bridge to mint an enormous amount of unauthorized tokens. According to blockchain security firm Blockaid, the attacker created about 1 quadrillion MAPO — ~4.8 million times the legitimate supply of ~208 million — then dumped roughly 1 billion MAPO into Uniswap liquidity pools, crushing the market. Key facts - Minted amount: ~1 quadrillion MAPO (≈ 4.8M× the legitimate ~208M supply) - Dumped to market: ~1 billion MAPO into Uniswap pools - Proceeds cashed out: ~52 ETH (about $180,000) from sales - Remaining attacker balance: close to a trillion MAPO, which could still threaten other pools and exchange listings - Price impact: MAPO fell from ~$0.003 to nearly $0.0001 within hours (≈96% collapse), per CoinGecko - Source of vulnerability: Solidity contract bug in the Butter Bridge V3.1 OmniServiceProxy layer, not stolen keys or broken light client verification How the exploit worked (short technical breakdown) Blockaid’s investigation shows the attacker first submitted a legitimate oracle multisig‑signed message, then deployed a malicious contract at a specific address. They then resent a “retry” cross‑chain message whose payload had been subtly modified. Because the bridge authenticated retries using keccak256(abi.encodePacked(...)) across multiple dynamic-bytes fields, the concatenation produced ambiguous boundaries (abi.encodePacked omits length prefixes), allowing a collision that made the manipulated retry look valid. The bridge accepted the message and executed an unauthorized mint. Blockaid emphasizes this was a classic Solidity encoding vulnerability, not compromised private keys or cryptographic checks. Map Protocol’s response Map Protocol confirmed the fault lies in the Solidity contract implementation and said its light client and oracle multisig were not compromised. The team has: - Paused mainnet operations and initiated a migration process - Announced that a new contract address and asset snapshot timeline will be published separately - Stated that tokens held by attacker-linked wallets will be excluded from future conversion events and invalidated during migration Broader context: bridge risks remain high Cross‑chain bridges have been a recurring target this year. Blockaid and other security firms compared the incident to recent and past failures where forged or improperly validated messages allowed unauthorized mints or transfers — including the Verus bridge exploit (over $11.5M) and the 2022 Nomad and Wormhole incidents. Other recent bridge attacks include TON‑TAC’s $2.68M exploit in May (the project recovered nearly 80% of assets) and security events reported by projects such as THORChain, Transit Finance, TrustedVolumes, Echo Protocol, Ekubo, and RetoSwap. What Map Protocol does Map Protocol is an omnichain network intended to bridge Bitcoin with ecosystems like Ethereum, BNB Chain, Tron, and Solana, facilitating cross‑chain transfers of Bitcoin, stablecoins, and tokenized assets. The incident underscores the systemic risk inherent in interoperability infrastructure where message encoding, retry logic, and validation subtleties can enable large, rapid disruptions. What to watch next - Map Protocol’s migration timeline and new contract address announcement - Whether exchanges and liquidity providers will delist or blacklist attacker‑controlled MAPO holdings - Any additional forensic details from Blockaid or independent auditors confirming the vulnerability scope and remediation steps This case is another reminder that cross‑chain message validation and safe Solidity encoding practices remain critical for bridge security.