{"id":29262,"date":"2026-05-21T08:12:23","date_gmt":"2026-05-21T08:12:23","guid":{"rendered":"https:\/\/bitunikey.com\/news\/mapo-crashes-to-record-lows-bridge-attack-overwhelms-circulating-supply\/"},"modified":"2026-05-21T08:12:34","modified_gmt":"2026-05-21T08:12:34","slug":"mapo-crashes-to-record-lows-bridge-attack-overwhelms-circulating-supply","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/mapo-crashes-to-record-lows-bridge-attack-overwhelms-circulating-supply\/","title":{"rendered":"MAPO crashes to record lows, bridge attack overwhelms circulating supply"},"content":{"rendered":"<p><\/p>\n<div class=\"post-detail__content blocks\">\n<p>MAPO, the native token of Map Protocol, has collapsed by 96% after attackers exploited the Butter Network cross-chain bridge to mint an enormous amount of unauthorized tokens.<\/p>\n<div id=\"cn-block-summary-block_0929fb2f970ed4969c0eff9f2ec16e49\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>MAPO plunged 96% after attackers exploited the Butter Network bridge to mint a quadrillion unauthorized tokens.<\/li>\n<li>Blockaid said the attacker drained about 52 ETH from Uniswap pools and continued holding nearly a trillion MAPO tokens after the exploit.<\/li>\n<li>TON TAC has recovered about 80% of assets lost in its separate $2.68 million bridge exploit, though the protocol remains paused for an independent audit.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>According to blockchain security firm Blockaid, the attacker created a quadrillion MAPO tokens through a flaw in the bridge\u2019s Solidity contract layer before dumping roughly 1 billion tokens into Uniswap liquidity pools.\u00a0<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">\ud83d\udea8 Community alert<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/MapProtocol?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">@MapProtocol<\/a> \/ <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/ButterNetworkio?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">@ButterNetworkio<\/a>  bridge exploited on Ethereum and Bsc.<\/p>\n<p>Attacker tricked Butter Bridge V3.1 (OmniServiceProxy) into minting ~1 quadrillion MAPO \u2014 about 4.8M\u00d7 the legitimate ~208M supply \u2014 directly to a brand-new EOA.<\/p>\n<p>More details in\ud83e\uddf5<\/p>\n<p>\u2014 Blockaid (@blockaid_) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/blockaid_\/status\/2057137997515014211?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">May 20, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>The sales drained around 52 ETH, valued at nearly $180,000, while the attacker continued holding close to a trillion MAPO tokens that could still threaten other liquidity pools and exchange markets.<\/p>\n<p>CoinGecko <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.coingecko.com\/en\/coins\/map-protocol\" target=\"_blank\" rel=\"nofollow\">data<\/a> showed MAPO falling from about $0.003 to nearly $0.0001 within hours as the exploit overwhelmed the token\u2019s legitimate circulating supply.<\/p>\n<p>Map Protocol later confirmed that the issue originated from the Solidity contract implementation rather than compromised keys or failures in its light client infrastructure. The project said it had paused the mainnet and started a migration process while the investigation remains ongoing.<\/p>\n<p>In a follow-up statement, the team said a new contract address and asset snapshot timeline would be announced separately. Tokens controlled by attacker-linked wallets would be excluded from future conversion events and invalidated during the migration process, according to the project.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Root cause via <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/blockaid?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">@blockaid<\/a>: abi.encodePacked collision across dynamic-bytes fields in the bridge retry path.<\/p>\n<p>Scope: <br \/>\u2713 Light client verification: unaffected <br \/>\u2713 Oracle multisig: not compromised <br \/>\u2713 MAPO token contract: unaffected<\/p>\n<p>Bug sits at the Solidity contract layer.\u2026 <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/PfJZmmnu8n\">https:\/\/t.co\/PfJZmmnu8n<\/a><\/p>\n<p>\u2014 MAP Protocol (@MapProtocol) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/MapProtocol\/status\/2057165370117808231?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">May 20, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<h2 class=\"wp-block-heading\">Forged retry message triggered unauthorized mint<\/h2>\n<p>Additional analysis from Blockaid showed the attacker first submitted a legitimate oracle multisig-signed message before deploying a malicious contract at a targeted address. Afterward, the attacker resent what appeared to be an identical \u201cretry\u201d message, although the payload had been modified.<\/p>\n<p>Because the bridge validated the manipulated retry request as authentic, the protocol executed the unauthorized mint and released the newly created MAPO tokens into circulation, according to Blockaid.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<p>The firm said the exploit was not tied to stolen private keys or broken cryptographic verification. Instead, Blockaid described the incident as a \u201cclassic Solidity vulnerability involving multiple dynamic fields.\u201d<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">\ud83d\udd0e Suspected root cause \u2013 TL;DR <\/p>\n<p>The bridge authenticates cross-chain message retries with keccak256(abi.encodePacked(\u2026)) over four consecutive dynamic-bytes fields (initiator, from, to, swapData). abi.encodePacked has no length prefixes, so the field boundaries aren&#8217;t encoded\u2026 <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/7Gzs480OOX\">https:\/\/t.co\/7Gzs480OOX<\/a><\/p>\n<p>\u2014 Blockaid (@blockaid_) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/blockaid_\/status\/2057158375293530290?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">May 20, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>Cross-chain bridge exploits tied to forged or improperly validated messages have surfaced repeatedly across the DeFi sector this year. Earlier this week, the Verus Protocol Ethereum bridge lost more than $11.5 million after attackers allegedly used forged cross-chain transfer instructions to siphon reserve assets from the protocol.<\/p>\n<p>At the time, Blockaid compared the Verus incident to the 2022 Nomad Bridge and Wormhole exploits, where fake transfer payloads reportedly tricked protocols into releasing funds. ExVul later said the Verus exploit appeared to involve a forged cross-chain import payload that bypassed verification checks inside the bridge mechanism.<\/p>\n<p>GoPlus Security separately stated that the Verus exploit was likely linked to a cross-chain message validation failure, withdrawal bypass issue, or access control weakness.<\/p>\n<h2 class=\"wp-block-heading\">TON-TAC bridge recovers 80% of stolen assets<\/h2>\n<p>Elsewhere in the cross-chain bridge sector, TON-TAC, a bridge built as an extension for The Open Network, published a post-mortem Thursday covering its $2.68 million exploit from May 11.<\/p>\n<p>According to the project, the incident originated from missing validation checks inside the sequencer software. A counterfeit TON wallet lacking proper code-hash and minter verification was reportedly accepted by the system, leading to another unauthorized token mint.<\/p>\n<p>TON-TAC said recovery operations have secured nearly 80% of the affected assets. Even so, the bridge remains paused while an independent audit reviews the patched sequencer infrastructure and liquidity restoration process.<\/p>\n<p>Map Protocol operates as an omnichain network that connects Bitcoin with ecosystems including Ethereum, BNB Chain, Tron, and Solana for cross-chain asset transfers involving Bitcoin, stablecoins, and tokenized assets.<\/p>\n<p>Meanwhile, attacks targeting interoperability infrastructure have continued mounting across decentralized finance. Alongside the MAPO exploit, protocols such as THORChain, Transit Finance, TrustedVolumes, Echo Protocol, Ekubo, and RetoSwap have also reported security incidents in recent weeks.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<\/p><\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>MAPO, the native token of Map Protocol, has collapsed by 96% after attackers exploited the Butter Network cross-chain bridge to mint an enormous amount of unauthorized tokens. Summary MAPO plunged&hellip;<\/p>\n","protected":false},"author":1,"featured_media":3013,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-29262","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29262","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=29262"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29262\/revisions"}],"predecessor-version":[{"id":29263,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29262\/revisions\/29263"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/3013"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=29262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=29262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=29262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}