
MAPO crashes to record lows, bridge attack overwhelms circulating supply



MAPO, the native token of Map Protocol, has collapsed by 96% after attackers exploited the Butter Network cross-chain bridge to mint an enormous amount of unauthorized tokens.

Summary

  • MAPO plunged 96% after attackers exploited the Butter Network bridge to mint a quadrillion unauthorized tokens.
  • Blockaid said the attacker drained about 52 ETH from Uniswap pools and continued holding nearly a trillion MAPO tokens after the exploit.
  • TON-TAC has recovered about 80% of assets lost in its separate $2.68 million bridge exploit, though the protocol remains paused for an independent audit.

According to blockchain security firm Blockaid, the attacker created a quadrillion MAPO tokens through a flaw in the bridge’s Solidity contract layer before dumping roughly 1 billion tokens into Uniswap liquidity pools. 

The sales drained around 52 ETH, valued at nearly $180,000, while the attacker continued holding close to a trillion MAPO tokens that could still threaten other liquidity pools and exchange markets.

CoinGecko data showed MAPO falling from about $0.003 to nearly $0.0001 within hours as the exploit overwhelmed the token’s legitimate circulating supply.

Map Protocol later confirmed that the issue originated from the Solidity contract implementation rather than compromised keys or failures in its light client infrastructure. The project said it had paused the mainnet and started a migration process while the investigation remains ongoing.

In a follow-up statement, the team said a new contract address and asset snapshot timeline would be announced separately. Tokens controlled by attacker-linked wallets would be excluded from future conversion events and invalidated during the migration process, according to the project.

Forged retry message triggered unauthorized mint

Additional analysis from Blockaid showed the attacker first submitted a legitimate oracle multisig-signed message before deploying a malicious contract at a targeted address. Afterward, the attacker resent what appeared to be an identical “retry” message, although the payload had been modified.

Because the bridge validated the manipulated retry request as authentic, the protocol executed the unauthorized mint and released the newly created MAPO tokens into circulation, according to Blockaid.

The firm said the exploit was not tied to stolen private keys or broken cryptographic verification. Instead, Blockaid described the incident as a “classic Solidity vulnerability involving multiple dynamic fields.”
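The following is an added illustration, not code from Map Protocol, Butter Network or Blockaid, of how a retry check can accept a modified message when several variable-length fields are hashed without their boundaries, and how length framing closes the gap. The article does not publish the vulnerable contract, so the field layout, the `RetryStore` class and the reading of "multiple dynamic fields" as a boundary ambiguity are assumptions, and `sha3_256` stands in for the contract's hash function.

```python
import hashlib

def digest_packed(fields):
    """Hash the fields back to back; field boundaries are not part of the digest."""
    return hashlib.sha3_256(b"".join(fields)).digest()

def digest_framed(fields):
    """Hash the field count and each field's length, so boundaries are bound in."""
    h = hashlib.sha3_256()
    h.update(len(fields).to_bytes(4, "big"))
    for f in fields:
        h.update(len(f).to_bytes(4, "big"))
        h.update(f)
    return h.digest()

class RetryStore:
    """Hypothetical bridge-side store: keeps only the digest of a failed message."""
    def __init__(self, digest_fn):
        self.digest_fn = digest_fn
        self.pending = set()

    def record_failed(self, fields):
        self.pending.add(self.digest_fn(fields))

    def accept_retry(self, fields):
        d = self.digest_fn(fields)
        if d not in self.pending:
            return False
        self.pending.discard(d)  # a stored message may be retried once
        return True

# Constructed sample data: two dynamic fields (a target and a payload).
ORIGINAL = (b"\xaa" * 20, b"\x01\x02\x03\x04")
# Same bytes overall, but the boundary between the two fields has moved.
SHIFTED = (b"\xaa" * 20 + b"\x01\x02", b"\x03\x04")

def check(digest_fn):
    """Return (accepts_original, accepts_shifted) for a given digest scheme."""
    results = []
    for candidate in (ORIGINAL, SHIFTED):
        store = RetryStore(digest_fn)
        store.record_failed(ORIGINAL)
        results.append(store.accept_retry(candidate))
    return tuple(results)

if __name__ == "__main__":
    print("packed:", check(digest_packed))   # modified retry is accepted
    print("framed:", check(digest_framed))   # modified retry is rejected
```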

Cross-chain bridge exploits tied to forged or improperly validated messages have surfaced repeatedly across the DeFi sector this year. Earlier this week, the Verus Protocol Ethereum bridge lost more than $11.5 million after attackers allegedly used forged cross-chain transfer instructions to siphon reserve assets from the protocol.

At the time, Blockaid compared the Verus incident to the 2022 Nomad Bridge and Wormhole exploits, where fake transfer payloads reportedly tricked protocols into releasing funds. ExVul later said the Verus exploit appeared to involve a forged cross-chain import payload that bypassed verification checks inside the bridge mechanism.

GoPlus Security separately stated that the Verus exploit was likely linked to a cross-chain message validation failure, withdrawal bypass issue, or access control weakness.

TON-TAC bridge recovers 80% of stolen assets

Elsewhere in the cross-chain bridge sector, TON-TAC, a bridge built as an extension for The Open Network, published a post-mortem Thursday covering its $2.68 million exploit from May 11.

According to the project, the incident originated from missing validation checks inside the sequencer software. A counterfeit TON wallet lacking proper code-hash and minter verification was reportedly accepted by the system, leading to another unauthorized token mint.

TON-TAC said recovery operations have secured nearly 80% of the affected assets. Even so, the bridge remains paused while an independent audit reviews the patched sequencer infrastructure and liquidity restoration process.

Map Protocol operates as an omnichain network that connects Bitcoin with ecosystems including Ethereum, BNB Chain, Tron, and Solana for cross-chain asset transfers involving Bitcoin, stablecoins, and tokenized assets.

Meanwhile, attacks targeting interoperability infrastructure have continued mounting across decentralized finance. Alongside the MAPO exploit, protocols such as THORChain, Transit Finance, TrustedVolumes, Echo Protocol, Ekubo, and RetoSwap have also reported security incidents in recent weeks.




