MAPO, the native token of Map Protocol, crashed 96% on Wednesday after an attacker exploited the Butter Network cross-chain bridge to mint a quadrillion tokens. The illegitimate mint far exceeded the legitimate supply, dropping MAPO's value from $0.003 to $0.0001 in hours, according to CoinGecko.
The attacker used a new externally-owned account to dump roughly one billion MAPO tokens into Uniswap, draining about 52 ETH (worth approximately $180,000) from liquidity pools. Meanwhile, nearly a trillion tokens remain in the attacker's wallet, posing a threat to other pools and potential exchange listings, Blockaid reported.
This incident joins at least 18 DeFi and blockchain protocols compromised this month, including THORChain, Verus Protocol's Ethereum bridge, Transit Finance, and others.
Map Protocol stated the bug was in the Solidity contract layer, paused the mainnet, and began migration. The Butter Network paused ButterSwap, assuring that user funds were not at risk. Map Protocol will announce a new contract address and conduct an asset snapshot, noting that tokens held by attacker-controlled addresses will be invalidated.
A billion MAPO tokens were sent to Uniswap after the quadrillion mint.
The attacker initially sent a legitimate oracle multisig-signed message, then deployed a malicious contract and resent a modified retry message that appeared identical but was fake. The cross-chain bridge verified it as valid, executing the massive mint. No private keys or light clients were compromised; it was a classic Solidity vulnerability involving multiple dynamic fields.
Map Protocol is an omnichain network for swapping Bitcoin, stablecoins, and tokenized assets across blockchains.
In a related event, the TON-TAC asset bridge issued a post-mortem for a $2.68 million exploit on May 11, caused by missing validation in the sequencer software, which accepted a counterfeit wallet on TON. Recovery secured about 80% of assets, but the bridge remains paused for an audit.