1 week ago
6
MAPO, the native token of Map Protocol, has collapsed by 96% after attackers exploited the Butter Network cross-chain bridge to mint an enormous amount of unauthorized tokens.
Summary
- MAPO plunged 96% after attackers exploited the Butter Network bridge to mint a quadrillion unauthorized tokens.
- Blockaid said the attacker drained about 52 ETH from Uniswap pools and continued holding nearly a trillion MAPO tokens after the exploit.
- TON TAC has recovered about 80% of assets lost in its separate $2.68 million bridge exploit, though the protocol remains paused for an independent audit.
According to blockchain security firm Blockaid, the attacker created a quadrillion MAPO tokens through a flaw in the bridgeโs Solidity contract layer before dumping roughly 1 billion tokens into Uniswap liquidity pools.ย
๐จ Community alert@MapProtocol / @ButterNetworkio bridge exploited on Ethereum and Bsc.
Attacker tricked Butter Bridge V3.1 (OmniServiceProxy) into minting ~1 quadrillion MAPO โ about 4.8Mร the legitimate ~208M supply โ directly to a brand-new EOA.
More details in๐งต
The sales drained around 52 ETH, valued at nearly $180,000, while the attacker continued holding close to a trillion MAPO tokens that could still threaten other liquidity pools and exchange markets.
CoinGecko data showed MAPO falling from about $0.003 to nearly $0.0001 within hours as the exploit overwhelmed the tokenโs legitimate circulating supply.
Map Protocol later confirmed that the issue originated from the Solidity contract implementation rather than compromised keys or failures in its light client infrastructure. The project said it had paused the mainnet and started a migration process while the investigation remains ongoing.
In a follow-up statement, the team said a new contract address and asset snapshot timeline would be announced separately. Tokens controlled by attacker-linked wallets would be excluded from future conversion events and invalidated during the migration process, according to the project.
Root cause via @blockaid: abi.encodePacked collision across dynamic-bytes fields in the bridge retry path.
Scope:
โ Light client verification: unaffected
โ Oracle multisig: not compromised
โ MAPO token contract: unaffected
Bug sits at the Solidity contract layer.โฆ https://t.co/PfJZmmnu8n
Forged retry message triggered unauthorized mint
Additional analysis from Blockaid showed the attacker first submitted a legitimate oracle multisig-signed message before deploying a malicious contract at a targeted address. Afterward, the attacker resent what appeared to be an identical โretryโ message, although the payload had been modified.
Because the bridge validated the manipulated retry request as authentic, the protocol executed the unauthorized mint and released the newly created MAPO tokens into circulation, according to Blockaid.
The firm said the exploit was not tied to stolen private keys or broken cryptographic verification. Instead, Blockaid described the incident as a โclassic Solidity vulnerability involving multiple dynamic fields.โ
๐ Suspected root cause โ TL;DR
The bridge authenticates cross-chain message retries with keccak256(abi.encodePacked(โฆ)) over four consecutive dynamic-bytes fields (initiator, from, to, swapData). abi.encodePacked has no length prefixes, so the field boundaries aren't encodedโฆ https://t.co/7Gzs480OOX
Cross-chain bridge exploits tied to forged or improperly validated messages have surfaced repeatedly across the DeFi sector this year. Earlier this week, the Verus Protocol Ethereum bridge lost more than $11.5 million after attackers allegedly used forged cross-chain transfer instructions to siphon reserve assets from the protocol.
At the time, Blockaid compared the Verus incident to the 2022 Nomad Bridge and Wormhole exploits, where fake transfer payloads reportedly tricked protocols into releasing funds. ExVul later said the Verus exploit appeared to involve a forged cross-chain import payload that bypassed verification checks inside the bridge mechanism.
GoPlus Security separately stated that the Verus exploit was likely linked to a cross-chain message validation failure, withdrawal bypass issue, or access control weakness.
TON-TAC bridge recovers 80% of stolen assets
Elsewhere in the cross-chain bridge sector, TON-TAC, a bridge built as an extension for The Open Network, published a post-mortem Thursday covering its $2.68 million exploit from May 11.
According to the project, the incident originated from missing validation checks inside the sequencer software. A counterfeit TON wallet lacking proper code-hash and minter verification was reportedly accepted by the system, leading to another unauthorized token mint.
TON-TAC said recovery operations have secured nearly 80% of the affected assets. Even so, the bridge remains paused while an independent audit reviews the patched sequencer infrastructure and liquidity restoration process.
Map Protocol operates as an omnichain network that connects Bitcoin with ecosystems including Ethereum, BNB Chain, Tron, and Solana for cross-chain asset transfers involving Bitcoin, stablecoins, and tokenized assets.
Meanwhile, attacks targeting interoperability infrastructure have continued mounting across decentralized finance. Alongside the MAPO exploit, protocols such as THORChain, Transit Finance, TrustedVolumes, Echo Protocol, Ekubo, and RetoSwap have also reported security incidents in recent weeks.
English (US) · 