MAP Protocol paused Butter Bridge after an exploit minted 1 quadrillion $MAPO tokens, crashing price and draining ~$180K liquidity.
Author: Akshat Thakur
May 20, 2026 – An attacker exploited Butter Bridge V3.1 on May 20, 2026, minting approximately 1 quadrillion MAPO tokens across Ethereum and BSC. That figure represents about 4.8 million times the legitimate circulating supply of roughly 208 million MAPO.
High Signal Summary For A Quick Glance
Altcoins France 🇫🇷
@AltcoinsFrance
🚨 MAP PROTOCOL ET BUTTER NETWORK TOUCHÉS PAR UN HACK Deux bridges distincts, Map Protocol et Butter Network, ont été touchés après une faille exploitée sur Ethereum et BNB Chain. L’attaquant a réussi à créer artificiellement plus de 1 quadrillion de MAPO, soit bien au-dessus https://t.co/gWuQ4Lzyka
🚨 Community alert @MapProtocol / @ButterNetworkio bridge exploited on Ethereum and Bsc. Attacker tricked Butter Bridge V3.1 (OmniServiceProxy) into minting ~1 quadrillion MAPO — about 4.8M× the legitimate ~208M supply — directly to a brand-new EOA. More details in🧵
04:49 PM·May 20, 2026
Blockaid
@blockaid_
🚨 Community alert @MapProtocol / @ButterNetworkio bridge exploited on Ethereum and Bsc. Attacker tricked Butter Bridge V3.1 (OmniServiceProxy) into minting ~1 quadrillion MAPO — about 4.8M× the legitimate ~208M supply — directly to a brand-new EOA. More details in🧵
04:34 PM·May 20, 2026
Steady attention without excessive speculation.
The attacker then dumped 1 billion MAPO into the Uniswap V4 ETH/MAPO pool. That swap extracted roughly 52.21 ETH, worth about $180,000 in liquidity. The remaining tokens, around 999 billion MAPO, still sit in the attacker’s wallet.
Security firm Blockaid published a detailed root-cause analysis shortly after the attack. The vulnerability sat in the OmniServiceProxy contract, specifically in its retryMessageIn function.
The bridge uses keccak256 hashing with abi.encodePacked to authenticate cross-chain message retries. It hashes four consecutive dynamic-bytes fields: initiator, from, to, and swapData. Because abi.encodePacked does not add length prefixes to dynamic types, different field-boundary splits can produce identical hash outputs.
The attacker exploited this in three steps. First, they sent a legitimate cross-chain message to a precomputed empty address, caching a “NotContract” retry commitment. Then they deployed a malicious contract at that exact address. Finally, they called retryMessageIn with rearranged byte-field boundaries that packed to the same 601-byte string.
The hash matched. The guard check passed. The bridge minted 10^15 MAPO tokens directly to the attacker’s EOA.
Blockaid confirmed this was “not a key compromise, not a light-client bug, not a MAPO bug. Pure Solidity abi.encodePacked footgun.”
Both MAP Protocol and Butter Network responded within hours. MAP Protocol confirmed the team was “aware and coordinating with external security partners on investigation and containment.” The bridge between MAPO ERC-20 and mainnet MAPO was paused immediately.
MAP Protocol also confirmed the root cause identified by Blockaid. The team stated that light client verification, the oracle multisig, and the MAPO token contract itself were all unaffected. The bug sat entirely at the Solidity contract layer.
Butter Network echoed the findings and said that “patch, audit, and redeployment are in progress.” ButterSwap remains paused until the team confirms it is safe to resume.
Timeline of the MAP Protocol / Butter Network exploit and response (May 20, 2026)
An attacker abuses retryMessageIn on OmniServiceProxy, allegedly minting 1 quadrillion MAPO tokens directly to an externally controlled wallet.
Security researchers flag the exploit publicly, sharing transaction evidence and warning the community of abnormal MAPO mint activity.
The team acknowledges awareness of the exploit and announces the bridge has been paused while investigation begins.
Butter confirms ButterSwap suspension and states user funds are believed to remain safe despite disruption to services.
Blockaid publishes a deeper technical explanation attributing the exploit path to an abi.encodePacked-related validation issue.
MAP Protocol and Butter publicly agree with the preliminary analysis and caution users against interacting with MAPO liquidity during the incident.
Butter says the investigation should conclude within 12 hours. Bridge operations remain paused while fixes, audits, and redeployment planning continue.
MAPO traded around $0.003 before the exploit. The price dropped to approximately $0.001558 afterward, a decline of roughly 30 to 48 percent depending on exact timing.
The attacker’s 1 billion MAPO dump drained about $180,000 from the ETH/MAPO Uniswap V4 pool. Trading volume spiked sharply in the minutes following the mint.
The on-chain total supply of MAPO now sits at approximately 999 trillion tokens. That massive inflation has effectively destroyed the token’s supply economics, even though the attacker’s realized profit was relatively modest.
Both teams warned users not to trade MAPO ERC-20 on Uniswap while the situation remains unresolved.
The abi.encodePacked function is a well-documented risk in Solidity development. Unlike abi.encode, it does not pad dynamic types to 32-byte boundaries or include length prefixes. When multiple dynamic-bytes arguments are packed consecutively, different input combinations can produce identical byte strings.
The Solidity documentation explicitly warns against using abi.encodePacked with multiple dynamic types. Despite this, the function appears in many production contracts because it produces shorter, cheaper calldata.
Previous audits and security research have flagged this pattern repeatedly. The Butter Bridge exploit now serves as one of the clearest real-world demonstrations of why those warnings exist.
Several key questions remain open. The attacker’s identity and location are unknown. Whether a full mint also occurred on BSC, or just the retry path was triggered, has not been publicly confirmed.
The attacker has not moved or bridged the remaining approximately 999 billion MAPO tokens as of the latest on-chain data. That overhang poses ongoing risk to any remaining liquidity.
No governance proposals or on-chain pause transactions have been published. The bridge remains paused through team-controlled mechanisms. No public GitHub commits detailing the fix have appeared either.
The immediate priority for both teams is completing the patch, audit, and redeployment. Butter Network confirmed this process is underway, though no timeline has been shared.
Community sentiment on X is strongly negative. Users are sharing price-crash screenshots and warning others to avoid MAPO trading entirely. Some opportunistic traders bought the initial dip, but the dominant message is caution.
Cross-chain bridges continue to rank as the most exploited category in DeFi. Major past incidents include the Ronin bridge ($625 million), Wormhole ($320 million), and Nomad ($190 million). The Butter Bridge exploit adds another entry to that list, though the $180,000 in realized losses is far smaller than those historic attacks. The inflationary damage to MAPO’s token supply, though, could prove harder to repair.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
Butter Bridge Exploit Mints 1 Quadrillion MAPO Tokens
Meteora Launches Limit Orders on Solana DLMM
Solana Q1 Report Shows RWA Surge and Stablecoin Dominance
Vitalik Outlines Three Steps Toward Ethereum Native Privacy
Butter Bridge Exploit Mints 1 Quadrillion MAPO Tokens
Meteora Launches Limit Orders on Solana DLMM
Solana Q1 Report Shows RWA Surge and Stablecoin Dominance
Vitalik Outlines Three Steps Toward Ethereum Native Privacy
