The attacker dumped around one billion MAPO tokens into Uniswap liquidity pools, draining roughly 52 ETH, and still reportedly controls close to a trillion tokens. After the incident, Map Protocol paused its mainnet and began a migration process, while Butter Network paused ButterSwap as investigations into the exploit continue. MAPO Exploit Wipes Out Token Value The crypto sector faced yet another security incident this week after MAPO, the native token of the Map Protocol ecosystem, crashed due to an exploit involving the Butter Network cross-chain bridge. The attack allowed a malicious actor to mint an enormous quantity of MAPO tokens, far exceeding the project’s legitimate circulating supply. MAP Protocol’s price action over the past 24 hours (Source: CoinCodex) According to reports, the attacker managed to mint approximately one quadrillion MAPO tokens through a vulnerability tied to the bridge’s Solidity smart contract layer. The exploit immediately destabilized the token’s value, which sent the price crashing from around $0.003 to almost $0.0001 in only a few hours. Blockchain security firm Blockaid stated that the attacker used a newly created externally-owned account to dump around one billion MAPO tokens into Uniswap liquidity pools, draining approximately 52 ETH, valued at roughly $180,000 at the time. Despite already extracting a lot of liquidity, the attacker reportedly still controls close to a trillion MAPO tokens. This raised concerns that even more decentralized exchanges, liquidity pools, and potentially even centralized exchange listings could be vulnerable if the remaining tokens are moved or sold. The exploit occurred during a particularly difficult month for the DeFi industry. At least 18 protocols reportedly suffered breaches or exploits. Recent victims included THORChain, Transit Finance, Echo Protocol, TrustedVolumes, Verus Protocol’s Ethereum bridge, Ekubo, and RetoSwap. Map Protocol later confirmed that the vulnerability originated from the Solidity contract layer rather than compromised private keys or broken light clients. According to Blockaid’s analysis, the attacker initially submitted a legitimate oracle multisig-signed message before deploying a malicious contract to a targeted address. The attacker then resent a manipulated retry message that appeared valid because it produced an identical hash structure. This ultimately tricked the bridge into authorizing the massive token mint. In response, Map Protocol paused its mainnet operations and announced that it started a migration process while the investigation continues. Butter Network also paused ButterSwap but said that user funds were not directly at risk. The project also stated that a new contract address would soon be announced, alongside a future asset snapshot to support token migration efforts. Any tokens linked to attacker-controlled wallets will reportedly be invalidated and excluded from future conversions.
