Exploit mints 1 quadrillion MAPO, token tumbles 30%
On May 20, 2026 an attacker minted 1,000,000,000,000,000 MAPO via a spoofed cross‑chain message, swapped some for ETH and drained liquidity, sending MAPO down about 30%.
On May 20, 2026 an attacker minted 1,000,000,000,000,000 MAPO tokens by exploiting a vulnerability in Butter Bridge V3.1’s OmniServiceProxy contract. The attacker used a spoofed cross‑chain message to create the tokens and sent them from the zero address to wallet 0x40592025392BD7d7463711c6E82Ed34241B64279.
On‑chain records show the exploiter swapped portions of the inflated supply for ETH and removed liquidity from Uniswap pools. The attacker extracted about 52.2 ETH, roughly $110,000, and pulled more than $180,000 in liquidity before the market reacted. Most of the 1 quadrillion MAPO remains in the attacker’s wallet.
The minted amount equals about 4.8 million times MAP Protocol’s legitimate circulating supply of roughly 208 million MAPO. Before the incident MAPO traded near $0.003; after the exploit the token was quoted at $0.001558, a decline of almost 30 percent. Trading pairs destabilized and liquidity for MAPO pairs fell as markets adjusted to the sudden dilution.
Security firm PeckShield flagged the issue, identifying a message‑validation weakness in the bridge contract that affected cross‑chain instruction handling on both Ethereum and Binance Smart Chain. MAP Protocol uses light clients and multi‑party computation (MPC) verification in its design, but the reported flaw allowed an unauthorized mint via a spoofed cross‑chain message.
At the time of reporting, MAP Protocol had not published a formal statement on mitigation steps such as pausing contracts, blacklisting tokens, or adjusting supply. On‑chain transactions and data are publicly available, and market participants are monitoring MAPO trading pairs and the attacker wallet for any further movement.
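The mint described above shows up on-chain as an ERC-20 Transfer event whose sender is the zero address. As an added example (not code from MAP Protocol, PeckShield or the original article), this Python detector decodes Transfer logs and flags any mint that exceeds a fraction of circulating supply. The 18-decimal precision, the 1% alert threshold, the helper names and the sample logs are assumptions constructed for illustration.

```python
# keccak256("Transfer(address,address,uint256)"), the standard ERC-20 event signature
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO = "0x" + "00" * 20
CIRCULATING = 208_000_000   # whole tokens, figure quoted in the article
DECIMALS = 18               # assumption: the article does not state token decimals
MAX_MINT_RATIO = 0.01       # assumption: alert on a single mint above 1% of supply

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    raw = topic[2:] if topic.startswith("0x") else topic
    if len(raw) != 64:
        raise ValueError("topic must be 32 bytes")
    return "0x" + raw[-40:].lower()

def find_suspicious_mints(logs, supply=CIRCULATING, decimals=DECIMALS, limit=MAX_MINT_RATIO):
    """Return one alert per Transfer-from-zero whose size exceeds limit * supply."""
    alerts = []
    for log in logs:
        topics = log.get("topics", [])
        # ERC-20 Transfer carries exactly three topics: signature, from, to.
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        if topic_to_address(topics[1]) != ZERO:
            continue  # ordinary transfer, not a mint
        amount = int(log["data"], 16) // 10 ** decimals  # base units -> whole tokens
        ratio = amount / supply
        if ratio > limit:
            alerts.append({"tx": log.get("transactionHash"), "amount": amount,
                           "to": topic_to_address(topics[2]), "ratio": ratio})
    return alerts

def _word(value):
    """Encode an int or hex address as a 32-byte ABI word (sample data only)."""
    n = int(value, 16) if isinstance(value, str) else value
    return "0x" + format(n, "064x")

# Constructed sample logs, not real chain data; tx ids are placeholders.
SAMPLE_LOGS = [
    {"transactionHash": "constructed-1", "data": _word(10**15 * 10**DECIMALS),
     "topics": [TRANSFER_TOPIC, _word(ZERO),
                _word("0x40592025392BD7d7463711c6E82Ed34241B64279")]},
    {"transactionHash": "constructed-2", "data": _word(5_000 * 10**DECIMALS),
     "topics": [TRANSFER_TOPIC, _word("0x" + "11" * 20), _word("0x" + "22" * 20)]},
    {"transactionHash": "constructed-3", "data": _word(1_000 * 10**DECIMALS),
     "topics": [TRANSFER_TOPIC, _word(ZERO), _word("0x" + "33" * 20)]},
]

if __name__ == "__main__":
    print(find_suspicious_mints(SAMPLE_LOGS))
```

On the constructed logs only the first entry is flagged; the ordinary transfer and the small mint pass without an alert.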





