On May 20, on-chain security firm Blockaid detected an attack on Butter Bridge V3.1, a cross-chain bridge component under MAP Protocol, on Ethereum and BSC. The attacker exploited a smart contract design flaw to induce the bridge contract to illegally mint roughly 10 trillion MAPO tokens directly to a newly created address, about 4.8 million times the 208 million MAPO in legitimate circulating supply.
Attack Mechanism: Smart Contract Design Flaw in the Retry Message Verification Process
Blockaid confirmed that the root cause of this attack was a smart contract design flaw in the retry message verification process of Butter Bridge V3.1. This is a problem at the contract implementation level, not a failure of the underlying protocol architecture of MAP Protocol. By诱导 the contract execution down an incorrect verification path, the attacker caused the bridge contract to bypass the legitimate cross-chain credential checks, directly minting tokens on the Ethereum chain to a new EOA address.
Cross-chain bridges technically need to verify messages from two independent blockchains simultaneously. Each chain has its own Consensus Mechanism, security model, and transaction finality confirmation rules. MAP Protocol uses a peer-to-peer model and lightweight client verification, which in theory provides a smaller attack surface than designs that rely on trusted third-party verifiers. However, in this incident, the design flaw in the contract retry logic provided an exploitable entry point. Butter Network confirmed that patching, audits, and redeployment are underway.
Loss Scale and MAPO Market Response: Confirmed Data
Attacker cash-out amount: 52.21 ETH (about $180k), from the Uniswap V4 ETH/MAPO liquidity pool
Attacker remaining positions: about 10M MAPO, still in the attacker’s wallet, posing ongoing risk to all MAPO-related liquidity pools and CEX listings
MAPO price impact: about a 30% drop in a single day after the sell-off
Total illegally minted amount: about 10 trillion MAPO, 4.8 million times the legitimate circulating supply (208 million)
Cumulative losses from cross-chain bridge attacks in 2026 (as of mid-May): over $328.6 million
Responses Confirmed by MAP Protocol and Butter Network
MAP Protocol’s official statement confirmed the following containment measures that have already been carried out: bridging between MAPO ERC-20 and the MAPO mainnet has been suspended; the team warns users not to trade MAPO ERC-20 tokens on Uniswap at present, and while liquidity pools still carry risk during the incident mitigation period; the team is coordinating with external security partners to conduct an investigation.
Butter Network’s official statement confirmed: ButterSwap has suspended all operations; patching, audits, and redeployment are underway; pending transactions will be processed after system security is restored; users’ funds have not suffered direct losses, and all affected transaction confirmations will be handled in full after the system is restored.
FAQ
Is this attack a flaw in MAP Protocol’s underlying protocol architecture?
Blockaid confirmed that this vulnerability is a smart contract design issue in Butter Bridge V3.1, specifically occurring in the retry message verification process. It is a flaw at the contract implementation level, not a fundamental failure of MAP Protocol’s underlying peer-to-peer architecture or the lightweight client verification model. Butter Network is currently patching and re-auditing this component.
Why does the attacker’s remaining holding of about 180k MAPO constitute ongoing risk?
The attacker’s wallet still holds about 1000B of illegally minted MAPO, far exceeding the legitimate circulating supply (208 million) by thousands of times. If the attacker chooses to deploy these tokens into any MAPO liquidity pool or submit a listing application to a CEX, it would cause a major impact on MAPO market price and liquidity. Blockaid’s announcement explicitly states that this holding “constitutes ongoing risk to any MAPO pool or CEX listing.”
Why do cross-chain bridges continue to become high-risk attack targets for the DeFi ecosystem?
Technically, cross-chain bridges need to process messages from two independent blockchains simultaneously, and each chain has different Consensus Mechanisms, security models, and transaction finality rules. Bridge contracts typically lock large amounts of assets on one chain and mint corresponding tokens on another chain. Once the bridge logic has a flaw, attackers can steal the locked assets or mint tokens without financial backing. Historical cases include the 2022 Nomad Bridge theft of over $186 million (identity verification error), as well as attacks on the Ronin Bridge and Wormhole. As of 2026, cumulative losses from this type of attack have already exceeded $328.6 million.
