Key Highlights
- Attackers exploited a flaw in Butter Bridge V3.1 to mint nearly 1 quadrillion MAPO tokens.
- The issue stemmed from a hash collision in the bridge’s retry message verification logic.
- Around 1 billion MAPO was dumped for ~52.21 ETH (~$180K), while the attacker still holds most of the supply.
MAP Protocol and ButterNetwork confirmed today that their Butter Bridge V3.1 system on Ethereum and BNB Chain was exploited, allowing an attacker to mint nearly 1 quadrillion MAPO tokens.
The issue was first flagged by blockchain security firm Blockaid, which reported that the attackers were able to create fake tokens and send them to a newly created wallet address without real backing.
How the attack happened
In a post on X, Blockaid said the attacker exploited a weakness in the bridge’s retry message verification process.
The bridge used a coding method called keccak256(abi.encodePacked(…)) to check data. This method joins different pieces of data together before turning them into a hash. The issue is that when multiple dynamic fields are packed this way, different arrangements of the same data can still produce the same result. This made it possible for a fake message to look exactly like a real one to the system.
“Root cause via Blockaid: an abi.encodePacked collision across dynamic-bytes fields in our bridge retry path allowed a forged retry to pass the guard check,” ButterNetwork said, confirming the issue was at the contract layer.
The exploit took place in a sequence of steps that combined message replay and address manipulation.
According to Blockaid, the attacker first initiated a legitimate MAP→ETH bridge message that was signed through oracle and multisig validation. That message was sent to a precomputed contract address that had no code deployed at the time, causing the bridge to store it as a retry entry.
After that, the attacker created a new contract at the same address. This is possible in blockchain systems under certain conditions. Once the contract was in place, the attacker ran the retry function again but changed the structure of the message data.
Even though the structure was changed, the final encoded result still looked the same to the system. Because of this match, the system believed the message was valid. It passed all checks and allowed the attacker to mint around 10 to 15 MAPO tokens in one go.
Large dump into liquidity pools
After minting the tokens, the attacker quickly started selling them. On-chain data shows about 1 billion MAPO was dumped into a Uniswap V4 pool paired with ETH. This caused a loss of around 52.21 ETH, which is about $180,000 at the time. The sudden sale also disturbed the liquidity pool balance.
Blockaid said the attacker still holds about 999.999 billion MAPO tokens. This large amount is still sitting in their wallet, which means there is ongoing risk. If the attacker sells more tokens, it could further crash the price or affect other trading pools and exchanges.
Response from teams
ButterNetwork said the vulnerability was caused by a smart contract design issue rather than a protocol-level failure. The team stated that patching and redeployment are already in progress.
“Bug sits at the Butter contract layer. Patch, audit, and redeployment are in progress,” the protocol posted on X. It has also paused all operations while the investigation continues.
The team also said user funds are safe and that pending swaps will be completed once everything is secure again. MAP Protocol also warned users not to trade MAPO tokens on Uniswap for now because liquidity pools are still at risk.
Broader DeFi context
The incident adds to a growing list of DeFi exploits in 2026. Just last week, Huma Finance was exploited for about 101,400 USDC. Earlier the same day, INK Finance reportedly suffered a separate breach involving about $140,000 in losses.
Other protocols, including Kelp DAO, Drift Protocol, and Hyperbridge, have also been targeted this year.
In fact, funds stolen so far in DeFi-related protocols in different exploits and hacks this year alone would be estimated to be over half a billion dollars, with most cases linked to smart contract logic errors rather than direct blockchain attacks.
Also Read: Echo Exploit Hacker Moves $821K Through Tornado After eBTC Mint
