Butter Bridge Hack Mints 1 Quadrillion MAPO Tokens, Wiping Out Nearly a Third of Token Value

MAP Protocol’s Butter Bridge got hit hard on May 20, 2026. Attackers exploited a flaw in the bridge’s smart contract and minted 1 quadrillion MAPO tokens — a number so absurd it makes the legitimate circulating supply of 208 million look like a rounding error. The token tanked almost immediately.

Security firm PeckShield traced the problem to Butter Bridge V3.1’s OmniServiceProxy contract. The flaw let attackers mint tokens without authorization on both Ethereum and Binance Smart Chain. They did it through a spoofed cross-chain message — basically a fake instruction that the contract accepted as real and then dutifully executed, sending a mountain of freshly minted tokens straight to a specific wallet address. It’s the kind of validation failure that keeps DeFi security researchers up at night.

What the Attacker Actually Walked Away With

Not everything, as it turns out. The attacker swapped a portion of the illegitimate tokens fast enough to extract roughly 52.2 ETH — worth about $110,000 — and pulled over $180,000 in liquidity from Uniswap pools before the token price collapsed and made the rest of the haul basically worthless. The bulk of those 1 quadrillion minted tokens are still sitting in the attacker’s wallet. Can’t really dump what nobody will buy.

Before the exploit, MAPO was trading at around $0.003. Not a big price, but a functioning market. After the attack, it fell to $0.001558 — a drop of nearly 30%. For holders and liquidity providers, that’s real money gone. Trading pairs got destabilized, Uniswap pools took a hit, and the sudden flood of supply created a liquidity shock that normal market mechanisms weren’t built to absorb.

The math on dilution here is almost comical if you’re not the one holding the bag. Going from 208 million tokens in circulation to 1 quadrillion in a single transaction is the kind of supply shock that no tokenomics model accounts for. Prices don’t just drop — they freefall.

MAP Protocol Team Stays Silent

And that’s probably the part that’s making investors most nervous right now. The MAP Protocol team hasn’t put out a formal statement. No word on contract pauses, no announcement of token blacklisting, no clarity on whether a supply adjustment is even possible or planned. Nothing.

The project pitches itself as a secure interoperability layer for Bitcoin, stablecoins, and tokenized assets. It uses light clients and MPC-based verification — advanced stuff, at least on paper. But the exploit cut straight through that, targeting a message validation gap that apparently wasn’t caught before deployment. The breach didn’t require breaking the cryptography. It just needed a contract that trusted the wrong input.

Read also: Bankr Shuts Down All Transactions After Hack Hits 14 User Wallets

Without any communication from the team, users and investors are left guessing. Are the bridges paused? Is the contract being patched? Will there be a token recovery mechanism? Unclear. The community is waiting for answers that haven’t come.

In the meantime, investors are being advised to stay away from MAPO pools and any bridge connected to the affected infrastructure until there’s official guidance. That’s pretty much the standard playbook after an exploit like this — but it’s cold comfort for anyone already holding a position.

Bridge Exploits Keep Coming in 2026

Cross-chain bridges have been a recurring weak point across DeFi for years. The architecture is genuinely hard to secure — you’re essentially building a trust mechanism between two separate blockchains, each with its own rules, and any gap in how messages are validated between them becomes a potential entry point. PeckShield has been tracking these incidents closely throughout 2026, and the Butter Bridge hack fits a pattern that’s become frustratingly familiar.

The promise of cross-chain interoperability is real. Moving assets between chains without relying on centralized intermediaries is a legitimate use case, and protocols like MAP are trying to solve a hard problem. But the execution has to be airtight. One bad contract, one unvalidated message, and the whole thing unravels fast.

See also: Echo Protocol Loses $77 Million as Admin Key Breach Hands Hacker Control of eBTC

MAP Protocol’s situation is probably going to get messier before it gets cleaner. The token price is down sharply, liquidity is disrupted, and the team’s silence isn’t helping confidence. Whether they can recover depends heavily on what comes next — a patch, a public post-mortem, maybe a compensation plan for affected liquidity providers. None of that has materialized yet.

PeckShield identified the flaw. The attacker extracted around $110,000 in ETH plus over $180,000 from Uniswap pools. And 1 quadrillion tokens are sitting in a wallet somewhere, worth almost nothing.