One quadrillion MAPO tokens were minted today through a spoofed cross-chain message on MAP Protocol’s Butter Bridge. That is 4.8 million times the legitimate circulating supply. The token crashed 95.8%. The attacker walked away with $110,000.
The asymmetry is the story. Not MAPO.
The market cap chart tells the story better than any explanation could.
MAPO market cap collapses from $20 million to under $837,000 in minutes after one quadrillion tokens were minted through the Butter Bridge exploit. Source: CoinGecko
Hi @mapprotocol, you may want to take a look: huge amount 1,000,000,000,000,000 of $MAP0 were minted:https://t.co/gTl5TGRC9a pic.twitter.com/er6yh1Mh8b
— PeckShield Inc. (@peckshield) May 20, 2026
What Happened
Security firm PeckShield flagged a vulnerability in Butter Bridge V3.1’s OmniServiceProxy contract that allowed unauthorized minting on Ethereum and BSC. The attacker triggered the mint via a spoofed cross-chain message, directing one quadrillion MAPO from the zero address to a single wallet.
The exploiter swapped portions of the fake supply, extracting approximately 52.2 ETH worth roughly $110,000 and pulling over $180,000 in liquidity from Uniswap pools before the price collapsed. Most of the inflated tokens remain in the attacker’s wallet. The MAP Protocol team has not issued a formal statement.
Why This Keeps Happening
Bridge exploits are the most persistent unsolved problem in DeFi. The mechanism varies — spoofed messages, compromised validator keys, logic errors in verification contracts — but the outcome is always the same. Fake tokens get minted or real tokens get drained, holders lose everything, and the attacker takes whatever liquidity they can grab before the price collapses.
The $110,000 haul here is almost comically small relative to the damage done. The MAPO market cap went from roughly $20 million to under $800,000 in minutes. Holders were wiped out so an attacker could pocket six figures.
PeckShield has tracked multiple bridge exploits draining hundreds of millions across DeFi in 2026 alone. The Kelp DAO exploit drained $292 million through LayerZero-powered bridge infrastructure last week. The problem is not getting smaller. It is getting more sophisticated.
Cross-chain interoperability is the infrastructure layer that the entire tokenized asset future depends on. The SEC’s Innovation Exemption for tokenized stocks, Iran’s Bitcoin insurance platform, institutional RWA adoption, all of it assumes cross-chain bridges that work reliably and securely. Today’s MAPO exploit is a reminder of how far that assumption is from reality.
Avoid interacting with MAPO pools or the affected bridges until the team issues an official update.
