MAPO, the native token of the Map Protocol, fell 96% on Wednesday after an exploit of the Butter Network cross-chain bridge, which allowed an attacker to mint a quadrillion MAPO tokens.
The malicious mint was tens of thousands of times larger than the legitimate supply of tokens, sending the value of MAPO from around $0.003 to $0.0001 in a matter of hours, according to CoinGecko.
The attacker used a new externally-owned account (EOA) to dump around a billion MAPO tokens, draining about 52 ETH, worth about $180,000, from Uniswap liquidity pools while retaining nearly a trillion tokens that continue to threaten other pools and potential exchange listings, reported Blockaid on Wednesday.
This latest exploit comes during a month in which at least 18 DeFi and blockchain protocols have been compromised, including THORChain, Verus Protocol’s Ethereum bridge, Transit Finance, TrustedVolumes, Ekubo, Echo Protocol and RetoSwap.
Map Protocol said the bug was in the Solidity contract layer, and it has paused the mainnet and has begun migration while the investigation continues. The Butter Network said it has paused ButterSwap, adding that user funds were not at risk.
In its latest post, the Map Protocol project said it would announce a new contract address and select an appropriate time to conduct an asset snapshot. “Any remaining tokens held by attacker-controlled addresses will be fully invalidated and will not be included in any future snapshot or conversion process,” it said.
A billion MAPO tokens were sent to Uniswap after a quadrillion tokens were minted. Source: Etherscan
The MAPO attacker first sent a legitimate oracle multisig-signed message before deploying a malicious contract at a specific address. The attacker then resent a modified “retry” message that appeared identical in hash but was actually fake. The cross-chain bridge verified it as valid and executed the massive token mint.
No private keys were stolen, and no light clients were broken; it was a classic Solidity vulnerability involving multiple dynamic fields, Blockaid explained.
Related: GitHub investigates unauthorized access to internal repositories
Map Protocol is an omnichain network for swapping Bitcoin, stablecoins and tokenized assets across blockchains, connecting the Bitcoin mainnet with ecosystems such as Ethereum, BNB Chain, Tron and Solana.
TON-TAC issues a post-mortem for $2.7 million exploit
Meanwhile, the TON-TAC asset bridge, a cross-chain bridge designed as a network extension for The Open Network, issued a post-mortem on Thursday detailing its $2.68 million exploit that occurred on May 11.
It adds to a wave of cross-chain bridge exploits over the past few weeks, including the Verus-Ethereum Bridge, Echo Bridge, and Butter Network’s cross-chain bridge.
The “security incident” stemmed from missing validation in the sequencer software, which accepted a counterfeit wallet on TON that lacked proper code-hash and minter checks, leading to another unauthorized token mint.
Recovery efforts secured about 80% of the affected assets, but the bridge remains paused for an independent audit of the patched sequencer and liquidity restoration, it added.
Magazine: DeFi’s billion-dollar secret: The insiders responsible for hacks
