One Hash Collision Just Wiped Out 96% of MAPO – Here Is What Happened

MAPO crashed over 96% after a hash collision exploit on Butter Bridge let an attacker mint nearly 1 quadrillion tokens. MAP Protocol has now suspended trading and plans a new contract.

The token did not bleed out slowly. MAPO dropped over 96% in a matter of hours after an attacker found a way to convince the Butter Bridge it had already processed a legitimate transaction.

Security firm Blockaid flagged the incident on X, identifying the target as Butter Bridge V3.1, also known as OmniServiceProxy. According to Blockaid on X, the attacker tricked the bridge on both Ethereum and BSC, minting approximately 1 quadrillion MAPO tokens directly to a fresh wallet. The legitimate circulating supply sat around 208 million. That math alone explains most of the price action.

The Bug Nobody Flagged Until It Was Too Late

The root cause was not a key leak. It was not a problem with MAPO’s own contract. Per Blockaid’s technical breakdown on X, the bridge authenticated cross-chain message retries using keccak256(abi.encodePacked(…)) across four consecutive dynamic-bytes fields. The problem: abi.encodePacked does not add length prefixes. Different field allocations can produce the exact same byte string, and therefore the exact same hash.

The attacker planted a real, oracle-signed MAP-to-ETH message pointing to a precomputed address. No contract existed there yet. The bridge cached a “NotContract” retry. Then the exploit contract got deployed to that exact address.

What came next was a three-step sequence. Per Blockaid on X, the attacker called retryMessageIn using rearranged field boundaries that packed to the identical 601-byte string. Same hash, same guard pass. The bridge minted 10^15 MAPO straight to the attacker’s wallet.

Cross-chain bridge exploits minting unauthorized tokens have become a recurring pattern across DeFi infrastructure this year.

52 ETH Gone. Nearly a Quadrillion Tokens Still Sitting There

The attacker moved fast. Blockaid confirmed on X that 52.21 ETH, roughly $180,000, was drained from the Uniswap V4 ETH/MAPO pool after around 1 billion MAPO was dumped into it. That number sounds large. It is also less than 0.001% of what the attacker held.

Approximately 999.999 billion MAPO remained in the attacker’s wallet at time of reporting, per Blockaid. The exploit transaction is visible on Etherscan at 0x31e56b4737649e0acdb0ebb4eca44d16aeca25f60c022cbde85f092bde27664a. The attacker address is 0x40592025392BD7d7463711c6E82Ed34241B64279 and the exploit contract sits at 0x2475396A308861559EF30dc46aad6136367a1C30.

MAP Protocol confirmed awareness on X the same day. MAP Protocol said on X that the team was aware and coordinating with external security partners on investigation and containment. The bridge between MAPO ERC-20 and mainnet MAPO was paused.

MAP Protocol Moves to Invalidate Attacker Holdings

By the following day, the response shifted from containment to structural overhaul. MAP Protocol announced on X the suspension of all conversion services between MAPO tokens on the original ERC20 contract address 0x66d79b8f60ec93bfce0b56f5ac14a2714e509a99 across both BSC and Ethereum networks and MAPO on the MAP Protocol mainnet.

All relevant exchanges had been notified to disable deposits and withdrawals for these tokens, the team stated. Users were warned to avoid trading MAPO associated with the original contract on decentralized platforms, including Uniswap and PancakeSwap.

A new contract address will be published. A snapshot will be taken at a date the project considers appropriate. Any tokens still held by attacker-controlled addresses, which at this point number in the hundreds of billions, will be fully excluded from any conversion or future snapshot.

MAP Protocol also noted on X, in a follow-up acknowledging PeckShield’s tracking of the incident, that the team had been coordinating with exchanges and partners since the breach. An official statement covering next steps, snapshot details, and the new contract was being prepared.

Bridge failures have driven a disproportionate share of crypto losses in 2026, with attackers consistently targeting the intersections where automation and trust overlap.

Users have been advised by the project to rely only on official channels. Unofficial guidance, the team warned, should be ignored entirely.