MAP Protocol said its Butter Bridge V3.1 infrastructure was exploited on May 20, 2026, after an attacker used the bridge receive path to mint a massive amount of MAPO on Ethereum and BNB Smart Chain. On-chain data confirms that transaction 0x31e56b4737649e0acdb0ebb4eca44d16aeca25f60c022cbde85f092bde27664a transferred 1,000,000,000,000,000 MAPO from the null address to the labeled MAP/Butter Bridge exploiter address on May 20, 2026, at 16:13:59 UTC.
The supply impact has been described by security researchers as far larger than MAPO’s legitimate circulating supply. SlowMist’s incident tracker listed the mint as approximately 1 quadrillion MAPO, or about 4.8 million times the reported legitimate supply of roughly 208 million, making that multiple an analyst/researcher estimate rather than a number independently derived in this article.
Official Responses Point to Bridge Logic, Not Mainnet Consensus
MAP Protocol’s first public response on May 20, 2026, said the team was aware of the incident and coordinating with external security partners on investigation and containment. The protocol later said on May 21, 2026, that it had suspended conversion services between MAPO on the original ERC-20 contract address 0x66d79b8f60ec93bfce0b56f5ac14a2714e509a99 across BSC and Ethereum and MAPO on the MAP Protocol mainnet, while relevant exchanges had been notified to pause related deposits and withdrawals.
Official statement on the MAPO security incident.
A flaw in Butter Bridge V3.1 was exploited on May 20, resulting in unauthorized MAPO minting on Ethereum and BSC.
MAP Protocol mainnet consensus and light client verification were not affected.Read in the full statement:… pic.twitter.com/ufSpCl3r13
— MAP Protocol (@MapProtocol) May 21, 2026
Butter Network also addressed the incident on May 20, 2026. In one update, it said ButterSwap was paused while the team coordinated with external security partners, and in a later May 20 update it said user funds were not at risk and pending swaps would be processed once it was safe to resume.
Security firm Blockaid publicly flagged the exploit on May 20, 2026, saying the MAP Protocol and Butter Network bridge had been exploited on Ethereum and BNB Smart Chain. Butter Network later attributed the root cause to Blockaid’s analysis, describing an abi.encodePacked collision across dynamic-byte fields in the bridge retry path that allowed a forged retry message to pass guard checks.
The confirmed realized on-chain movement includes a second Ethereum transaction, 0xf7d46fa31a273fbfd5f11c9c1c57179a8fb722cec51d817ad7e8ff8aa31206d3, in which the exploiter sent 1,000,000,000 MAPO to the Uniswap V4 Pool Manager and received 52.210047945812131055 ETH on May 20, 2026, at 16:15:35 UTC. The ETH amount is on-chain confirmed; the roughly $180,000 loss figure is a researcher and tracker estimate, while Etherscan’s displayed dollar value depends on the ETH price used by the explorer at the time viewed.
Holders Face a Transition Through Snapshot and Contract Replacement
MAP Protocol’s recovery plan remains an announced process, not an executed migration. The team said it would publish a new contract address and choose an appropriate time to conduct an asset snapshot, while tokens held by attacker-controlled addresses would be excluded from future snapshot or conversion procedures. That leaves the snapshot and replacement-token distribution as pending steps until the protocol confirms completion.
For holders, the transition creates a practical distinction between valid balances expected to be recognized in a future snapshot and legacy MAPO activity tied to the compromised ERC-20 environment. MAP Protocol warned users against trading MAPO associated with the original contract on decentralized venues such as Uniswap and PancakeSwap, because legacy liquidity pools may no longer reflect assets that will be valid after migration.
The exchange impact is also transitional rather than final. MAP Protocol said relevant exchanges had been notified to halt affected deposits and withdrawals, a containment step designed to prevent unsupported or attacker-linked tokens from moving through centralized venues during the migration window. Until the new contract, snapshot and conversion process are completed, holders, liquidity providers and exchanges remain dependent on the protocol’s next official migration instructions.