Executive summary
MAP Protocol's Butter Bridge v3.1 was exploited in early May 2026, with an attacker minting approximately one quadrillion MAPO tokens and extracting liquidity via on-chain swaps. The scale of the mint, 1,000,000,000,000,000 MAPO, was not constrained by any economic backing, and the attacker converted a portion of the fabricated supply into real assets before the protocol paused bridge operations.
Secondary reporting, citing analysis of the OmniServiceProxy contract's retryMessageIn function, points to a dynamic-type packing collision as the likely abuse path. Official root-cause confirmation from MAP Protocol was still pending at the time of this analysis.
What happened
Butter Bridge v3.1, the cross-chain messaging layer in MAP Protocol's ecosystem, appears to have exposed an abuse path through its message retry mechanism. The attacker reportedly exploited the retryMessageIn function in the OmniServiceProxy contract, the component responsible for processing and re-executing cross-chain messages that failed on first attempt.
Secondary technical reporting suggests the vulnerability is a known Solidity footgun: using keccak256(abi.encodePacked(...)) to form a message authenticity preimage across multiple dynamic byte arrays. When field boundaries in the packed encoding can be manipulated to collide with an existing commitment hash, the retry path can be tricked into treating a fabricated message as previously approved, allowing an attacker to execute a destination-side mint without a legitimate corresponding source-side event.
The attacker minted approximately one quadrillion MAPO to a single wallet address, then swapped a portion of the minted supply to extract ETH and other liquid assets. MAP Protocol responded by pausing bridge operations between MAPO ERC-20 and mainnet MAPO following the exploit.
Why abi.encodePacked is dangerous for authenticity checks
The abi.encodePacked function does not pad its inputs to fixed widths; it concatenates them tightly, with no length prefixes. When two or more dynamic-length fields are packed together, the boundary between them is lost. A hash computed over abi.encodePacked(fieldA, fieldB) is identical to a hash computed over abi.encodePacked(fieldA', fieldB') whenever the concatenated bytes are the same and only the field boundary has shifted. This means an attacker can craft inputs that produce a hash matching an existing approved commitment without supplying any of the originally authorised values.
Using this as an authenticity check for cross-chain message replay protection is a single-point-of-failure design: if the collision can be engineered, the entire validity gate fails. The Solidity documentation explicitly warns against using abi.encodePacked with multiple variable-length arguments for this reason.
What defenders can learn
Use abi.encode instead of abi.encodePacked for commitment hashes. abi.encode pads each field to 32-byte words and, for dynamic types, records the field's length and offset, so boundaries are preserved and a shifted-boundary collision is structurally much harder. Any contract computing a preimage for a message hash or authenticity check over multiple dynamic fields should default to abi.encode.
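The boundary collision described above, together with the abi.encode fix, modelled as an added Python example (not code from MAP Protocol or the original post). It implements the ABI packing rules for `bytes` arguments; hashlib.sha3_256 stands in for keccak256 (an assumption: the two differ only in the padding byte, and the collision depends solely on the preimage bytes being identical).

```python
"""abi.encodePacked vs abi.encode for dynamic `bytes` fields (constructed example).

Shows why a commitment hash over packed dynamic fields collides when the
field boundary shifts, and why the head/tail layout of abi.encode does not.
"""
import hashlib

WORD = 32  # ABI word size in bytes


def encode_packed(*fields: bytes) -> bytes:
    # abi.encodePacked: dynamic fields are concatenated with no length
    # prefix and no padding, so the boundary between them is not recorded.
    return b"".join(fields)


def _pad_right(data: bytes) -> bytes:
    # Right-pad a tail to a multiple of 32 bytes, as the ABI does for `bytes`.
    return data + b"\x00" * ((-len(data)) % WORD)


def encode(*fields: bytes) -> bytes:
    # abi.encode for N `bytes` arguments: N head words, each holding the
    # offset of that argument's tail, then each tail as a 32-byte length
    # word followed by the right-padded data. Length and offset fix the
    # boundaries, so moving a byte between fields changes the encoding.
    head, tail = b"", b""
    offset = WORD * len(fields)  # first tail starts after the head words
    for f in fields:
        head += offset.to_bytes(WORD, "big")
        t = len(f).to_bytes(WORD, "big") + _pad_right(f)
        tail += t
        offset += len(t)
    return head + tail


def commitment(encoder, *fields: bytes) -> bytes:
    # Stand-in for keccak256(preimage); sha3_256 is used only because it is
    # in the standard library. Identical preimages collide under any hash.
    return hashlib.sha3_256(encoder(*fields)).digest()


def collides(encoder) -> bool:
    # Constructed (payload, sender) pairs whose boundary is shifted by one byte.
    legit = (b"\x01\x02\x03", b"\xaa\xbb")
    forged = (b"\x01\x02", b"\x03\xaa\xbb")
    return commitment(encoder, *legit) == commitment(encoder, *forged)


if __name__ == "__main__":
    print("encodePacked collides:", collides(encode_packed))  # True
    print("encode collides:      ", collides(encode))         # False
```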
Treat retry paths as primary attack surface. Message retry and replay mechanisms exist to recover from failures, but they also represent a second opportunity to replay a manipulated message. Every retry path should apply the same validation logic as the initial message, with no relaxation of authenticity checks.
Mint operations on cross-chain messages require defence-in-depth. Any bridge that can trigger a token mint on the destination chain is operating with a high-consequence execution path. Rate limits, total supply caps, and circuit breakers on destination-side minting are compensating controls that can contain the blast radius of an exploit even if the core validation fails.
Key details
- Protocol: MAP Protocol / Butter Bridge v3.1
- Affected contract: OmniServiceProxy
- Suspected vulnerable function: retryMessageIn
- Issue class: abi.encodePacked dynamic-type packing collision in a message authenticity preimage
- Attacker address: 0x40592025…
- Response: MAP Protocol paused the MAPO ERC-20 / mainnet bridge following the exploit
Further reading
If your protocol relies on bridge or messaging infrastructure with mint capabilities, Security4Web3 can help you review message validation paths, model retry attack surfaces, and build circuit breaker controls before they're needed.