Butter Bridge (MAP Protocol) — Cross-chain Forged Retry / Infinite Mint — May 20, 2026

Attacker: 0x40592025392BD7d7463711c6E82Ed34241B64279 (EOA recipient; 1 quadrillion MAPO minted from the zero address)

Funds moved to: ~1 billion MAPO dumped on the Uniswap V4 ETH/MAPO pool for 52.21 ETH (≈$180,000 per Blockaid alert). ~999 billion MAPO remaining in the attacker wallet (not absorbable by market depth).

MAPO contract migration in progress to separate legitimate balances (~208M supply) from the 1 quadrillion fake. MAPO -96% in 24h.

Timeline: On 20 May 2026, Blockaid detected active exploitation of Butter Bridge V3.1 (OmniServiceProxy contract) on Ethereum and BNB Chain. Root cause (via Blockaid): abi.encodePacked collision on dynamic-bytes fields in the bridge's retry path. The attacker initiated a legitimate MAP→ETH message signed via oracle/multisig, directed to a pre-computed contract address with no deployed code (stored as retry entry). The attacker then deployed a contract at this same address, creating a forged retry that passed the guard check. ~1 quadrillion MAPO minted from the zero address to 0x40592025392BD7d7463711c6E82Ed34241B64279 (~4.8 million × the legitimate supply of 208M). ~1 billion MAPO dumped via Uniswap V4 for 52.21 ETH ≈ $180,000 per Blockaid. MAP Protocol / ButterNetwork confirmed the incident, paused mainnet operations, announced patch + audit + contract redeployment. User warning: do not trade MAPO on Uniswap. abi.encodePacked bug on retry path — expected pattern appearing in 3 bridges in 2026.