Yuga Labs swooped in to salvage 68 high-value NFTs after a June 8 exploit in Flooring Protocol exposed dozens of tokens to theft, the company said.
What happened
- Yuga Labs CEO Michael Figge confirmed the company completed a white‑hat rescue and is now holding the recovered assets in custody. The recovery team was led by Yuga’s blockchain lead 0xQuit with help from security researcher Coffee; GrailsOTC fronted funds and NFTs needed to move the exposed assets out of vulnerable pools.
- The rescued inventory includes: 29 Bored Apes, 4 Mutant Apes, 1 BAKC, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird and 2 Doodles — assets that 0xQuit says are worth more than $500,000. Yuga plans to return the assets to Flooring Protocol once a secure fix is in place.
How the exploit worked (technical summary)
- Floors Protocol issued fungible tokens (fpTokens) pegged 1:1 to NFTs locked in contracts so users could swap between the fungible representation and the underlying NFTs. An attacker found a way to convert a tiny amount of WETH into a near‑infinite fpToken balance, letting them drain liquidity from Flooring pools and redeem NFTs.
- According to 0xQuit, the root cause was packed ownership and indexing logic. A malicious token ID could make ownership checks appear valid while later accounting showed a different result — creating “ghost ownership.” An unchecked balance update then underflowed and wrapped the attacker’s balance much larger than intended, allowing them to push token prices near zero and extract liquidity.
- Flooring Protocol’s developer 0xFreeLunch confirmed the issue affected FloorProtocol V2 and BitmapPunks, both of which share the same core contract structure. He said the vulnerability allowed excess fungible tokens to be minted and redeemed for NFTs and that the attack surface turned out to be broader than initially apparent.
Current status and warnings
- Yuga said some collections were already looted before the team discovered a related risk path. 0xQuit warned users not to deposit new NFTs into Flooring Protocol until the issue is fully resolved — newly deposited assets could become vulnerable.
- The exploit is not yet fully remediated: attackers still hold some NFTs, and Flooring Protocol teams say they are tracing extracted assets and coordinating with security partners and exchanges.
Developer response and context
- Flooring Protocol’s architect accepted responsibility for the contract design, saying a gas‑saving, bit‑level implementation slipped past multiple security reviews and introduced the vulnerability. The team says it is working on remediation and asset tracing.
- This incident adds to Flooring Protocol’s track record of security problems. Earlier reports said the protocol was previously hit in an exploit worth roughly $1.5 million. Separately, BAYC NFTs continue to be a high‑value target: a trader lost three Bored Apes in a May 2024 phishing incident tied to “Pink Drainer.”
What’s next
- Yuga Labs will hold the rescued NFTs in custody and coordinate with Flooring Protocol developers to return assets after a verified fix. Meanwhile, users should avoid depositing NFTs into affected Flooring contracts and follow official channels for security updates.
Read more AI-generated news on: undefined/news
