Key Takeaways
- On June 8, Yuga Labs executed a successful whitehat rescue mission following a security exploit targeting Flooring Protocol
- The operation saved 68 premium NFTs, including Bored Apes, CryptoPunks, Azuki, Doodles and Moonbirds, collectively valued at more than $500,000
- The exploit leveraged a vulnerability that enabled attackers to generate virtually unlimited tokens and extract NFTs from liquidity pools
- Users have been strongly advised against making additional deposits to Flooring Protocol until the security flaw is patched
- Developers are collaborating with Yuga Labs to safely return the recovered assets following a comprehensive security fix
On June 8, Yuga Labs successfully executed an emergency recovery operation after a critical security vulnerability was identified in Flooring Protocol, a decentralized platform enabling users to deposit NFTs in exchange for liquid, fungible tokens.
Michael Figge, CEO of Yuga Labs, publicly confirmed the successful completion of the whitehat operation, stating that all recovered assets are now held securely under Yuga Labs’ protection.
The recovered collection comprised 29 Bored Apes, 4 Mutant Apes, 1 BAKC, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird and 2 Doodles.
Understanding the Exploit Mechanism
The security flaw enabled malicious actors to convert a minimal WETH investment into an essentially unlimited quantity of fpTokens—the protocol’s native fungible tokens.
Yuga Labs blockchain engineer 0xQuit provided technical insight into the vulnerability, tracing it to flawed packed ownership structures and indexing logic. A specially crafted malicious token ID could satisfy ownership verification while simultaneously triggering contradictory accounting records.
0xQuit described this phenomenon as “ghost ownership.” The exploit further relied on an unchecked balance modification that underflowed, inflating attackers’ token balances far beyond their legitimate holdings.
Armed with these fraudulently generated tokens, bad actors could manipulate token prices toward zero, systematically drain liquidity pools, and subsequently claim the underlying NFT assets.
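The unchecked-underflow step described above, as an added illustration in Python (not code from Flooring Protocol or Yuga Labs): a toy ledger keeps each balance in the low bits of a packed word, and a supply-versus-deposits check shows how a checked debit and an invariant monitor catch what the wrapped subtraction hides. The 96-bit field, the units per NFT, and all names are assumptions made for the example.

```python
# Added illustration. The field layout and every name here are hypothetical,
# not Flooring Protocol's contract code.
BAL_BITS = 96                    # assumed: balance lives in the low 96 bits
BAL_MASK = (1 << BAL_BITS) - 1
UNITS_PER_NFT = 10**6            # constructed peg: tokens minted per deposited NFT


class Ledger:
    def __init__(self):
        self.packed = {}         # account -> packed word (flags << 96 | balance)
        self.nfts_held = 0

    def balance(self, who):
        return self.packed.get(who, 0) & BAL_MASK

    def _store(self, who, bal):
        # Bit-packed write: keep the upper flag bits, truncate the balance to
        # its field. The truncation is what turns a negative result into a wrap.
        flags = self.packed.get(who, 0) & ~BAL_MASK
        self.packed[who] = flags | (bal & BAL_MASK)

    def deposit_nft(self, who):
        self.nfts_held += 1
        self._store(who, self.balance(who) + UNITS_PER_NFT)

    def transfer(self, src, dst, amount, checked=True):
        bal = self.balance(src)
        if checked and amount > bal:
            raise ValueError("insufficient balance")
        self._store(src, bal - amount)   # wraps modulo 2**96 when unchecked
        self._store(dst, self.balance(dst) + amount)

    def peg_holds(self):
        # Invariant a monitor or test suite can assert after every operation:
        # circulating supply must equal deposited NFTs times the peg.
        supply = sum(word & BAL_MASK for word in self.packed.values())
        return supply == self.nfts_held * UNITS_PER_NFT


if __name__ == "__main__":
    ledger = Ledger()
    ledger.deposit_nft("alice")
    ledger.transfer("empty", "bob", 1, checked=False)  # debit from a zero balance
    print(ledger.balance("empty") == BAL_MASK, ledger.peg_holds())
```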
Inside the Emergency Recovery Mission
Yuga Labs’ specialized trading division, GrailsOTC, provided the necessary capital and NFTs to expedite the removal of at-risk assets from compromised pools before malicious actors could access them.
Security analyst Coffee provided critical assistance throughout the operation. Unfortunately, certain collections had already been compromised before the team could fully assess the threat landscape.
According to 0xQuit’s assessment, the total value of successfully recovered assets exceeded $500,000.
Yuga Labs has committed to maintaining secure custody of the rescued NFTs and coordinating closely with Flooring Protocol’s engineering team to facilitate their safe return once appropriate security measures have been implemented.
Ongoing Security Concerns
Flooring Protocol’s principal developer, operating under the pseudonym 0xFreeLunch, acknowledged that the exploit compromised both Flooring Protocol V2 and BitmapPunks infrastructure.
He explained that both platforms utilized smart contracts implementing a 1:1 peg between fungible tokens and deposited NFTs. The vulnerability, which had gone undetected through multiple previous security assessments, circumvented this mechanism and permitted unauthorized token minting and redemption.
0xFreeLunch revealed that the attack surface was considerably broader than the initial attacker apparently understood. The identical vulnerability vector was also exploited to drain liquidity pools controlled by the BitmapPunks development team.
0xQuit issued an urgent warning advising users to completely avoid depositing additional NFTs into Flooring Protocol. Any newly deposited assets remain exposed to potential theft while the underlying vulnerability persists.
The protocol’s lead architect accepted full responsibility for the contract architecture, acknowledging that gas-optimization techniques involving bit-level manipulation concealed the critical flaw from earlier security audits.
This incident marks the second significant security breach for the protocol. A prior exploit resulted in approximately $1.5 million in NFT losses.
The development team is actively tracking stolen assets and coordinating recovery efforts with cybersecurity specialists and cryptocurrency exchanges.





