Yuga Labs recovers 68 NFTs after Flooring Protocol exploit

Yuga Labs recovered 68 nonfungible tokens valued at more than $500,000 in an emergency white-hat operation after an exploit exposed assets on Flooring Protocol. The haul includes 29 Bored Apes, two CryptoPunks, four Mutant Apes and other blue-chip tokens. Yuga is holding the tokens in custody while teams work on protocol fixes and owner returns.

The attack began when an actor used a small amount of Wrapped Ether to trigger a flaw in Flooring Protocol’s packed accounting logic and mint an effectively near-infinite balance of fpTokens. A maliciously crafted token ID created a ghost ownership state in which an ownership check passed during one read while internal bookkeeping diverged in another. Two unchecked underflows then wrapped the attacker’s balance to an enormous figure. The attacker dumped fpToken prices toward zero, drained multiple pools and a follow-up opportunist exchanged the depleted fpTokens for underlying NFTs.

Yuga’s vice president of blockchain, posting as 0xQuit, described the ghost ownership state and the underflow sequence that let the attacker inflate balances. Researchers identified a separate attack path that could have affected higher-value pools holding flagship collections. Market data on June 8 showed Bored Ape floors near 8.95 ETH (about $15,121) and CryptoPunks above 32 ETH (around $55,248); at those levels the 29 Bored Apes alone were roughly $441,000, consistent with Yuga’s total valuation above $500,000. The exploit occurred over the weekend when fewer teams were monitoring on-chain activity.

Michael Figge, Yuga’s CEO, wrote that he instructed the GrailsOTC desk to front funds and NFTs for the recovery and that the team deployed a contract that used the same bug class defensively. The original Flooring Protocol architect, posting as 0xFreeLunch, acknowledged responsibility for the vulnerability, blamed gas-optimized code for obscuring the bug from auditors and suggested the attacker may have used advanced tooling to craft the exploit.

Yuga described the recovered tokens as temporary custody until Flooring Protocol is secured and owners can be made whole. Quit posted, “It’s important to NOT deposit any more NFTs into Flooring Protocol, as these could become immediately vulnerable.” The exploiters still hold other stolen NFTs, and Flooring Protocol faces decisions about contract relaunches and compensation as developers evaluate fixes and next steps.