Yuga Labs Executes Emergency Rescue of 68 NFTs Following Flooring Protocol Security Breach

TLDR

• A whitehat rescue mission by Yuga Labs on June 8 successfully secured vulnerable assets following a Flooring Protocol security breach
• The operation recovered 68 premium NFTs valued at more than $500,000, including Bored Apes, CryptoPunks, Azuki, Doodles, and Moonbirds
• The exploit leveraged a vulnerability that enabled attackers to generate excessive tokens and extract NFTs from liquidity pools
• Flooring Protocol has advised users to halt all new deposits until the security flaw is fully addressed
• Developers are collaborating with Yuga Labs to restore the recovered NFTs to their rightful owners after implementing fixes

On June 8, Yuga Labs executed an emergency recovery operation to secure 68 NFTs after identifying a critical security vulnerability in Flooring Protocol, a decentralized platform enabling users to deposit NFTs in exchange for liquid tokens.

Michael Figge, CEO of Yuga Labs, verified that the rescue mission successfully concluded with all recovered assets now under the company’s protection.

The salvaged portfolio comprised 29 Bored Apes, 4 Mutant Apes, 1 BAKC, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, and 2 Doodles.

Understanding the Security Vulnerability

The security flaw enabled malicious actors to convert minimal WETH deposits into virtually unlimited fpToken balances—the protocol’s fungible representation tokens.

According to Yuga Labs blockchain specialist 0xQuit, the exploit originated from flawed packed ownership structures combined with indexing logic issues. Attackers could craft malicious token IDs that satisfied ownership verification while producing contradictory accounting results.

0xQuit described this as “ghost ownership.” An unvalidated balance modification triggered an underflow condition, artificially inflating attacker token balances far beyond legitimate amounts.

Armed with these fraudulent balances, bad actors manipulated token prices toward zero, drained pool liquidity, and withdrew the underlying NFTs.

Inside the Recovery Mission

Yuga Labs’ trading division, GrailsOTC, provided the capital and NFT inventory required to extract at-risk assets from compromised pools ahead of potential attackers.

Security analyst Coffee provided crucial assistance during the emergency response. Several collections had already suffered partial exploitation before the team fully understood the vulnerability’s scope.

According to 0xQuit’s assessment, the total value of recovered assets exceeded $500,000.

Yuga Labs confirmed it will maintain custody of the rescued NFTs and coordinate with Flooring Protocol developers to facilitate their return following successful vulnerability remediation.

Ongoing Security Concerns

Flooring Protocol’s principal developer, identified as 0xFreeLunch, acknowledged the exploit impacted both Flooring Protocol V2 and BitmapPunks platforms.

Both projects utilized smart contracts maintaining a 1:1 peg between fungible tokens and locked NFTs. The vulnerability permitted unauthorized token minting and redemption despite undergoing multiple independent security audits.

0xFreeLunch revealed the attack vector proved more extensive than initial exploiters apparently recognized. The identical vulnerability compromised liquidity pools controlled by the BitmapPunks development team.

0xQuit issued strong warnings advising users to avoid depositing additional NFTs into Flooring Protocol. Fresh deposits remain vulnerable to exploitation while the security flaw persists unpatched.

The protocol’s architect accepted full accountability for the contract architecture, noting that gas-optimization techniques involving bit-level operations obscured the vulnerability from previous audit processes.

This incident marks the second major security compromise for the platform. An earlier breach resulted in approximately $1.5 million in NFT losses.

The development team is actively tracking stolen assets and maintaining communication with security firms and cryptocurrency exchanges.

The post Yuga Labs Executes Emergency Rescue of 68 NFTs Following Flooring Protocol Security Breach appeared first on Blockonomi.