Yuga Labs has recovered 68 NFTs worth more than $500,000 in an emergency white-hat operation, securing assets exposed by a Flooring Protocol exploit before attackers could drain them.
The recovered haul includes 29 Bored Apes, two CryptoPunks, and four Mutant Apes, now held in Yuga’s custody for return to owners once the protocol is fixed.
How the Exploit Unfolded
Flooring Protocol is an NFT liquidity platform. Users lock NFTs and receive fungible fpTokens pegged one-to-one to those deposits.
The attacker started with a small amount of Wrapped Ether (WETH). They then abused a flaw in the protocol’s packed accounting logic to mint a near-infinite fpToken balance.
According to Yuga’s VP of blockchain, 0xQuit, a maliciously crafted token ID created what he called a ghost ownership state. Ownership checks passed under one reading while internal bookkeeping diverged under another.
Two unchecked underflows followed, wrapping the attacker’s balance to an enormous figure. They dumped fpToken prices toward zero and drained the affected pools.
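The underflow step described above, as an added illustration that is not Flooring Protocol's code: a Python model of EVM uint256 subtraction with and without the overflow check, plus the one-to-one peg invariant a monitor can assert. The ledger, account names and scenario are constructed assumptions.

```python
# Added illustration: models EVM uint256 arithmetic. The ledger is hypothetical.
UINT256_MAX = 2**256 - 1

def sub_unchecked(a: int, b: int) -> int:
    """Solidity `unchecked { a - b }`: wraps modulo 2**256 instead of reverting."""
    return (a - b) & UINT256_MAX

def sub_checked(a: int, b: int) -> int:
    """Default Solidity >=0.8 subtraction: reverts (here: raises) on underflow."""
    if b > a:
        raise ArithmeticError("underflow: debit exceeds balance")
    return a - b

class Ledger:
    """Hypothetical fpToken book: tokens outstanding must equal NFTs locked."""
    def __init__(self, sub):
        self.sub = sub            # subtraction routine used for debits
        self.balances = {}
        self.locked_nfts = 0

    def deposit(self, user: str) -> None:
        # Locking one NFT mints one token, per the one-to-one peg.
        self.locked_nfts += 1
        self.balances[user] = self.balances.get(user, 0) + 1

    def transfer(self, src: str, dst: str, amount: int) -> None:
        # The debit runs first; a checked debit aborts before any credit.
        self.balances[src] = self.sub(self.balances.get(src, 0), amount)
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def peg_holds(self) -> bool:
        """Invariant a monitor can assert after every state change."""
        return sum(self.balances.values()) == self.locked_nfts

def run(sub):
    """Constructed scenario: an account holding 0 tokens sends 1 token."""
    book = Ledger(sub)
    book.deposit("alice")
    try:
        book.transfer("mallory", "alice", 1)
        reverted = False
    except ArithmeticError:
        reverted = True
    return reverted, book.balances.get("mallory", 0), book.peg_holds()

if __name__ == "__main__":
    print("unchecked:", run(sub_unchecked))
    print("checked:  ", run(sub_checked))
```

With the unchecked debit the sender's balance wraps to 2**256 - 1 and the peg invariant fails; with the checked debit the transfer reverts and the book stays balanced.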
Why Yuga Stepped In
Researchers then found a second attack path that exposed higher-value pools, including blue-chip NFT collections. Those assets had escaped the first wave only because their pools held little liquidity.
The stakes were concentrated in those flagship collections. Bored Ape floors stood near 8.95 ETH, about $15,121, while CryptoPunks held above 32 ETH, or roughly $55,248, according to CoinGecko data on June 8.
At those levels, the 29 Bored Apes alone were worth about $441,000, the largest single line in the haul.
That math squares with the figure of more than $500,000 across all 68 NFTs cited by 0xQuit. The exploit also struck over the weekend, when fewer teams monitor on-chain activity.
Flooring Protocol entered sunset mode last year, and its NFT division was left largely unmanaged. The original architect stayed on as a liquidity provider and lost his own assets in the attack.
CEO Michael Figge said he instructed the GrailsOTC desk to front money and NFTs for the rescue. The team then deployed a contract that used the same bug class defensively, echoing earlier white-hat recovery efforts across DeFi.
