Yuga Labs has completed a whitehat rescue operation after an exploit in Flooring Protocol placed several high-value NFTs at risk.

Summary

  • Yuga Labs rescued 68 NFTs after Flooring Protocol’s exploit exposed high-value collections to theft.
  • The saved assets included BAYC, MAYC, CryptoPunks, Azuki, Moonbird, Doodles and other NFTs.
  • Flooring Protocol’s architect said aggressive bit-level code helped hide the vulnerability from security reviews.

Yuga Labs CEO Michael Figge said the assets are now in the company’s custody. The rescued NFTs include 29 Bored Apes, 4 Mutant Apes, 1 BAKC, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird and 2 Doodles.

Yuga Labs moves after Flooring Protocol exploit

Figge said Yuga Labs acted after an exploit hit Flooring Protocol earlier on June 8. Some collections had already been raided before the team found a related risk path.

“We’ve just finished a whitehat operation on an exploit discovered in Flooring Protocol,” Figge said.

The rescue involved Yuga Labs’ blockchain lead, known as 0xQuit, and security researcher Coffee. Figge said GrailsOTC fronted the funds and NFTs needed to move exposed assets away from vulnerable pools.

The company said it will work with Flooring Protocol developers to return the assets once a fix is ready.

Bug created near-unlimited token balance

0xQuit said the exploit allowed a small amount of WETH to create a near-infinite fpToken balance. Attackers could then drain Flooring pools and redeem the underlying NFTs.

The issue came from packed ownership and indexing logic. According to 0xQuit, a malicious token ID could make ownership checks pass while later accounting showed a different result.

That created what he called “ghost ownership.” After that, an unchecked balance update caused an underflow and gave the attacker a much larger balance than intended.

Once the balance wrapped, the attacker could push token prices near zero and extract liquidity from the pool.

Flooring Protocol warns against new deposits

Flooring Protocol’s 0xFreeLunch said the exploit affected FloorProtocol V2 and BitmapPunks. Both projects used contracts where fungible tokens were pegged 1:1 to NFTs locked in the contract.

“Despite multiple rounds of security reviews,” he said, an attacker found a vulnerability that allowed excess fungible tokens to be minted and redeemed for NFTs.

He said the same vector also hit BitmapPunks and drained liquidity pools supplied by the team. He added that the attack surface was larger than the first attacker appeared to know.
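The unchecked balance underflow 0xQuit describes and the 1:1 peg 0xFreeLunch describes, as a simplified Python model added here (not Flooring Protocol's contract code). The class, its method names, the account names and the 10**18 unit are assumptions; the model shows why a checked debit reverts where an unchecked one wraps, and how a peg invariant flags the result.

```python
UINT256 = 2**256
UNIT = 10**18  # assumed: fungible units minted per locked NFT


class PeggedVault:
    """Toy model of a vault whose fungible supply is pegged 1:1 to locked NFTs."""

    def __init__(self):
        self.locked = set()   # NFT ids held by the vault
        self.balances = {}    # account -> fungible balance, stored as uint256

    def deposit(self, account, token_id):
        # Locking one NFT credits exactly UNIT fungible tokens.
        self.locked.add(token_id)
        self.balances[account] = self.balances.get(account, 0) + UNIT

    def debit(self, account, amount, checked=True):
        balance = self.balances.get(account, 0)
        if checked:
            # Checked arithmetic: an over-debit reverts instead of wrapping.
            if amount > balance:
                raise ArithmeticError("balance underflow: revert")
            self.balances[account] = balance - amount
        else:
            # Unchecked arithmetic: the subtraction wraps modulo 2**256.
            self.balances[account] = (balance - amount) % UINT256

    def peg_holds(self):
        # Invariant a monitor can assert: circulating tokens == locked NFTs * UNIT.
        return sum(self.balances.values()) == len(self.locked) * UNIT


def demo():
    vault = PeggedVault()
    vault.deposit("alice", 1)   # constructed sample data
    vault.deposit("alice", 2)
    before = vault.peg_holds()
    # A debit that an earlier ownership check should have rejected:
    # the account holds nothing, so the unchecked update wraps.
    vault.debit("mallory", UNIT, checked=False)
    return before, vault.balances["mallory"], vault.peg_holds()


if __name__ == "__main__":
    print(demo())
```
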

0xQuit warned users not to deposit any more NFTs into Flooring Protocol, saying newly deposited assets could become vulnerable.

More than $500k in NFTs secured

0xQuit said the rescued NFTs were worth more than $500,000. He also said the exploit was not fully resolved because attackers still held some NFTs.

The incident adds to Flooring Protocol’s history of security concerns. Earlier related reports noted that the protocol was previously hit in an NFT exploit worth about $1.5 million.

Flooring Protocol’s architect said he takes responsibility for the contract design. He said the vulnerability came from gas-saving bit-level code that escaped earlier security reviews.

He also said the team is tracing extracted assets and working with security teams and exchanges.

Separately, as crypto.news reported, BAYC NFTs have remained a target for theft. In May 2024, an NFT trader lost three Bored Apes worth over $145,000 in a phishing attack linked to Pink Drainer.


