Yuga Labs Just Pulled Off A $500,000 Crypto Heist — Against These Hackers

Bitcoinist

Yuga Labs, the company behind Bored Ape Yacht Club and CryptoPunks, completed a covert whitehat operation on June 8 to rescue 68 blue-chip NFTs — worth more than $500,000 — from an active exploit targeting Flooring Protocol, deploying its own funds and acting before additional attackers could drain assets that included some of the most valuable tokens in NFT history.

Yuga Labs CEO Michael Figge (@mfigge) announced the successful operation on X, publishing a full inventory of the rescued assets now held in the company’s custody: 29 Bored Ape Yacht Club NFTs, four Mutant Apes, one Bored Ape Kennel Club token, two CryptoPunks, one Azuki, two Elementals, 26 Captains, one Moonbird, and two Doodles. “We’ve just finished a whitehat operation on an exploit discovered in Flooring Protocol,” Figge wrote, noting that Yuga Labs VP of Blockchain 0xQuit (@0xQuit) led the on-chain recovery effort.

The operation was funded through GrailsOTC, Yuga Labs’ over-the-counter trading desk — which Figge said he “quietly instructed” to front the capital and NFTs needed to pull the at-risk assets out of the protocol before additional bad actors could act on the same vulnerability. The company plans to return all 68 NFTs to their original owners once a technical fix has been deployed and verified.

How The Crypto Exploit Worked

The mechanics of the attack, explained in a technical thread by 0xQuit on X, reveal a sophisticated vulnerability embedded in Flooring Protocol’s core accounting logic. A malicious actor turned a dust amount of WETH — a negligible quantity — into a near-infinite fpToken balance by exploiting an edge case in how the protocol handled token ownership records. The attacker then used the inflated balance to drain Flooring pools, with a subsequent opportunist scooping up the now-depleted pool tokens and exchanging them for the underlying NFTs.

The deeper vulnerability, per 0xQuit’s post, came from packed ownership and indexing logic — a technical design choice where a malicious token ID could make ownership verification checks pass while downstream accounting recorded a different result entirely, creating what he described as “ghost ownership.” An unchecked balance update then caused an arithmetic underflow, handing the attacker a balance far larger than they were legitimately entitled to. Once that inflated balance was in place, token prices could be pushed near zero and liquidity extracted from the pool at will.
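The bug class described above can be shown in a toy model. The following Python code is an added example, not Flooring Protocol's code or anything from 0xQuit's thread; the 24-bit ID field, the `Ledger` class and its layout are assumptions. It pairs an ownership check that reads a truncated packed index with accounting keyed by the full ID and an unchecked decrement, beside a hardened mode that range-checks the ID and refuses to underflow.

```python
# Constructed toy model, not Flooring Protocol's code: field width, names and
# ledger layout are assumptions chosen to illustrate the bug class.
U256_MASK = (1 << 256) - 1
ID_BITS = 24                       # assumed width of the packed token-ID field
ID_MASK = (1 << ID_BITS) - 1


class Ledger:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.slot_owner = {}       # packed slot index -> owner
        self.redeemed = set()      # full token IDs already redeemed
        self.balance = {}          # owner -> fractional-token units (uint256)

    def deposit(self, owner: str, token_id: int) -> None:
        if token_id > ID_MASK:
            raise ValueError("token ID does not fit the packed field")
        self.slot_owner[token_id] = owner
        self.balance[owner] = self.balance.get(owner, 0) + 1

    def redeem(self, owner: str, token_id: int) -> int:
        if self.hardened and token_id > ID_MASK:
            raise ValueError("token ID out of range for packed field")
        # Ownership check reads the packed slot, so only the low ID_BITS count.
        if self.slot_owner.get(token_id & ID_MASK) != owner:
            raise PermissionError("not the owner")
        # Accounting is keyed by the full ID, so an alias looks like a new token.
        if token_id in self.redeemed:
            raise ValueError("already redeemed")
        self.redeemed.add(token_id)
        bal = self.balance.get(owner, 0)
        if self.hardened and bal < 1:
            raise ArithmeticError("balance underflow")
        # Models an unchecked uint256 subtraction: wraps instead of reverting.
        self.balance[owner] = (bal - 1) & U256_MASK
        return self.balance[owner]


def demo(hardened: bool) -> list:
    ledger = Ledger(hardened)
    ledger.deposit("alice", 7)
    alias = 7 | (1 << ID_BITS)     # same low bits as 7, different full ID
    results = [ledger.redeem("alice", 7)]
    try:
        results.append(ledger.redeem("alice", alias))
    except (ValueError, ArithmeticError) as exc:
        results.append(type(exc).__name__)
    return results
```

In the unhardened mode the second redemption passes the ownership check and wraps the balance to the maximum 256-bit value; in the hardened mode the out-of-range ID is rejected before any state changes.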

After reviewing the initial attack path, Yuga Labs’ team identified a second, broader vulnerability that exposed additional NFT pools not yet touched by the original attacker. That discovery triggered the emergency whitehat operation — the team moved to pull all at-risk assets before another actor could find and exploit the same second path independently.

The Protocol Behind The Incident

Flooring Protocol’s architect, @0xFreeLunch, acknowledged on X that the vulnerability originated in gas-saving bit-level code design — a class of optimization where developers reduce computational costs by packing multiple values into shared storage slots. Despite multiple security reviews, the flaw went undetected, per his post. The admission is notable: gas optimization trade-offs that appear safe in isolation can create exploitable surface area when token IDs fall outside expected ranges.

Flooring Protocol had already been winding down its consumer-facing NFT services since September 2025 — the platform advised FPv2 token holders to redeem assets and exit fractional positions before October of that year. Yet its smart contracts remained live with user assets inside, creating exactly the kind of legacy exposure that attackers increasingly target in aging DeFi infrastructure.

0xQuit warned on X that some NFTs remain under attacker control and urged all users to avoid depositing additional NFTs into Flooring Protocol until a verified fix is deployed. CryptoPunks — two of which were among the rescued assets — currently carry a floor price of approximately 32.7 ETH, or roughly $54,612 per token, while BAYC NFTs sit around 9.16 ETH, per CoinGecko data.

This development marks a pivotal and unusual moment for the nascent sector’s approach to DeFi security. A blue-chip NFT company deploying its own balance sheet to rescue third-party assets from an active exploit — unprompted, at speed, and at cost — is a form of ecosystem responsibility the space rarely sees. The question the industry will now ask is how many other aging protocols still carry similar vulnerabilities in their legacy contracts, waiting for the attacker who finds the second path before anyone else does.

Cover image from Grok, ETHUSD chart from Tradingview