Yuga Labs Recovers 68 High-Value NFTs Worth $500K+ From Flooring Protocol Exploit

ChainGPT
Summary

Yuga Labs recovered 68 high-value NFTs worth over $500,000 from a DeFi exploit on Flooring Protocol on June 8. The assets included Bored Ape Yacht Club, CryptoPunks, and Azuki NFTs. A whitehat rescue was led by Yuga’s VP 0xQuit, funded by GrailsOTC. The exploit abused a flaw in the protocol’s accounting logic, letting attackers inflate balances and drain liquidity. Yuga also found a second vulnerability to stop further thefts. Flooring Protocol’s architect admitted the flaw came from gas-saving design choices. A protocol update is needed before users can safely deposit NFTs again.

Yuga Labs quietly executed a whitehat rescue on June 8, pulling 68 blue‑chip NFTs — collectively worth more than $500,000 — out of an active exploit on Flooring Protocol before additional attackers could finish draining the pools.

What happened

- Yuga CEO Michael Figge (X: @mfigge) confirmed the operation and published a full inventory of the recovered assets, now held in Yuga’s custody. The haul includes: 29 Bored Ape Yacht Club (BAYC) NFTs, 4 Mutant Apes, 1 Bored Ape Kennel Club, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, and 2 Doodles.
- The on‑chain recovery was led by Yuga’s VP of Blockchain, 0xQuit (X: @0xQuit). Funding and assets to execute the rescue were fronted quietly by GrailsOTC, Yuga’s over‑the‑counter trading desk. Yuga says it will return all 68 NFTs to their original owners once a technical fix has been deployed and verified.

How the exploit worked (in plain terms)

- Flooring Protocol contained an edge case in its core accounting logic related to “packed” ownership and indexing — a gas‑optimization technique that compresses multiple values into the same storage slot.
- An attacker converted a tiny (near‑dust) amount of WETH into a vastly inflated fpToken balance by abusing how the protocol recorded token ownership when a malicious token ID fell outside expected ranges. This produced “ghost ownership”: ownership checks appeared to pass while downstream accounting recorded a different result.
- An unchecked balance update caused an arithmetic underflow, giving the attacker a near‑infinite token balance. With that inflated balance, the attacker could push token prices toward zero and drain liquidity from Flooring pools. A follow‑on opportunist then bought the emptied pool tokens and redeemed them for the underlying NFTs.

Why Yuga intervened

- After tracing the initial exploit path, Yuga discovered a second, broader vulnerability that exposed additional NFT pools not yet attacked. To prevent further thefts, the team moved quickly to extract all at‑risk assets before another actor could find and exploit that second path.
- Flooring Protocol’s architect, 0xFreeLunch (X: @0xFreeLunch), acknowledged the flaw stemmed from gas‑saving bit‑level design choices. Despite multiple security reviews, the edge case went unnoticed — underscoring how low‑level optimizations can create unexpected security surface area when token IDs or inputs deviate from assumptions.

Context and consequences

- Flooring Protocol had been winding down consumer NFT services since September 2025 and advised FPv2 holders to redeem and exit fractional positions before October that year. However, live contracts with remaining assets created legacy exposure — the very sort of risk attackers increasingly target in aging DeFi infrastructure.
- 0xQuit warned some NFTs remain under attacker control and urged users not to deposit further NFTs to Flooring Protocol until a verified fix is deployed.
- For scale: CoinGecko prices cited by Yuga put CryptoPunks at about 32.7 ETH (~$54,612) and BAYC around 9.16 ETH per token, illustrating the high value at stake.

Why this matters

- It’s unusual — and notable — to see a blue‑chip NFT company deploy its own balance sheet and op‑book (via GrailsOTC) to recover third‑party assets during an active exploit. The move reads like ecosystem stewardship: fast, costly, and proactive.
- The incident raises broader questions for DeFi and NFT infrastructure: how many other legacy contracts still harbor similar edge‑case bugs, waiting for an attacker to find the second path before anyone else does?

Yuga Labs will return the rescued NFTs after the Flooring team implements and verifies a technical remediation. In the meantime, users are advised to keep assets off the protocol until fixes are confirmed.
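The bug class described under "How the exploit worked" (an unvalidated value written into a packed storage slot, plus an unchecked balance subtraction) can be modelled with the vulnerable and hardened forms side by side. This is an added, constructed toy model, not Flooring Protocol's code; the 64-bit ID field, the slot layout and all function names are assumptions.

```python
# Constructed toy model of the bug class; widths and names are assumptions.
MASK256 = (1 << 256) - 1          # EVM word size
ID_BITS = 64                      # assumed width of the packed token-ID field
ID_MASK = (1 << ID_BITS) - 1
OWNER_MASK = (1 << 160) - 1       # an address is 160 bits


def pack_unsafe(owner: int, token_id: int) -> int:
    """Pack owner above the ID field without validating token_id's width."""
    return ((owner << ID_BITS) | token_id) & MASK256


def pack_checked(owner: int, token_id: int) -> int:
    """Same layout, but reject any value that does not fit its field."""
    if not 0 <= token_id <= ID_MASK:
        raise ValueError("token_id exceeds packed field width")
    if not 0 <= owner <= OWNER_MASK:
        raise ValueError("owner exceeds 160 bits")
    return (owner << ID_BITS) | token_id


def unpack(slot: int) -> tuple[int, int]:
    """Return (owner, token_id) as downstream accounting would read them."""
    return (slot >> ID_BITS) & OWNER_MASK, slot & ID_MASK


def sub_unchecked(balance: int, amount: int) -> int:
    """Subtraction that wraps modulo 2**256, like an unchecked block."""
    return (balance - amount) & MASK256


def sub_checked(balance: int, amount: int) -> int:
    """Subtraction that reverts instead of wrapping."""
    if amount > balance:
        raise ArithmeticError("balance underflow")
    return balance - amount


if __name__ == "__main__":
    owner, bad_id = 0xA11CE, (1 << ID_BITS) | 7   # constructed inputs
    print("stored record:", [hex(v) for v in unpack(pack_unsafe(owner, bad_id))])
    print("wrapped balance:", hex(sub_unchecked(1, 2)))
```

With the out-of-range ID, the stored record no longer matches the owner and ID the caller supplied, which is the mismatch between an ownership check and downstream accounting that range validation at the packing boundary prevents.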
