Yuga Labs completed a coordinated white-hat operation on Monday that secured 68 NFTs from an active exploit in Flooring Protocol, an Ethereum-based NFT liquidity platform. The rescued tokens, valued at more than $500,000 based on floor prices at the time of recovery, are now in Yuga's custody pending a protocol fix.
CEO Michael Figge disclosed the operation on X on June 8, listing the recovered assets: 29 Bored Ape Yacht Club NFTs, 4 Mutant Apes, 1 BAKC, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, and 2 Doodles. Figge said he “quietly instructed our GrailsOTC trading desk to front the money and NFTs to rescue the at-risk assets from the protocol.” GrailsOTC is Yuga’s OTC NFT trading desk.
The rescue operation illustrates a playbook that has emerged for high-value NFT collections: a tier-1 issuer treating a third-party protocol failure as its own incident response problem, and deploying its own trading infrastructure to limit damage before attackers can act. No equivalent prior operation by an NFT creator of Yuga’s scale has been publicly documented.
The Exploit Mechanics
Flooring Protocol is a platform that lets NFT holders fractionalize assets into micro-tokens and pool them for liquidity. The platform previously held meaningful liquidity in blue-chip NFT pools on Ethereum.
The vulnerability was traced by Yuga Labs VP of Blockchain, known on-chain as 0xQuit, to packed storage and token-indexing logic in the platform’s BT404-style smart contract. A small amount of Wrapped Ether (WETH) could be deposited to generate a near-infinite balance of fpTokens, the protocol’s ERC-20 representations of fractionalized locked NFTs. An attacker used that manufactured balance to drain Flooring pools and redeem the underlying NFTs.
0xQuit described the core failure as “ghost ownership”: the contract’s local state recorded an attacker as the legitimate owner of assets they did not possess. That accounting mismatch cascaded to secondary pools, widening the attack surface. A second, related attack path exposed the pool that Yuga ultimately extracted.
Security researcher Coffee helped scope the full extent of the vulnerability alongside 0xQuit.
Yuga’s Response
After the second attack path was confirmed, Yuga moved before additional attackers could exploit it. GrailsOTC fronted the capital and NFTs needed to pull the at-risk assets out of the compromised pools, effectively acting as a white-hat aggressor against the vulnerable state before a malicious actor could.
Yuga is holding the recovered tokens as a safeguard, not as a permanent transfer. Figge said the company will return them to rightful owners once Flooring Protocol’s developers deploy a verified fix. He also warned that the unpatched vulnerability poses continued risk to BAYC and CryptoPunks holders if left unaddressed, and that the exposure extends beyond what has already been exploited.
0xQuit separately warned users against depositing additional NFTs into Flooring Protocol until a confirmed fix is live.
Some NFTs remain under attacker control, per 0xQuit’s accounting. Flooring Protocol had not published a post-mortem or confirmed a remediation timeline as of Monday afternoon ET. The scale of the initial attack — before Yuga’s intervention — and the total losses to Flooring liquidity providers have not been independently quantified.