Yuga Labs rushed to secure dozens of high-value NFTs after researchers uncovered a vulnerability in Flooring Protocol that exposed digital collectibles to potential theft. The flaw created a risk for several major NFT collections, prompting the company to carry out an emergency white-hat recovery before additional attackers could exploit the weakness.
Chief Executive Officer Michael Figge said on June 8 that Yuga Labs had recovered 68 NFTs that were vulnerable to the exploit. The assets included 29 Bored Ape Yacht Club NFTs, four Mutant Apes, two CryptoPunks and several other collectibles. The recovery effort, led by Yuga Labs Vice President of Blockchain 0xQuit, followed the discovery of a broader security issue that threatened more assets than those affected in the initial attack.
How the “ghost ownership” exploit unfolded
The crisis began when independent researchers observed on-chain attackers manipulating Flooring Protocol’s core accounting logic. According to technical briefs, the vulnerability allowed an attacker to deposit a nominal amount of Wrapped Ether (WETH) and trick the smart contract into minting an effectively infinite balance of fpTokens, the platform’s fractionalized ERC-20 representations of locked NFTs.
Armed with these artificial balances, malicious actors began systematically draining the protocol’s deep liquidity pools, allowing them to extract underlying premium NFTs.
The exploit path was traced to a severe oversight in Flooring Protocol’s ownership accounting and state verification systems. By forging specific token identifiers, attackers induced a permanent “ghost ownership” state. Inside the contract’s local state, the protocol recognized the attacker as the definitive owner of assets they did not rightfully possess, causing localized accounting desynchronization to spread rapidly to secondary pools.
Race to protect vulnerable NFTs
After reviewing the vulnerability, researchers identified another attack path that exposed additional NFT pools. The team moved quickly to act before other attackers could exploit the same weakness.
Developers, researchers, and Yuga Labs coordinated resources to secure vulnerable assets. The operation recovered 29 Bored Ape NFTs, four Mutant Apes, one BAKC NFT, two CryptoPunks, one Azuki, two Elementals, 26 Captains, one Moonbird, and two Doodles. Despite the recovery, 0xQuit said some NFTs remain under attacker control. He also warned users against depositing additional NFTs into Flooring Protocol until developers deploy a fix.
The incident highlights ongoing security risks in NFT finance platforms. It also shows how weaknesses in smart contract systems can expose high-value digital assets before users are aware of any breach.
Also Read: Weekly Wrap: Bitcoin Crashes 50% From ATH, Zcash Emergency Fork Shocks Crypto, Strategy Sells BTC