Yuga Labs rushed to secure dozens of high-value NFTs after researchers uncovered a vulnerability in Flooring Protocol that exposed digital collectibles to potential theft. The flaw created a risk for several major NFT collections, prompting the company to carry out an emergency white-hat recovery before additional attackers could exploit the weakness.
Chief Executive Officer Michael Figge said on June 8 that Yuga Labs had recovered 68 NFTs that were vulnerable to the exploit. The assets included 29 Bored Ape Yacht Club NFTs, four Mutant Apes, two CryptoPunks and several other collectibles. The recovery effort, led by Yuga Labs Vice President of Blockchain 0xQuit, followed the discovery of a broader security issue that threatened more assets than those affected in the initial attack.
The crisis began when independent researchers observed on-chain attackers manipulating Flooring Protocol’s core accounting logic. According to technical briefs, the vulnerability allowed an attacker to deposit a nominal amount of Wrapped Ether (WETH) and trick the smart contract into minting an effectively infinite balance of fpTokens, the platform’s fractionalized ERC-20 representations of locked NFTs.
Armed with these artificial balances, malicious actors began systematically draining the protocol’s deep liquidity pools, allowing them to extract underlying premium NFTs.
The exploit path was traced to a severe oversight in Flooring Protocol’s ownership accounting and state verification systems. By forging specific token identifiers, attackers induced a permanent “ghost ownership” state. Inside the contract’s local state, the protocol recognized the attacker as the definitive owner of assets they did not rightfully possess, causing localized accounting desynchronization to spread rapidly to secondary pools.
After reviewing the vulnerability, researchers identified another attack path that exposed additional NFT pools. The team moved quickly to act before other attackers could exploit the same weakness.
Developers, researchers, and Yuga Labs coordinated resources to secure vulnerable assets. The operation recovered 29 Bored Ape NFTs, four Mutant Apes, one BAKC NFT, two CryptoPunks, one Azuki, two Elementals, 26 Captains, one Moonbird, and two Doodles. Despite the recovery, 0xQuit said some NFTs remain under attacker control. He also warned users against depositing additional NFTs into Flooring Protocol until developers deploy a fix.
The incident highlights ongoing security risks in NFT finance platforms. It also shows how weaknesses in smart contract systems can expose high-value digital assets before users are aware of any breach.
Also Read: Weekly Wrap: Bitcoin Crashes 50% From ATH, Zcash Emergency Fork Shocks Crypto, Strategy Sells BTC
Show AI SummaryThe CFTC files a lawsuit against New Mexico to stop enforcing state gambling…
Show AI SummaryExodus expands into tokenized equities through a partnership with Ondo Finance, marking a…
Key Highlights Zimbabwe has introduced mandatory annual registration and licensing requirements for cryptocurrency and virtual…
Key Highlights Humanity Protocol published Quantstamp’s investigation into the June 8 exploit that drained and…
Key Highlights Blockworks has acquired Messari in a strategic move to combine crypto market intelligence,…
The team behind Pi Network continues to improve its ecosystem, with the transition to protocol…
This website uses cookies.
Read More