Yuga Labs pulled off a whitehat rescue operation on June 8, recovering 68 blue-chip NFTs worth north of $500,000 from an active exploit on Flooring Protocol. The company deployed its own funds through GrailsOTC to front the capital and NFTs needed to extract the assets before the attacker could drain more. Yuga Labs CEO Michael Figge announced the operation on X.
The loot: 29 Bored Apes and 2 CryptoPunks
The rescued haul includes 29 Bored Ape Yacht Club NFTs, 4 Mutant Apes, 1 Bored Ape Kennel Club token, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, and 2 Doodles. BAYC's floor sits at around 9.16 ETH, and CryptoPunks at roughly 32.7 ETH, per CoinGecko. So the portfolio is substantial even by NFT market standards.
Yuga Labs plans to return every NFT to its original owner once a verified technical fix is deployed and tested. That part isn't done yet.
How the exploit worked
The vulnerability sat in Flooring Protocol's packed ownership and indexing logic. A bug created what the team called 'ghost ownership' and an arithmetic underflow that let an attacker turn a dust amount of WETH into an effectively infinite fpToken balance. The malicious actor used that inflated balance to start pulling real NFTs out of pools.
Flooring Protocol architect @0xFreeLunch acknowledged the bug came from gas-saving bit-level code design and said it slipped past multiple security reviews. The protocol had already been winding down its consumer-facing NFT services since September 2025, but its smart contracts stayed live — with user assets still inside.
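The bug class described above, as an added example that is not Flooring Protocol's code and does not reproduce its actual bug: a Python model of a 256-bit EVM storage word, showing how an unchecked subtraction on a packed field turns a dust balance into a near-maximal one and corrupts the neighboring field, next to a bounds-checked version. The 160-bit owner / 96-bit balance layout, the function names, and the sample values are all assumptions made for illustration.

```python
# Constructed model of one 256-bit EVM storage word. The layout below is an
# assumption for illustration, not Flooring Protocol's real storage format.
WORD_MASK = (1 << 256) - 1
BAL_BITS = 96
BAL_MASK = (1 << BAL_BITS) - 1


def pack(owner: int, balance: int) -> int:
    """Pack a 160-bit owner id (high bits) and a 96-bit balance (low bits)."""
    if owner >> 160 or balance >> BAL_BITS:
        raise ValueError("field out of range")
    return (owner << BAL_BITS) | balance


def unpack(word: int) -> tuple:
    """Return (owner, balance) from a packed word."""
    return word >> BAL_BITS, word & BAL_MASK


def debit_unchecked(word: int, amount: int) -> int:
    """Gas-saving pattern: subtract on the whole word with wrapping arithmetic.

    If amount exceeds the balance field, the subtraction borrows from the
    owner field: the balance wraps to a huge value and the owner changes.
    """
    return (word - amount) & WORD_MASK


def debit_checked(word: int, amount: int) -> int:
    """Hardened pattern: isolate the field, bounds-check, rewrite only it."""
    owner, balance = unpack(word)
    if amount > balance:
        raise ValueError("insufficient balance")
    return pack(owner, balance - amount)


def demo() -> tuple:
    """Debit 2 units from a dust balance of 1 using the unchecked path."""
    word = pack(0xA11CE, 1)  # constructed owner id, dust balance
    return unpack(debit_unchecked(word, 2))


if __name__ == "__main__":
    owner, balance = demo()
    print(hex(owner), balance)  # owner field corrupted, balance near 2**96
```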
A second, bigger hole
While investigating the active exploit, Yuga Labs identified a second vulnerability in Flooring Protocol that exposed additional NFT pools the original attacker never touched. That wider hole triggered the emergency whitehat operation. Yuga Labs VP of Blockchain 0xQuit, who ran the operation, warned that some NFTs are still under attacker control and urged users not to deposit anything else into Flooring Protocol until a verified fix lands.
It's rare for a blue-chip NFT company to step in and use its own balance sheet to rescue third-party assets from a live exploit. That's exactly what happened here.
The next concrete step: a technical fix needs to be deployed and verified, and then the 68 NFTs can start going home. Until then, the remaining pools are on notice.




