On June 8th, Yuga Labs, the creator of Bored Ape Yacht Club and CryptoPunks, secretly stepped in to save 68 valuable NFTs – worth over $500,000 – from a security breach affecting Flooring Protocol. They used their own money to quickly resolve the issue and prevent further theft of these historically significant digital collectibles.
Yuga Labs CEO Michael Figge announced on X (formerly Twitter) that the company successfully recovered digital assets following a security issue with Flooring Protocol. The recovered items include 29 Bored Ape Yacht Club NFTs, 4 Mutant Apes, 1 Bored Ape Kennel Club token, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, and 2 Doodles. Yuga Labs’ VP of Blockchain, 0xQuit, led the effort to reclaim these assets.
The rescue operation was financed using funds from GrailsOTC, Yuga Labs’ private trading service. Figge explained that he asked GrailsOTC to provide the necessary funds and NFTs to remove the vulnerable assets from the system before anyone else could exploit the same weakness. Yuga Labs intends to return all 68 NFTs to their rightful owners after a technical solution is implemented and confirmed.
How The Crypto Exploit Worked
A recent attack, detailed by security researcher 0xQuit on X, exposed a flaw in the core code of Flooring Protocol. By exploiting a specific loophole in how the protocol tracked token ownership, the attacker converted a tiny amount of WETH into a massive, artificially inflated balance of fpTokens. They then used this fake balance to steal funds from Flooring Protocol’s pools. Another user quickly capitalized on the situation, collecting the remaining tokens from those emptied pools and trading them for the NFTs they represented.
According to 0xQuit, the main weakness stemmed from how token ownership and indexing were designed. This allowed a malicious token ID to bypass ownership checks, while the system’s records showed a different owner – essentially creating a false claim of ownership. This flaw, combined with an unverified balance update, caused a calculation error, giving the attacker a much larger balance than they should have had. With this inflated balance, they could then manipulate the token’s price and freely withdraw funds from the system.
Once Yuga Labs investigated the first attack, they found a larger, underlying weakness that put even more NFT collections at risk. This led them to quickly launch a security operation to move all potentially affected assets to safety, preventing anyone else from exploiting the vulnerability.
The Protocol Behind The Incident
The creator of Flooring Protocol, known as @0xFreeLunch, explained on X (formerly Twitter) that a security weakness came from code designed to save on transaction fees. This technique involves efficiently storing data, but it can create problems if token IDs aren’t within the expected limits. Despite several security checks, the issue wasn’t found. This highlights that even seemingly safe optimizations to reduce costs can introduce vulnerabilities if not carefully considered.
Flooring Protocol had begun shutting down its services for customers who used NFTs as early as September 2025, telling users with FPv2 tokens to claim their items and close any shared ownership positions by October. However, the platform’s underlying code was still active and held user funds, making it a target for hackers who often exploit older, vulnerable systems in the decentralized finance world.
A security researcher known as 0xQuit alerted users on X that attackers still control some NFTs and advised against depositing any more NFTs into Flooring Protocol until the issue is fully resolved. Currently, CryptoPunks – including two that were recovered – are valued at around $54,612 each (about 32.7 ETH), and Bored Ape Yacht Club (BAYC) NFTs are trading for approximately 9.16 ETH, according to CoinGecko.
This situation is a significant and rare step forward for how the new world of DeFi handles security. It’s unusual to see a well-established NFT company use its own funds to quickly and proactively save assets being stolen from another project – and do so even when it costs them money. This demonstrates a level of community support that’s uncommon in the crypto space. Now, the industry will likely focus on identifying other older projects with similar weaknesses in their code, hoping to find and fix them before hackers do.
Cover image from Grok, ETHUSD chart from Tradingview
Read More
- SUI PREDICTION. SUI cryptocurrency
- USD HKD PREDICTION
- USD TRY PREDICTION
- Gold Rate Forecast
- USD CHF PREDICTION
- LEGO’s New 12,060-Piece Set Smashes a 5 Year Old Record (& It’ll Cost You $800)
- UNI PREDICTION. UNI cryptocurrency
- Kim Kardashian, Khloe Kardashian Support Lewis Hamilton at Grand Prix
- USD BRL PREDICTION
- Seven Snipers Review: A Sharpshooter Action Movie That Misses More Than It Hits
2026-06-08 18:32