Yuga Labs completed a whitehat rescue operation on June 8, 2026, recovering 68 high-value NFTs after an exploit in Flooring Protocol exposed several major collections to theft. The saved assets included 29 Bored Apes, 4 Mutant Apes, 1 Bored Ape Kennel Club NFT, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, and 2 Doodles. CEO Michael Figge confirmed that the NFTs are now safely in the company's custody and will be returned to Flooring Protocol developers once a fix is completed.
The exploit allowed an attacker to turn a small amount of WETH into a near-infinite balance of fpTokens, enabling draining of Flooring pools and redemption of underlying NFTs. Yuga Labs' blockchain lead, known as 0xQuit, described the root cause as a packed ownership and indexing logic flaw that created "ghost ownership" and an unchecked balance update leading to an underflow. This gave the attacker the ability to push token prices near zero and extract liquidity. Liquidity support was provided by GrailsOTC, which fronted funds and NFTs to move exposed assets out of vulnerable pools.
The rescue has broader implications. Blue-chip NFTs like Bored Apes and CryptoPunks are highly illiquid, and a forced sale or theft could have triggered price pressure across entire collections. By intervening before further losses, Yuga Labs likely averted a wider market disruption. The incident also underscores the fragility of NFT financialization protocols, where complex smart contracts tying fungible tokens to rare NFTs can be exploited through subtle code vulnerabilities. Flooring Protocol's architect admitted that gas-saving bit-level code helped hide the bug during security reviews.
