Yuga Labs Floorsing Protocol Exploit: Whitehat Rescue of 68 NFTs

On June 8, Yuga Labs (BAYC/CryptoPunks team) said it ran an unprompted whitehat operation to stop an active Flooring Protocol exploit. The move rescued 68 blue-chip NFTs worth $500k+ and halted further drains from affected Flooring pools using Yuga Labs’ own OTC desk funds. CEO Michael Figge posted an inventory of the recovered assets: 29 BAYC, 4 Mutant Ape Yacht Club, 1 Bored Ape Kennel Club, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, and 2 Doodles. The on-chain recovery was led by 0xQuit and funded via GrailsOTC. According to 0xQuit, the Flooring Protocol exploit came from an accounting edge case: a dust WETH amount could be converted into an inflated fpToken balance due to “ghost ownership” from packed ownership/indexing logic, then compounded by an arithmetic underflow to give the attacker far more balance than recorded. After review, the team also found a second vulnerability path and escalated with emergency withdrawals to protect other at-risk pools. Flooring Protocol’s architect (@0xFreeLunch) attributed the issue to gas-saving bit-level packed code that fails when token IDs fall outside expected ranges. Some NFTs were still under attacker control, and users were urged not to deposit until a verified fix is live. For traders, the immediate impact is more sentiment-driven than structural. The key takeaway is that this Flooring Protocol exploit did not trigger a confirmed NFT-wide liquidation cascade, but “legacy” DeFi permissioning and accounting bugs can still rapidly change risk conditions for any connected pool.