Yuga Labs whitehats 68 NFTs out of a live Flooring Protocol exploit
Yuga's blockchain lead 0xQuit and researcher Coffee pulled 29 BAYC, 2 CryptoPunks and 37 other blue-chips out of Flooring before an attacker could redeem them through the fpToken bug.
A vulnerability in Flooring Protocol, the Ethereum-based fractionalization layer for NFTs, let an attacker mint a near-infinite balance of fpToken from a dust amount of WETH and drain liquidity pools that held blue-chip NFTs. Yuga Labs finished a whitehat counter-operation on June 8, 2026 that pulled 68 NFTs — most of them BAYC and adjacent collections — out of the at-risk pools before the attacker could redeem them. The team led by Yuga's VP of blockchain, known on-chain as 0xQuit, with security researcher Coffee, announced the rescue and inventory the same day.
What happened
Flooring Protocol locks NFTs in vaults and mints an ERC-20 fractional token (fpToken) per collection. Each fpToken is, in principle, redeemable 1:1 against the underlying NFTs in the vault. An attacker found a path to mint fpToken without depositing the matching collateral, broke the 1:1 invariant, and used the inflated balance to redeem real NFTs from the protocol's pools. 0xQuit publicly described the exploit primitive on June 8 as turning "a dust amount of WETH into a near-infinite fpToken balance" capable of draining Flooring pools.
Yuga Labs CEO Michael Figge said the company's response team — 0xQuit, security researcher Coffee, with NFT liquidity desk GrailsOTC fronting the WETH and NFTs needed to execute the rescue txs — pulled exposed assets out of the affected pools before they could be redeemed by the attacker.
On-chain inventory
The NFTs Yuga Labs now holds in custody after the whitehat operation, as listed by Figge:
Rescued by Yuga Labs whitehat operation (68 NFTs total)
- Bored Ape Yacht Club (BAYC) : 29
- Mutant Ape Yacht Club (MAYC) : 4
- Bored Ape Kennel Club (BAKC) : 1
- CryptoPunks : 2
- Azuki : 1
- Elementals : 2
- Captainz : 26
- Moonbirds : 1
- Doodles : 2
Stated value (0xQuit) : > $500,000
Operating contract (Etherscan label "flooring-protocol.eth"):
0x3eb879cc9a0Ef4C6f1d870A40ae187768c278Da2
Periphery contract:
0x8ad7892f15e6a3a1c0eecf83c30f414227434540
The two protocol addresses are the on-chain entry points where the bug was exploited — anyone wanting to verify the redemption pattern can pull token transfer history from those contracts on a public explorer. Yuga said it will return the rescued NFTs to their rightful holders once Flooring's developers ship a fix and the contracts are safe to reopen.
Mechanism — packed ownership + unchecked balance update
The post-mortem language from 0xQuit and security researcher Coffee describes a textbook NFT-fractionalization bug:
- Flooring's ownership-and-indexing logic packs token IDs in a way that lets a crafted ID pass the ownerOf/balance check on entry…
- …but produce an inconsistent record in the later accounting step, creating a "ghost ownership" entry.
- An unchecked balance update then underflows, leaving the attacker with an enormous fpToken balance not backed by deposits.
- With the inflated balance the attacker can push fpToken prices to near-zero against the pool curve, then redeem fpToken for the underlying NFTs in the vault — siphoning real assets out for a marginal cost.
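The unchecked-update step above, as an added toy model (not Flooring's contract code and not from the post-mortem): it contrasts wrapping and reverting uint256 subtraction and measures the resulting break in the 1:1 backing invariant. The class, account names and token IDs are constructed, and the "ghost ownership" record is simplified to a debit against an account that holds nothing.

```python
# Added toy model: uint256 share accounting, not Flooring's contract code.
UINT256 = 2**256
UNITS_PER_NFT = 1  # the page describes fpToken as redeemable 1:1

class Underflow(Exception):
    """Stands in for an EVM revert on arithmetic underflow."""

def unchecked_sub(a, b):
    # Behaviour of Solidity `unchecked { a - b }`: wraps modulo 2**256.
    return (a - b) % UINT256

def checked_sub(a, b):
    # Behaviour of default Solidity >= 0.8 arithmetic: revert instead of wrapping.
    if b > a:
        raise Underflow(f"{a} - {b}")
    return a - b

class ToyVault:
    def __init__(self, sub):
        self.sub = sub       # subtraction primitive used by the accounting step
        self.nfts = set()    # token IDs actually held as collateral
        self.balances = {}   # fractional-token balance per account

    def deposit(self, account, token_id):
        self.nfts.add(token_id)
        self.balances[account] = self.balances.get(account, 0) + UNITS_PER_NFT

    def debit(self, account, amount):
        # Accounting step acting on an ownership record that does not match
        # what the entry check saw (the "ghost ownership" case, simplified).
        self.balances[account] = self.sub(self.balances.get(account, 0), amount)

    def backing_gap(self):
        # Fractional units in circulation minus units backed by vault NFTs.
        return sum(self.balances.values()) - UNITS_PER_NFT * len(self.nfts)

def run_scenario(sub):
    vault = ToyVault(sub)
    vault.deposit("depositor", 101)   # constructed token IDs
    vault.deposit("depositor", 102)
    try:
        vault.debit("ghost", 1)       # debit against an account holding 0
    except Underflow:
        return "reverted", vault.backing_gap()
    return "accepted", vault.backing_gap()

if __name__ == "__main__":
    for name, sub in (("unchecked", unchecked_sub), ("checked", checked_sub)):
        status, gap = run_scenario(sub)
        print(f"{name:9} {status:8} unbacked units: {gap}")
```

A non-zero backing gap is the condition an off-chain monitor or an on-chain assertion would alert on; with checked arithmetic the debit reverts and the gap stays at zero.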
The attacker had already redeemed some NFTs before the whitehat path closed the door; Yuga did not claim a full recovery, only that they pulled the at-risk slice from the most-exposed pools.
Impact and what to watch
- Stop using Flooring until the contracts are patched. 0xQuit explicitly warned holders not to deposit additional NFTs into Flooring pools until developers publish a fix. The contracts cited above remain the addresses to revoke approvals against.
- Approvals to revoke. Any wallet that has previously approved the FlooringPeriphery contract for token transfers should revoke that approval until Flooring's team publishes a patched deployment address.
- Return mechanism. Yuga said the 68 rescued NFTs are held in custody, not transferred. The return path will likely require Flooring's team to identify the rightful owners (token IDs map back to the original depositors) and Yuga to release on that basis.
- GrailsOTC's role. That a centralized OTC desk had to front the WETH+NFTs to execute the rescue is a reminder that whitehat operations on Ethereum are still rate-limited by who has liquidity at hand, not by what's technically possible.
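One way to run the approval check from the list above, as an added example that is not from Yuga or Flooring: it builds the JSON-RPC eth_call requests that ask an ERC-721 collection whether a wallet still has isApprovedForAll set for either address listed on this page, then decodes the replies. The collection and wallet addresses and the sample responses in the usage are constructed placeholders; ERC-20 allowances would need a separate allowance(address,address) query.

```python
import json

# Operator addresses exactly as listed on this page.
OPERATORS = {
    "flooring-protocol.eth": "0x3eb879cc9a0Ef4C6f1d870A40ae187768c278Da2",
    "periphery": "0x8ad7892f15e6a3a1c0eecf83c30f414227434540",
}
IS_APPROVED_FOR_ALL = "0xe985e9c5"  # selector of isApprovedForAll(address,address)

def abi_word(addr):
    """Left-pad a 20-byte hex address to one 32-byte ABI word."""
    h = (addr[2:] if addr.startswith("0x") else addr).lower()
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte address: {addr}")
    return h.rjust(64, "0")

def approval_call(collection, owner, operator, req_id):
    data = IS_APPROVED_FOR_ALL + abi_word(owner) + abi_word(operator)
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": collection, "data": data}, "latest"]}

def build_batch(collection, owner):
    """One eth_call per operator; request ids follow OPERATORS order from 1."""
    return [approval_call(collection, owner, op, i)
            for i, op in enumerate(OPERATORS.values(), 1)]

def decode_bool(result_hex):
    h = result_hex[2:] if result_hex.startswith("0x") else result_hex
    if len(h) != 64:
        raise ValueError("expected a single 32-byte word")
    return int(h, 16) != 0

def operators_to_revoke(responses):
    """Labels of operators whose approval is still set, from batch responses."""
    by_id = {r["id"]: r["result"] for r in responses}
    return [label for i, label in enumerate(OPERATORS, 1)
            if decode_bool(by_id[i])]

if __name__ == "__main__":
    collection = "0x" + "11" * 20   # constructed placeholder collection
    wallet = "0x" + "22" * 20       # constructed placeholder wallet
    print(json.dumps(build_batch(collection, wallet), indent=2))
    sample = [{"id": 1, "result": "0x" + "0" * 63 + "1"},   # constructed replies
              {"id": 2, "result": "0x" + "0" * 64}]
    print("revoke approval for:", operators_to_revoke(sample))
```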
Context — second NFT-fractionalization bug Flooring has had in 18 months
Flooring Protocol was hit by a separate exploit in October 2024 — a roughly $1.5M loss at the time — that surfaced via a flawed authorization check on the redeem path. Today's incident is a different class of bug (the fractional-token mint side rather than the redemption authorization side), but the broader pattern — NFT-fractionalization protocols ship intricate accounting and discover invariant breaks the hard way — is now consistent across Flooring, Tessera, NFTX and the Floor Protocol contemporary set. Each whitehat rescue is also a reminder of who in the NFT ecosystem still has the engineering bandwidth to organize one: in this case, the same Yuga Labs team that ships BAYC.
Sources:
- Cointelegraph — Yuga Labs Developers Rescue 68 NFTs From Flooring Exploit.
- CryptoTimes — Yuga Labs Rescues 68 Blue-Chip NFTs From Flooring Protocol Exploit.
- BanklessTimes — Yuga Labs Completes Whitehat Rescue of NFTs in Flooring Protocol Exploit.
- Etherscan — flooring-protocol.eth 0x3eb879cc9a0Ef4C6f1d870A40ae187768c278Da2 (on-chain verification).