Yuga Labs Rescues 68 NFTs After Flooring Protocol Hack

Whitehat Mechanics and Custody

0xQuit said the rescued NFTs were worth more than $500,000. The operation required Yuga Labs to front money and tokens to outbid attackers or pull funds from compromised pools before the exploiters could.

0xQuit warned users not to deposit any more NFTs into Flooring Protocol, saying newly deposited assets could become vulnerable. He also said the exploit was not fully resolved because attackers still held some NFTs.

Protocol Accountability

Flooring Protocol's architect said he takes responsibility for the contract design. He said the vulnerability came from gas-saving bit-level code that escaped earlier security reviews.

The team is now tracing extracted assets and working with security teams and exchanges.

What this means: If Flooring Protocol does not fully redeploy and test new contracts, any deposited NFT remains at risk of the same underflow exploit applied in a different direction.

Exposed Assets and Market Impact

Affected Collections and Their Value

The 68 NFTs at risk include some of the most liquid and expensive collections on Ethereum. Yuga Labs holding them in custody prevents a forced dump that could depress floor prices across the top collections.

Flooring Protocol lets users fractionalize NFTs into fungible tokens. That mechanic has drawn traders who want liquidity without selling the underlying NFT. A vulnerability that mints infinite tokens and drains the pool breaks the trust model for any NFTFi protocol.

In May 2024, an NFT trader lost three Bored Apes worth over $145,000 in a phishing attack linked to Pink Drainer. That event showed that BAYC holders remain a target for social engineering. This rescue operation shows they are also a target for protocol-level flaws.

Confirmation Checklist and What Happens Next

What Would Confirm the Risk Has Passed

• Full contract redeployment: A fix that pauses deposits alone would not close the ghost ownership vector. The contracts must be rewritten with separate ownership checks and balance arithmetic.
• Second audit with bit-level focus: The previous audits missed packed-logic flaws. A new audit must specifically examine gas-saving bit operations.
• Exchange fund freezes: Flooring Protocol's team is working with exchanges to trace extracted funds. If the exchange freezes stolen crypto, some assets may return.

What Would Make It Worse

• Second attacker exploits remaining pools: 0xFreeLunch warned the attack surface was larger than the first attacker knew. A second attacker hitting other pools could drain more assets.
• Delayed return of rescued NFTs: Yuga Labs holds the NFTs in custody, not in a vault or third-party multisig. If custody gets disputed or delayed, owners cannot trade or use their assets.
• Repeated gas-optimization errors: Flooring Protocol's architect said the vulnerability came from gas-saving code. Any new deployment that prioritizes gas savings over security replicates the same failure mode.

Risk to watch: The rescued NFTs are now in Yuga Labs custody. The company's reputation for responding to BAYC-related exploits is established, custody introduces its own execution risk if return of assets gets delayed or disputed.

Flooring Protocol's architect accepted responsibility for the design. That admission is rare in crypto exploits and suggests the team is focused on fixing the contracts rather than deflecting blame. The recovery timeline depends on how fast they can write, audit, and deploy new code without repeating the gas-optimization mistake that created the hole.

For traders holding NFTs in any protocol with bit-packed accounting or fractionalization logic, the lesson is to verify that the contract separates ownership checks from balance arithmetic. One function handling both means the ghost ownership vector is live.