TLDR
- Yuga Labs moved quickly after researchers traced a Flooring Protocol exploit path threatening NFT pools.
- Recovered assets included Bored Apes, CryptoPunks, Doodles, Azuki, Moonbird, MAYC, BAKC, Elementals and Captains NFTs.
- GrailsOTC fronted funds and NFTs to remove exposed tokens before another attacker could act again.
- Packed ownership logic allowed ghost ownership states that broke internal accounting and enabled unsafe transfers.
- Yuga Labs plans coordination with protocol developers before returning recovered assets to verified rightful owners.
Yuga Labs completed a whitehat rescue operation after a Flooring Protocol exploit threat placed a group of high value NFTs at risk, according to information shared by company chief executive Michael Figge and Yuga Labs blockchain security lead 0xQuit.
The operation brought the exposed assets into Yuga Labs’ custody after researchers identified a related attack path that could have allowed additional Flooring Protocol pools to be drained. The rescued assets included 29 Bored Ape Yacht Club NFTs, four Mutant Ape Yacht Club NFTs, one Bored Ape Kennel Club NFT, two CryptoPunks, one Azuki, two Elementals, 26 Captains, one Moonbird and two Doodles.
Yuga Labs said its GrailsOTC trading desk supplied the funds and NFTs needed for the recovery effort, while the company plans to coordinate with Flooring Protocol developers before returning assets to rightful owners.
Whitehat Response Followed Earlier Flooring Protocol Exploit
The rescue followed an earlier Flooring Protocol exploit in which an attacker reportedly turned a small amount of wrapped ether into a near unlimited fpToken balance. That exploit allowed Flooring pools to be drained, while a later opportunist acquired discounted tokens from depleted pools and exchanged them for underlying NFTs that could then be sold.
According to 0xQuit, further review of the vulnerability showed that more valuable collections, including Bored Ape Yacht Club and CryptoPunks, remained exposed because their related Uniswap pools had limited liquidity during the earlier incident.
Yuga Labs completes whitehat rescue of high-value NFTs in Flooring Protocol exploit
Yuga Labs CEO Michael Figge said the team has completed a whitehat rescue operation for an exploit discovered in Flooring Protocol.
The rescued NFTs are now safely in Yuga Labs’ custody,… pic.twitter.com/ds7f3plmqE
— Wu Blockchain (@WuBlockchain) June 8, 2026
Once researchers identified that the same broad bug class could be used against those pools, Yuga Labs moved to remove the vulnerable NFTs before another actor could use the path.
Packed Accounting Bug Created Ghost Ownership Risk
The reported weakness involved Flooring Protocol’s packed ownership and indexing logic, which was tied to BT404-style accounting and token identifiers. In the described attack path, a maliciously crafted token ID could cause validation checks to read ownership as valid while later bookkeeping treated the same position differently, creating a state where protocol records no longer matched real ownership.
That mismatch created what 0xQuit described as ghost ownership, where ownership checks and list membership no longer agreed. Subsequent transfers could then behave unsafely, including unchecked balance reductions that wrapped rather than reverted.
The same type of unchecked subtraction also appeared in the unwrap and burn path, which allowed an attacker with no remaining fpToken balance to regain an effectively unbounded amount.
Recovered NFTs Await Protocol Coordination
Yuga Labs stated that the rescued NFTs are being held securely while the company works with Flooring Protocol developers on the process for returning them. Figge said possible next steps could involve contract relaunches, token reassurances within the protocol, or other measures agreed with the protocol team, although no final recovery structure was provided in the shared update.
The company also warned users not to deposit additional NFTs into Flooring Protocol while the vulnerability remains unresolved, because new deposits could become exposed to similar attack paths. 0xQuit said the rescued assets represented more than $500,000 in NFTs, while noting that exploiters still held some NFTs from the earlier activity and that the broader matter was not fully resolved.
Yuga Labs credited 0xQuit, CoffeeDev, GrailsOTC and other participants for identifying the threat and coordinating the whitehat response. The company presented the action as a defensive recovery designed to prevent more NFTs from being removed from vulnerable Flooring Protocol pools before developers could complete a fix.
