Yuga Labs, the company behind Bored Ape Yacht Club, executed a white-hat rescue operation, pulling 68 high-value NFTs out of Flooring Protocol after a critical smart contract vulnerability was discovered.
CEO Michael Figge confirmed the operation via X, calling it a strategic intervention to protect assets worth over $500,000. The haul included 29 BAYC NFTs, 4 Mutant Ape Yacht Club pieces, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, 2 Doodles, and 1 BAKC.
The vulnerability centered on a critical flaw in how Flooring Protocol's smart contracts tracked ownership. The bug allowed attackers to create inflated fpToken balances using minimal Wrapped Ether deposits. The research community dubbed this 'ghost ownership.'
The exploit mechanism meant that someone with a trivially small WETH deposit could trick the protocol into thinking they held significant claims on NFTs locked in its liquidity pools.
Credit for identifying the vulnerability goes to CoffeeDev, a researcher who spotted the flaw before it could be weaponized at scale.
The operation was led by 0xQuit, Yuga Labs' Vice President of Blockchain, who coordinated the technical side of pulling the NFTs out of the vulnerable protocol. Supporting the effort was GrailsOTC, Yuga's over-the-counter trading desk, which handled the funding and asset recovery logistics.
No user losses were reported among the NFTs that were successfully recovered. All 68 rescued assets are currently held in Yuga Labs' custody and will be returned to their rightful owners once Flooring Protocol resolves the underlying issue.
Flooring Protocol sits at the intersection of DeFi and NFTs. Fractionalization protocols promise to make illiquid NFTs more tradeable by splitting them into fungible tokens, but complexity is where bugs live.
Yuga Labs has indicated it intends to work with Flooring Protocol's developers to fix the identified vulnerabilities.