Yuga Labs, the company behind Bored Ape Yacht Club and CryptoPunks, completed a covert whitehat operation on June 8 to rescue 68 blue-chip NFTs — worth more than $500,000 — from an active exploit targeting Flooring Protocol, deploying its own funds and acting before additional attackers could drain assets that included some of the most valuable tokens in NFT history.
The operation was funded through GrailsOTC, Yuga Labs’ over-the-counter trading desk — which Figge said he “quietly instructed” to front the capital and NFTs needed to pull the at-risk assets out of the protocol before additional bad actors could act on the same vulnerability. The company plans to return all 68 NFTs to their original owners once a technical fix has been deployed and verified.
How The Crypto Exploit WorkedThe deeper vulnerability, per 0xQuit’s post, came from packed ownership and indexing logic — a technical design choice where a malicious token ID could make ownership verification checks pass while downstream accounting recorded a different result entirely, creating what he described as “ghost ownership.” An unchecked balance update then caused an arithmetic underflow, handing the attacker a balance far larger than legitimately entitled. Once that inflated balance was in place, token prices could be pushed near zero and liquidity extracted from the pool at will.
After reviewing the initial attack path, Yuga Labs’ team identified a second, broader vulnerability that exposed additional NFT pools not yet touched by the original attacker. That discovery triggered the emergency whitehat operation — the team moved to pull all at-risk assets before another actor could find and exploit the same second path independently.
Flooring Protocol had already been winding down its consumer-facing NFT services since September 2025 — the platform advised FPv2 token holders to redeem assets and exit fractional positions before October of that year. Yet its smart contracts remained live with user assets inside, creating exactly the kind of legacy exposure that attackers increasingly target in aging DeFi infrastructure.
0xQuit warned on X that some NFTs remain under attacker control and urged all users to avoid depositing additional NFTs into Flooring Protocol until a verified fix is deployed. CryptoPunks — two of which were among the rescued assets — currently carry a floor price of approximately 32.7 ETH, or roughly $54,612 per token, while BAYC NFTs sit around 9.16 ETH, per CoinGecko data.
This development marks a pivotal and unusual moment for the nascent sector’s approach to DeFi security. A blue-chip NFT company deploying its own balance sheet to rescue third-party assets from an active exploit — unprompted, at speed, and at cost — is a form of ecosystem responsibility the space rarely sees. The question the industry will now ask is how many other aging protocols still carry similar vulnerabilities in their legacy contracts, waiting for the attacker who finds the second path before anyone else does.
Cover image from Grok, ETHUSD chart from Tradingview
