Yuga Labs-linked white hats rescued 68 NFTs price over $500,000 from an exploit on Flooring Protocol on June 8, 2026, after a flaw within the protocol’s accounting mechanism allowed an attacker to inflate fpToken balances, drain liquidity swimming pools, and alternate tokens for NFTs locked within the contract.
The flaw was not restricted to a single remoted pool. It resided throughout the contract mannequin that converts locked NFTs into fungible tokens, leaving each FloorProtocol V2 and BitmapPunks affected.
What Occurred
The exploit focused the mechanism that permits NFTs locked inside Flooring Protocol to be represented by fungible tokens. In keeping with 0xQuit, VP of Blockchain at Yuga Labs, the attacker used a really small quantity of WETH to generate a near-infinite fpToken steadiness, thereby draining liquidity from Flooring swimming pools.
After a number of swimming pools had been drained, one other handle continued to make the most of the token value being pushed down to close zero to purchase low cost tokens, redeem them for the underlying NFTs, and promote them. The evaluation workforce later found a further associated exploitation path that would have an effect on different swimming pools, together with these containing higher-value NFTs.
FreeLunchCapital, the architect behind the FloorProtocol V2 and BitmapPunks contracts, acknowledged that BitmapPunks was additionally affected as a result of it used the same contract construction. Each used a mannequin the place fungible tokens are pegged 1:1 with NFTs locked within the contract, permitting customers to transform backwards and forwards between tokens and NFTs.
A Flooring exploit immediately turned a mud quantity of WETH right into a near-infinite fpToken steadiness, permitting the attacker to empty Flooring swimming pools.
This led to a followup opportunist scooping up tokens from the now depleted swimming pools and exchanging them for underlying NFTs.
1/🧵
— Stop (@0xQuit) June 8, 2026
In keeping with 0xQuit, the high-value swimming pools had not been attacked primarily resulting from a scarcity of liquidity on Uniswap. As soon as the white hat workforce recognized that the exploitation methodology could possibly be utilized to different susceptible swimming pools, they determined to execute the rescue instantly to mitigate the danger of one other attacker front-running them.
White Hat Response
Michael Figge, CEO of Yuga Labs, acknowledged that the workforce accomplished a white-hat operation on Flooring Protocol. The belongings secured into custody embrace 29 Bored Apes, 4 Mutant Apes, 1 Bored Ape Kennel Membership, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, and a couple of Doodles, bringing the entire variety of rescued NFTs to 68.
On this marketing campaign, 0xQuit straight recovered these NFTs. Coffeedev found the danger that would unfold to different Flooring collections corresponding to BAYC and CryptoPunks, whereas GrailsOTC supplied the upfront funds and NFTs required for the rescue.
0xQuit acknowledged that the rescue contract utilized the identical set of flaws defensively to maneuver the at-risk NFTs out of Flooring swimming pools earlier than different attackers may exploit them. The rescued NFTs are valued at over $500,000 and are presently being held to work with related events to return them to their rightful house owners.
How The Exploit Labored
In keeping with 0xQuit, the exploit stemmed from how Flooring Protocol data NFT possession after the NFTs are locked and represented by fpTokens. The exploit mechanism occurred within the following sequence:
Creating an entry level: The attacker used a purposefully generated token ID to make the contract affirm possession as if it had been legitimate.Skewing the accounting: This token ID prompted the possession verify and inner bookkeeping to file mismatched information, making a state of “ghost possession.”Inflating the steadiness: Because the attacker continued to switch or unwrap/burn tokens, subtractions that weren’t correctly checked underflowed, wrapping the fpToken steadiness right into a near-infinite quantity.Draining worth from swimming pools: With the inflated steadiness, the attacker may drive the pool value down to close zero, drain liquidity, and alternate tokens for the underlying NFTs.
FreeLunchCapital additionally acknowledged that the flaw was positioned throughout the bit-level code optimized to scale back fuel charges, which had slipped by way of a number of rounds of safety critiques.
What Stays Unresolved
The incident continues to be not thought-about absolutely resolved. A number of NFTs stay within the arms of the exploiters, whereas the 68 rescued NFTs are presently in custody in preparation for return to their rightful house owners. 0xQuit additionally warned customers to not deposit extra NFTs into Flooring Protocol, as newly deposited belongings may turn into susceptible instantly.
Yuga Labs acknowledged it’s going to coordinate with protocol builders, with the potential want for contract relaunches, token reassurances, or different measures to make sure the return course of doesn’t create extra dangers. On the operational aspect, FreeLunchCapital mentioned they’re working to regain management from the mum or dad group of the administration workforce, whereas coordinating with safety groups and exchanges to hint extracted funds and belongings.
Broader Context
The Flooring Protocol incident additionally highlights the dangers of techniques that convert NFTs into fungible liquidity. When NFTs are locked in a contract and represented by tokens, customers will not be solely uncovered to market dangers but in addition rely upon the protocol’s accounting logic, possession, redemption processes, and liquidity design.
This threat is especially notable as a result of the rescue checklist contains main collections like BAYC and CryptoPunks. If these belongings had been to be redeemed and offered by attackers, the affect may prolong past Flooring Protocol, particularly for fractionalization tasks using comparable contract buildings.
