We miss the old NFT days. Back when a Bored Ape on your timeline actually meant something, and a mint felt like a proper Friday night event. These days we mostly watch from the sidelines — but the radar stays on, for the good news and the bad. Flooring Protocol happens to be one of those platforms we used ourselves a while back. And yesterday, it got hit.
The Flooring Protocol exploit drained liquidity pools, turned a few cents of WETH into a near-infinite token balance, and put a stack of blue-chip NFTs in the line of fire. What stopped it from becoming a clean six-figure heist? A fast white-hat operation led by Yuga Labs.
Let’s break down what happened, why it matters for anyone holding assets in older protocols, and the one uncomfortable trend we think this confirms.
What Actually Happened
On June 8, Yuga Labs pulled 68 NFTs out of harm’s way before attackers could finish draining them. Combined value? Over $500,000.
The recovered haul reads like a museum wing of NFT history: 29 Bored Apes, 4 Mutant Apes, 1 BAKC, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, and 2 Doodles. Those 29 Bored Apes alone were worth roughly $441,000, making them the heaviest single line in the rescue.
Yuga CEO Michael Figge confirmed the operation wrapped successfully. All 68 assets now sit in Yuga’s custody, waiting to go back to their rightful owners once Flooring ships a proper fix.
Quick Beginner Explainer: What Is Flooring Protocol?
If you never touched it, here’s the simple version.
Flooring Protocol is an NFT liquidity platform. You lock an NFT into the protocol, and in return you get fungible “fpTokens” pegged one-to-one against that deposit. Think of it as turning an illiquid JPEG into a tradable token you can move, sell, or swap without finding a direct buyer for the actual art.
That mechanism is genuinely useful. It’s also exactly where things went sideways.
How the Flooring Protocol Exploit Worked
I’ll keep this jargon-light, because the bug itself is sneaky but the idea is simple.
According to Yuga’s VP of Blockchain — known on-chain as 0xQuit — the attacker exploited flawed “packed” accounting logic inside the smart contract. A maliciously crafted token ID created what he called a “ghost ownership” state. Picture a token that passes the ownership check under one reading, while the protocol’s internal bookkeeping quietly disagrees about who owns what.
From that mismatch, two unchecked underflows kicked in. An underflow is basically a counter rolling backwards past zero and wrapping around to an enormous number — like a car odometer flipping from 000000 to 999999. Suddenly the attacker’s fpToken balance was astronomical, all from a dust-sized amount of WETH to start.
What came next was mechanical. Prices on the fpTokens got dumped toward zero, the liquidity pools were drained, and the underlying NFTs got redeemed out the back door. Flooring V2 and BitmapPunks both took damage in the process.
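The odometer-style wrap described above, as an added example that is not code from Flooring, Yuga Labs or the original article: a constructed Python model of one 256-bit storage word that packs two counters, with the unchecked subtraction next to a bounds-checked one. The 64-bit count field, the function names and the supply cap are assumptions made for illustration; the article does not give the contract's real layout.

```python
# Added illustration: a constructed toy model, NOT Flooring Protocol's code or layout.
WORD_BITS = 256
COUNT_BITS = 64                      # assumed width of the low "locked NFT count" field
WORD_MASK = (1 << WORD_BITS) - 1
COUNT_MASK = (1 << COUNT_BITS) - 1


def pack(balance: int, count: int) -> int:
    """Pack a token balance (high 192 bits) and a count (low 64 bits) into one word."""
    return ((balance << COUNT_BITS) | (count & COUNT_MASK)) & WORD_MASK


def unpack(word: int) -> tuple[int, int]:
    """Return (balance, count) from a packed word."""
    return word >> COUNT_BITS, word & COUNT_MASK


def release_unchecked(word: int, n: int) -> int:
    """Gas-saving style: subtract from the raw word with wrapping uint256 arithmetic."""
    return (word - n) & WORD_MASK


def release_checked(word: int, n: int) -> int:
    """Hardened form: decode the field, bounds-check it, then re-pack."""
    balance, count = unpack(word)
    if n > count:
        raise ValueError("release exceeds locked count")
    return pack(balance, count - n)


def looks_wrapped(word: int, max_supply: int) -> bool:
    """Invariant a monitor can assert: no field may exceed the global supply cap."""
    balance, count = unpack(word)
    return balance > max_supply or count > max_supply


if __name__ == "__main__":
    empty = pack(0, 0)
    print(unpack(release_unchecked(empty, 1)))       # both fields wrap to their maximum
    print(unpack(release_unchecked(pack(5, 0), 1)))  # borrow silently eats the neighbour field
    print(looks_wrapped(release_unchecked(empty, 1), max_supply=10_000))
```

In the second case the count wraps while the neighbouring balance quietly drops from 5 to 4, which is the kind of cross-field side effect a variable-by-variable review of bit-packed code can miss.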
Why Yuga Labs Stepped In
Here’s the part that turned a bad day into a near-disaster.
Researchers traced a second attack path that exposed higher-value pools — the blue-chip stuff. Those collections had survived the first wave for one boring reason: their pools held very little liquidity. Leave it long enough, though, and someone would have come back to finish the job.
The floors made the stakes obvious. Bored Apes were sitting near 8.95 ETH (~$15,121) and CryptoPunks above 32 ETH (~$55,248) on the day, per CoinGecko. Multiply that across dozens of assets and you understand why alarm bells went off across crypto security circles within hours.
Figge said he told Yuga’s OTC desk, GrailsOTC, to front the capital and NFTs needed to yank at-risk assets out of the vulnerable pools. The team then deployed a defensive contract that weaponized the same bug class — using the exploit’s own logic to rescue the assets before the bad actors could. Security researcher Coffee chipped in throughout the operation too.
One detail that stings: Flooring entered “sunset mode” last year, and its NFT side was left largely unmanaged. The protocol’s original architect — posting as 0xFreeLunch — had stayed on as a liquidity provider and lost his own assets in the attack. He took public responsibility and blamed gas-optimized, bit-level code that hid the flaw from multiple audits.
Worth noting: this isn’t Flooring’s first rodeo. An earlier breach reportedly cost the protocol around $1.5 million in NFTs.
The Part That’s Keeping Me Up: AI Is Now Hunting Exploits
This is where I want to connect some dots.
Last week we covered the ZEC / Zcash Orchard vulnerability, where the flaw was reportedly surfaced with the help of Opus 4.8. At the time, I had a hunch — and I’ll just say it plainly now. We’re entering a phase where attackers point advanced AI models at existing, audited protocols and let them grind through the code looking for edge cases no human reviewer caught.
Flooring fits that pattern uncomfortably well. The protocol’s own architect said he suspects the attacker used advanced AI tooling, purely because of how complex and precise the exploit chain was. A bug that slipped past several audits, hidden inside gas-saving bit-level optimizations, getting found and chained anyway? That’s not a coincidence I’m comfortable with.
We dug into this exact risk in our piece on AI-driven crypto exploits. The short version: “audited” no longer means “safe.” It means a contract survived the tools that existed when it was reviewed. AI moves the goalposts, and old code doesn’t get the memo.
Stuff Nobody Tells Beginners
A few honest things that get glossed over in the hype:
- “Audited” is a snapshot, not a guarantee. Flooring passed multiple reviews and still got drained. Auditors check against known patterns at a point in time — they’re not psychic, and they’re not running 2026’s AI tooling on 2023’s assumptions.
- Dormant protocols are the soft targets. A platform in “sunset mode” with an unmanaged codebase is exactly the kind of place no one is watching closely. Attackers love that.
- A white-hat rescue is the exception, not the safety net. Yuga had the resources, the talent, and the motivation (it owns BAYC and CryptoPunks). Your random forgotten farm does not have a Yuga riding in to save it.
- The case isn’t closed. The exploiters still hold other stolen NFTs, and the vulnerability hasn’t been patched yet. 0xQuit’s warning was blunt — do not deposit any new NFTs into Flooring while the hole is open.
My Take
I’m not dunking on Flooring here. The architect owning the mistake publicly, and the team coordinating a rescue instead of going quiet, is honestly more accountability than most projects show.
But the lesson is bigger than one protocol. The combination of dormant code plus AI-assisted attackers is a genuinely new threat profile. We’re going to see more of these — not fewer — over the next year. Flooring just happened to be early.
What You Should Do Right Now
No fear-mongering, just practical housekeeping. Safety first.
If you’ve got funds or NFTs parked in older protocols that haven’t shipped a meaningful upgrade in the last six months, take the safe route and pull them out. Stale code is the highest-risk code. A platform that’s quietly stopped maintaining itself is not a place you want assets sitting in 2026.
And don’t forget the step everyone skips: revoke old token approvals and contract permissions. Tools like Revoke.cash let you see every contract that still has access to your wallet. Half the danger isn’t where your assets sit today — it’s the forgotten approval you signed two years ago that’s still live. Clean those out.
Withdraw. Revoke. Sleep better.
Final Words
The Flooring Protocol exploit could have been a brutal, headline-grabbing NFT heist. Instead it became a case study in fast, coordinated white-hat work — and a loud warning shot about where attacks are heading.
Treat it as a nudge. Check your wallets, exit the protocols nobody’s maintaining anymore, and revoke the approvals you forgot about. The old NFT days were fun, but the new threats are smarter. Stay sharp.
Disclaimer: This article is for informational purposes only and is not financial advice. Crypto and NFTs are volatile and risky — always do your own research. AirdropAlert may earn a commission through referral links.
FAQ
What was the Flooring Protocol exploit?
A bug in Flooring’s smart contract let an attacker mint a near-infinite balance of fpTokens from a tiny amount of WETH. Faulty “packed” ownership logic created a ghost-ownership mismatch, which triggered underflows and drained the protocol’s NFT liquidity pools.
How many NFTs did Yuga Labs recover, and what were they worth?
Yuga rescued 68 NFTs valued at more than $500,000 — including 29 Bored Apes, 2 CryptoPunks, 4 Mutant Apes, plus Azuki, Doodles, a Moonbird, and others.
Who helped with the rescue?
Yuga’s OTC desk GrailsOTC fronted the capital and NFTs, blockchain lead 0xQuit engineered the defensive contract, and security researcher Coffee assisted throughout.
Is it safe to deposit into Flooring Protocol now?
No. The vulnerability hasn’t been patched, and 0xQuit explicitly warned holders not to deposit any new NFTs until an official fix is live.
Did the attacker really use AI?
It’s not confirmed, but Flooring’s own architect suspects advanced AI tooling was involved, given how complex the exploit chain was — which lines up with the AI-assisted exploit trend we’ve been flagging.