Yuga Labs rescues 68 at-risk NFTs from Flooring Protocol exploit

Yuga Labs just played firefighter for the NFT world. The company behind Bored Ape Yacht Club executed a white-hat rescue operation, pulling 68 high-value NFTs out of Flooring Protocol after a critical smart contract vulnerability was discovered.

CEO Michael Figge confirmed the operation via X, calling it a strategic intervention to protect assets worth over $500K. The haul included 29 BAYC NFTs, 4 Mutant Ape Yacht Club pieces, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, 2 Doodles, and 1 BAKC.

The bug that created ghost owners

The vulnerability centered on a critical flaw in how Flooring Protocol’s smart contracts tracked ownership. The bug allowed attackers to create inflated fpToken balances using minimal Wrapped Ether deposits, essentially conjuring ownership stakes out of thin air. The research community dubbed this “ghost ownership.”

The exploit mechanism meant that someone with a trivially small WETH deposit could trick the protocol into thinking they held significant claims on NFTs locked in its liquidity pools, potentially draining entire pools of blue-chip assets.