Yuga Labs-linked white hats rescued 68 NFTs worth over $500,000 from an exploit on Flooring Protocol on June 8, 2026, after a flaw in the protocol’s accounting mechanism allowed an attacker to inflate fpToken balances, drain liquidity pools, and exchange tokens for NFTs locked in the contract.
The flaw was not limited to a single isolated pool. It resided within the contract model that converts locked NFTs into fungible tokens, leaving both FloorProtocol V2 and BitmapPunks affected.
What Happened
The exploit targeted the mechanism that allows NFTs locked within Flooring Protocol to be represented by fungible tokens. According to 0xQuit, VP of Blockchain at Yuga Labs, the attacker used a very small amount of WETH to generate a near-infinite fpToken balance, thereby draining liquidity from Flooring pools.
After several pools were drained, another address continued to take advantage of the token price being driven down to near zero to buy cheap tokens, redeem them for the underlying NFTs, and sell them. The analysis team later discovered an additional related exploitation path that could affect other pools, including those containing higher-value NFTs.
FreeLunchCapital, the architect behind the FloorProtocol V2 and BitmapPunks contracts, stated that BitmapPunks was also affected because it used a similar contract structure. Both used a model where fungible tokens are pegged 1:1 with NFTs locked in the contract, allowing users to convert back and forth between tokens and NFTs.
A Flooring exploit today turned a dust amount of WETH into a near-infinite fpToken balance, allowing the attacker to drain Flooring pools.
This led to a followup opportunist scooping up tokens from the now depleted pools and exchanging them for underlying NFTs.
1/🧵
— Quit (@0xQuit) June 8, 2026
According to 0xQuit, the high-value pools had not been attacked primarily due to a lack of liquidity on Uniswap. Once the white hat team identified that the exploitation method could be applied to other vulnerable pools, they decided to execute the rescue immediately to mitigate the risk of another attacker front-running them.
White Hat Response
Michael Figge, CEO of Yuga Labs, stated that the team completed a white-hat operation on Flooring Protocol. The assets secured into custody include 29 Bored Apes, 4 Mutant Apes, 1 Bored Ape Kennel Club, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, and 2 Doodles, bringing the total number of rescued NFTs to 68.
In this campaign, 0xQuit directly recovered these NFTs. Coffeedev discovered the risk that could spread to other Flooring collections such as BAYC and CryptoPunks, while GrailsOTC provided the upfront funds and NFTs required for the rescue.
0xQuit stated that the rescue contract utilized the same set of flaws defensively to move the at-risk NFTs out of Flooring pools before other attackers could exploit them. The rescued NFTs are valued at over $500,000 and are currently being held to work with relevant parties to return them to their rightful owners.
How The Exploit Worked
According to 0xQuit, the exploit stemmed from how Flooring Protocol records NFT ownership after the NFTs are locked and represented by fpTokens. The exploit mechanism occurred in the following sequence:
- Creating an entry point: The attacker used a purposefully generated token ID to make the contract confirm ownership as if it were valid.
- Skewing the accounting: This token ID caused the ownership check and internal bookkeeping to record mismatched data, creating a state of “ghost ownership.”
- Inflating the balance: As the attacker continued to transfer or unwrap/burn tokens, subtractions that were not properly checked underflowed, wrapping the fpToken balance into a near-infinite number.
- Draining value from pools: With the inflated balance, the attacker could drive the pool price down to near zero, drain liquidity, and exchange tokens for the underlying NFTs.
FreeLunchCapital also stated that the flaw was located within the bit-level code optimized to reduce gas fees, which had slipped through multiple rounds of security reviews.
What Remains Unresolved
The incident is still not considered fully resolved. Several NFTs remain in the hands of the exploiters, while the 68 rescued NFTs are currently in custody in preparation for return to their rightful owners. 0xQuit also warned users not to deposit more NFTs into Flooring Protocol, as newly deposited assets could become vulnerable immediately.
Yuga Labs stated it will coordinate with protocol developers, with the potential need for contract relaunches, token reassurances, or other measures to ensure the return process does not create additional risks. On the operational side, FreeLunchCapital said they are working to regain control from the parent group of the management team, while coordinating with security teams and exchanges to trace extracted funds and assets.
Broader Context
The Flooring Protocol incident also highlights the risks of systems that convert NFTs into fungible liquidity. When NFTs are locked in a contract and represented by tokens, users are not only exposed to market risks but also depend on the protocol’s accounting logic, ownership, redemption processes, and liquidity design.
This risk is particularly notable because the rescue list includes major collections like BAYC and CryptoPunks. If these assets were to be redeemed and sold by attackers, the impact could extend beyond Flooring Protocol, especially for fractionalization projects utilizing similar contract structures.
