68 NFTs rescued as Yuga Labs moves on Flooring exploit
Last updated: June 9, 2026
A quiet Sunday in the NFT market turned into a rescue mission when high-value digital collectibles sitting inside Flooring Protocol were suddenly exposed. Yuga Labs-affiliated white hats moved fast, pulling 68 NFTs into custody after a vulnerability put assets from collections including Bored Ape Yacht Club and CryptoPunks at risk. The rescued tokens were valued at more than $500,000, with one source putting the figure at about $570,000. Yuga Labs says the assets will be returned to their rightful owners once a recovery process and technical fix are finalised.

How Events Unfolded
The incident centred on Flooring Protocol, a liquidity project that allowed users to deposit NFTs into pools and receive fungible tokens that could be traded or later redeemed for the underlying asset. That model is designed to make expensive, hard-to-sell NFTs more liquid, but it also puts heavy trust in the protocol’s accounting logic.
According to the available reports, the exploit began with a flaw in how the protocol tracked ownership after NFTs were locked and represented by tokens. An attacker was able to use a very small amount of wrapped Ether, or WETH, to generate a near-infinite token balance. That inflated balance could then be used to drain liquidity pools and exchange tokens for NFTs held inside the contract.
The risk was not limited to one pool. The flaw was described as affecting FloorProtocol V2 and BitmapPunks because both used a similar structure in which fungible tokens were pegged one-to-one with NFTs locked in a contract. Once researchers identified another related path that could expose higher-value pools, Yuga Labs-linked white hats acted before another attacker could move first.
The rescued assets included 29 Bored Ape Yacht Club NFTs, 4 Mutant Ape Yacht Club NFTs, 1 Bored Ape Kennel Club NFT, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird and 2 Doodles. The company said the recovery used GrailsOTC, its over-the-counter desk, to supply the funds and NFTs needed to execute the operation quickly. Readers can review the source reporting on the Flooring Protocol exploit and Yuga’s emergency recovery.
Critical Details
The central issue was an accounting failure inside smart contracts that converted locked NFTs into fungible token claims. Reports describe a sequence where a generated token ID made the contract treat ownership as valid, created mismatched bookkeeping, and produced what researchers called ghost ownership.
That matters because these systems do not only depend on market demand. They also depend on exact redemption rules, pool liquidity and ownership records. If the accounting breaks, someone can appear to hold claims they should not have, then use those claims to pull value from the protocol.

FreeLunchCapital, described as the architect behind the FloorProtocol V2 and BitmapPunks contracts and a former Flooring Protocol chief executive, said the flaw was in bit-level code optimised to reduce gas fees and had passed through multiple rounds of security reviews. That detail is the uncomfortable lesson for NFT holders: lower transaction costs can come with technical complexity, and complexity creates more places for mistakes to hide.
The timing also matters. Flooring Protocol had already been winding down parts of its NFT operations after announcing in September 2025 that Web3 consumer services would enter sunset mode and advising holders to redeem NFTs and exit fractional positions before October 15, 2025. Reports said liquidity challenges and organisational changes left parts of the NFT division unmanaged, while assets kept on the platform to support exits became a key target.
Reactions & Responses
Yuga Labs CEO Michael Figge confirmed the white-hat operation through X, while Yuga’s vice president of blockchain, known as 0xQuit, described the technical reasoning behind the rescue. The company is now holding the recovered NFTs while it works with Flooring Protocol developers on a return process.
After digging deeper, we found another related exploit path that could be used against additional vulnerable Flooring pools.
0xQuit said the goal was to move exposed NFTs out of vulnerable pools before another malicious actor could use the same path. That distinction is central: the rescue contract reportedly used the same flaws defensively, but the assets were moved into custody rather than sold off.
The goal was to remove exposed NFTs from vulnerable Flooring pools before another malicious actor could exploit the same paths and extract them first.
Reports also credited CoffeeDev with spotting the risk that could spread to other Flooring collections, while GrailsOTC handled the operational side. FreeLunchCapital said work was underway to regain control from the parent group of the management team, while security teams and exchanges were being contacted to trace extracted funds and assets.
Putting It in Perspective
For Australian NFT collectors, the story is not just about Bored Apes or CryptoPunks. It is a reminder that custody and protocol design matter even when a token sits inside a well-known collection. If an NFT is deposited into a third-party liquidity system, the owner takes on the platform’s technical risk as well as the usual price risk.

The market backdrop makes that risk sharper. One report said NFT market capitalisation climbed to about $2 billion in late April and early May before retreating to roughly $1.4 billion. Another said Bored Apes once routinely traded above $300,000 in early 2022, while the top Ethereum NFT sales volume day in 2026 stood at $32.3 million, far below the more than $100 million daily levels once seen.
Even in a cooler market, major collections still carry serious value. Reports listed CryptoPunks at a floor price of about 32.7 ETH, or $54,612, and Bored Ape Yacht Club around 9.16 ETH, with other reporting putting Bored Apes above $15,000 and CryptoPunks around $55,000. That explains why a fast recovery mattered: a small smart contract flaw could have turned into a much bigger market hit if attackers had redeemed and sold the exposed NFTs.
Looking Ahead
The incident is not fully closed. Several NFTs reportedly remain in the hands of exploiters, while the 68 rescued NFTs are being held for return to their rightful owners. Yuga Labs has said it will work with Flooring Protocol developers, and reports said the fix may require contract relaunches, token reassurances or other measures to avoid creating new risks during the return process.
The most direct warning from the reporting is simple: users were told not to deposit more NFTs into Flooring Protocol because newly deposited assets could become vulnerable immediately. For anyone in Australia holding NFTs through fractionalisation or liquidity platforms, the practical takeaway is to check where the asset is custodied, how redemption works, and whether the protocol has announced a verified recovery path.
FAQ
What happened to Flooring Protocol?
Flooring Protocol was hit by an exploit involving its NFT-backed token accounting. The flaw allowed attackers to inflate token balances and drain value from vulnerable pools.
How many NFTs did Yuga Labs rescue?
Yuga Labs-linked white hats rescued 68 NFTs, including 29 Bored Apes, four Mutant Apes, two CryptoPunks and other Ethereum-based assets.
How much were the rescued NFTs worth?
The rescued NFTs were valued at more than $500,000, with one report placing the total at about $570,000.
Will owners get their NFTs back?
Yuga Labs says the recovered NFTs are in its custody and will be returned once a recovery process and technical solution are finalised.
Why does this matter for NFT holders in Australia?
It shows that depositing NFTs into liquidity or fractionalisation protocols adds smart contract and custody risk, even when the underlying NFT comes from a major collection.
Resources
Sources and references cited in this article.

