Yuga Labs uses flaw from million-dollar hack to rescue high-value NFTs

A rescue operation executed by the technology and Web3 company Yuga Labs allowed the recovery of 68 non-fungible tokens (NFTs) valued at more than USD 500,000, after a vulnerability in the DeFi platform Flooring Protocol exposed assets belonging to some of the most recognized collections in the Ethereum ecosystem.

Among the recovered NFTs are 29 Bored Apes, two CryptoPunks, and four Mutant Apes. For now, these assets remain in Yuga’s temporary custody while solutions are developed to correct the problems detected in the affected protocol.

The incident took place on Flooring Protocol, a platform designed to provide liquidity to the NFT market. Its operation allows users to lock NFTs and receive fpTokens backed by those assets. Because they can be exchanged more easily, these tokens fractionalize the value of NFTs and generate liquidity in a market that is usually not very dynamic, owing to the scarcity of buyers and the high prices of some collections. Although this model seeks to facilitate operations in a traditionally illiquid market, it can also create risks when there are failures in the technical infrastructure.

According to the information released about the case, the attacker initiated the exploit using a small amount of wrapped ether (WETH). Due to a flaw in the protocol’s internal accounting, the attacker managed to generate a practically unlimited amount of fpTokens, which caused their value to plummet and emptied several liquidity reserves.

How was the attack carried out?

The vice president of Yuga Labs, known under the pseudonym 0xQuit, explained that the vulnerability originated from a manipulated token identifier that caused a sort of “ghost property.” In practice, external ownership verifications continued to function, while internal accounting recorded different information. That discrepancy proved critical for a system whose security depends on the exact correspondence between deposited NFTs and issued tokens.

The failure was aggravated by the appearance of two underflow errors, a situation in which an arithmetic operation goes below the minimum value the system allows and produces unexpected results, which ends up collapsing it. As a result, the attacker was able to artificially inflate its balance and manipulate the protocol’s internal economy to extract funds from its liquidity pools.
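To make the two failure classes described above concrete (a vault whose internal record drifts away from the external ownership view, and a subtraction that can underflow), here is a toy model written for this article; it is not Flooring Protocol's code, and the fpToken units, token ids and holder names it uses are constructed. The model keeps an explicit reconciliation check that a deployed protocol or an on-chain monitor would run: every token the vault records as locked must actually be owned by the vault, and the fpToken supply must equal the number of locked NFTs times the units minted per NFT. It also contrasts a checked subtraction, which reverts, with the wrapping behaviour of an unchecked one.

```python
"""Toy NFT-backed liquidity vault with an accounting invariant.

Constructed example for illustration, not Flooring Protocol's code.
"""
from dataclasses import dataclass, field

UNITS_PER_NFT = 1_000_000  # constructed: fpTokens minted per locked NFT
VAULT = "vault"            # constructed label for the vault contract's address


class AccountingError(Exception):
    """Raised where a real contract would revert."""


def checked_sub(a: int, b: int) -> int:
    """Subtract like a checked unsigned op: revert on underflow instead of wrapping."""
    if a < 0 or b < 0:
        raise ValueError("unsigned arithmetic only")
    if b > a:
        raise AccountingError(f"underflow: {a} - {b}")
    return a - b


def wrapping_sub(a: int, b: int, bits: int = 256) -> int:
    """What an unchecked uint256 subtraction does: the result wraps modulo 2**bits."""
    return (a - b) % (1 << bits)


@dataclass
class ToyVault:
    owner_of: dict                                  # external registry: token_id -> holder
    held: set = field(default_factory=set)          # internal record of locked token ids
    balances: dict = field(default_factory=dict)    # fpToken balances: holder -> amount
    supply: int = 0                                 # total fpTokens minted

    def deposit(self, user: str, token_id: int) -> None:
        if self.owner_of.get(token_id) != user:
            raise AccountingError("caller does not own token")
        self.owner_of[token_id] = VAULT             # external transfer into the vault
        self.held.add(token_id)                     # internal record of the lock
        self.balances[user] = self.balances.get(user, 0) + UNITS_PER_NFT
        self.supply += UNITS_PER_NFT

    def redeem(self, user: str, token_id: int) -> None:
        if token_id not in self.held:
            raise AccountingError("token not held by vault")
        # Burn with checked arithmetic: a holder with no fpTokens cannot redeem,
        # and the global supply cannot wrap around to a huge value.
        self.balances[user] = checked_sub(self.balances.get(user, 0), UNITS_PER_NFT)
        self.supply = checked_sub(self.supply, UNITS_PER_NFT)
        self.held.discard(token_id)
        self.owner_of[token_id] = user

    def reconcile(self) -> dict:
        """Compare the internal record against the external view and the token supply."""
        externally_held = {t for t, o in self.owner_of.items() if o == VAULT}
        return {
            "ghost": sorted(self.held - externally_held),    # recorded, but not actually owned
            "orphan": sorted(externally_held - self.held),   # owned, but not recorded
            "supply_ok": self.supply == len(self.held) * UNITS_PER_NFT,
        }

    def is_consistent(self) -> bool:
        r = self.reconcile()
        return not r["ghost"] and not r["orphan"] and r["supply_ok"]


def demo() -> dict:
    """Run the model on constructed data and report what the checks observe."""
    registry = {1: "alice", 2: "alice", 3: "bob"}   # constructed token ids and holders
    v = ToyVault(owner_of=registry)
    v.deposit("alice", 1)
    v.deposit("bob", 3)
    healthy = v.is_consistent()
    try:
        v.redeem("carol", 1)                        # carol holds no fpTokens: must revert
        underflow_rejected = False
    except AccountingError:
        underflow_rejected = True
    # Simulated drift for the monitor: the internal record claims token 2,
    # which alice still owns externally. This is a fault injection, not an exploit.
    v.held.add(2)
    drift = v.reconcile()
    return {
        "healthy": healthy,
        "underflow_rejected": underflow_rejected,
        "ghost": drift["ghost"],
        "supply_ok": drift["supply_ok"],
    }


if __name__ == "__main__":
    print(demo())
```

The `reconcile` step is the piece worth carrying into real systems: it is cheap to run off-chain against an indexer, and a non-empty `ghost` list or a false `supply_ok` is exactly the kind of discrepancy the article describes. On the arithmetic side, Solidity 0.8 and later reverts on underflow by default, so the wrapping behaviour in `wrapping_sub` only appears inside `unchecked` blocks, which gas-optimized code tends to use and which therefore deserve extra attention in review.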

After analyzing the incident, researchers identified a second attack path that put much higher-value NFTs at risk, including assets from top-tier collections. These were not affected in the first phase of the exploit because they sat in reserves with less activity, which initially went unnoticed by the attacker.

The severity of the finding led Yuga Labs to intervene quickly. According to CEO Michael Figge, resources were mobilized through the GrailsOTC platform to finance a defensive operation. The team deployed a contract that exploited the same vulnerability used by the attacker, but with the aim of safekeeping the assets before they were stolen. This type of intervention is known in the industry as a “white hat” operation.

The context also favored exploitation. The attack occurred over the weekend, when oversight of on-chain activity is typically lower, as the company indicated. In addition, Flooring Protocol had been in a phase of progressive deactivation since the previous year, and its NFT division operated with limited management, a situation that increased exposure to a sophisticated attack.

The vulnerability went unnoticed

Yuga Labs assured that NFTs will be returned to their owners once a secure technical solution exists. The company highlighted this point to differentiate the operation from a unilateral appropriation of funds, a particularly sensitive issue within the ecosystem.

For his part, the original architect of Flooring Protocol, known under the pseudonym 0xFreeLunch, took responsibility for the incident. As he explained, the vulnerability could have gone unnoticed during audits because the code was highly optimized to reduce gas costs, a common practice on Ethereum that can make security review difficult.

The developer also revealed that he was a liquidity provider within the platform and that he lost his own assets during the attack. Furthermore, he raised the possibility that the person responsible may have used advanced artificial intelligence tools to identify or exploit the vulnerability, although so far there is no evidence to confirm this hypothesis.

The identity of the attacker remains unknown, and some of the stolen NFTs remain outside the control of those affected. This means that although Yuga’s intervention managed to limit a significant portion of the losses, the case remains open.

The incident once again highlights the risks faced by NFT liquidity protocols and demonstrates that even the most prestigious collections can be affected by hidden errors in the infrastructure that supports them.
