A Flooring Protocol exploit let an attacker turn a small amount of wrapped ETH into a near-infinite token balance and drain NFT pools.
A bug in Flooring Protocol, an NFT liquidity platform where users lock NFTs and trade tokens tied to those assets, let attackers drain pool assets before Yuga Labs, the company behind Bored Ape Yacht Club, stepped in to rescue dozens of still-exposed NFTs.
Michael Figge, chief executive officer of Yuga Labs, said in an X post on Monday that the company had completed a “whitehat operation” after an exploit was found in Flooring Protocol.
The recovered assets, including nearly 30 Bored Ape Yacht Club NFTs, four Mutant Ape Yacht Club NFTs, one Bored Ape Kennel Club NFT, two CryptoPunks, and others, are now in Yuga Labs custody, according to Figge.
That brings the rescue to 68 NFTs. Based on June 7 floor-price estimates, the assets were worth about 346 ETH, or at least $570,000, per data from price aggregators.
How the Exploit Worked
Yuga Labs’ vice president of blockchain, known as “Quit,” said the Flooring Protocol exploit turned a small amount of wrapped ETH into a near-infinite fpToken balance, allowing the attacker to drain Flooring pools.
Flooring Protocol lets users deposit NFTs and receive fungible claim tokens tied to the locked assets. In this case, the attacker was able to create more claim tokens than they should have had, then use those tokens to pull NFTs from the pools.
Quit said the first attacker was followed by an opportunistic trader, who bought cheap tokens from the already-drained pools and exchanged them for underlying NFTs, which were then sold.
After reviewing the bug more closely, CoffeeDev, a whitehat security researcher, found another related exploit path that could have put more Flooring collections at risk, including Bored Ape Yacht Club and CryptoPunks.
Quit said the first exploit didn’t hit those collections only because their Uniswap pools didn’t have enough liquidity.
Other NFTs Got Hit Too
FreeLunchCapital, the architect of the affected contracts, said the exploit hit FloorProtocol V2 and BitmapPunks, an NFT project using a similar contract design. Both systems used fungible tokens pegged one-to-one to NFTs locked in their contracts.
The same attack vector was used against BitmapPunks and drained liquidity pools supplied by the team, FreeLunchCapital added.
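The failure described above is a broken peg: more claim tokens outstanding than the locked NFTs can redeem. As an added example (not code from Flooring Protocol, BitmapPunks, Yuga Labs or the researchers quoted), the monitor below replays vault events and flags every block that ends with supply above its backing. The event names, fields, the `tokens_per_nft` parameter and the sample log are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import groupby

# Constructed event log for a hypothetical vault. Event names and fields are
# assumptions for this example, not the protocol's real contract interface.
SAMPLE_EVENTS = [
    {"block": 100, "type": "deposit", "nfts": 3},
    {"block": 100, "type": "mint", "tokens": 3},
    {"block": 105, "type": "burn", "tokens": 1},
    {"block": 105, "type": "withdraw", "nfts": 1},
    {"block": 110, "type": "mint", "tokens": 1000},  # mint with no deposit
    {"block": 111, "type": "burn", "tokens": 2},
    {"block": 111, "type": "withdraw", "nfts": 2},   # pool emptied
]

@dataclass(frozen=True)
class Violation:
    block: int
    supply: int   # claim tokens outstanding at end of block
    backed: int   # claim tokens the locked NFTs can actually redeem

    @property
    def excess(self) -> int:
        return self.supply - self.backed

def check_backing(events, tokens_per_nft=1):
    """Return every block that ends with supply above its NFT backing."""
    supply = locked = 0
    violations = []
    ordered = sorted(events, key=lambda e: e["block"])  # stable: keeps in-block order
    # Check at block boundaries: within a block, mint and deposit may come in either order.
    for block, group in groupby(ordered, key=lambda e: e["block"]):
        for ev in group:
            if ev["type"] == "deposit":
                locked += ev["nfts"]
            elif ev["type"] == "withdraw":
                locked -= ev["nfts"]
            elif ev["type"] == "mint":
                supply += ev["tokens"]
            elif ev["type"] == "burn":
                supply -= ev["tokens"]
            else:
                raise ValueError(f"unknown event type: {ev['type']!r}")
        backed = locked * tokens_per_nft
        if supply > backed:
            violations.append(Violation(block, supply, backed))
    return violations

if __name__ == "__main__":
    for v in check_backing(SAMPLE_EVENTS):
        print(f"block {v.block}: supply {v.supply} > backed {v.backed} (excess {v.excess})")
```

An alert on the first flagged block gives operators a chance to pause redemptions before unbacked tokens are exchanged for NFTs.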

The developer suspects the attacker used advanced AI tools to help carry out the exploit, though no direct evidence was provided.

