
Yuga Labs Secures 68 High-Value NFTs Following Exploit at Flooring Protocol

2 weeks ago

Yuga Labs Responds to Security Breach

In a prompt response to a recent security breach impacting Flooring Protocol, Yuga Labs successfully orchestrated a rescue mission to safeguard high-value non-fungible tokens (NFTs) at risk. CEO Michael Figge announced that the assets, which include 29 Bored Apes, 4 Mutant Apes, 1 BAKC, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, and 2 Doodles, have now been secured under the company’s protection.

The Incident Unfolds

The incident unfolded on June 8, when an exploit was detected in Flooring Protocol, leading to significant vulnerabilities for various NFT collections. Figge explained that some NFTs had already been compromised before an associated risk pathway was uncovered. He stated,

“We’ve just finished a whitehat operation on an exploit discovered in Flooring Protocol.”

Rescue Operation Details

The rescue operation was led by Yuga Labs’ blockchain expert, known as 0xQuit, alongside security researcher Coffee. Financial backing to facilitate the movement of at-risk assets was provided by GrailsOTC, ensuring these NFTs were withdrawn from precarious pools.

Understanding the Vulnerability

According to 0xQuit, the vulnerability allowed attackers to convert a minimal amount of Wrapped Ether (WETH) into an excessively inflated balance of fpTokens. This enabled them to deplete the Flooring Protocol pools and retrieve the underlying NFTs. The exploit stemmed from flaws in ownership and indexing logic, which created what 0xQuit referred to as “ghost ownership.” As a result, an unchecked balance update led to a subtraction underflow, significantly boosting the attacker’s balance and allowing them to manipulate token prices to near zero, facilitating liquidity extraction from the pool.
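The following is an added illustration, not Flooring Protocol's contract code: a toy Python ledger that models 256-bit unsigned balances to show how an unchecked debit larger than the balance held wraps into an enormous balance, next to the checked variant that reverts and a supply invariant a monitor could test. The `Ledger` class, the account names and the amounts are constructed for this example, and the "ghost ownership" path that reached the faulty debit is not modeled.

```python
# Added illustration: toy fungible-token ledger, not Flooring Protocol's contract.
UINT256_MOD = 2**256  # EVM words are 256-bit unsigned integers


class Ledger:
    def __init__(self, checked):
        self.checked = checked  # True models arithmetic that reverts on underflow
        self.balances = {}
        self.total_supply = 0

    def mint(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.total_supply += amount

    def debit(self, account, amount):
        """Subtract amount from account, e.g. when tokens are locked."""
        balance = self.balances.get(account, 0)
        if self.checked and amount > balance:
            raise ValueError("insufficient balance: debit reverted")
        # Unchecked path: the result wraps modulo 2**256 instead of failing.
        self.balances[account] = (balance - amount) % UINT256_MOD

    def invariant_violations(self):
        """Accounts holding more than total supply; impossible in a sound ledger."""
        return sorted(a for a, b in self.balances.items() if b > self.total_supply)


def run_scenario(checked):
    """Constructed scenario: 'holder' owns 1 unit and is debited 2 units."""
    ledger = Ledger(checked)
    ledger.mint("pool", 1_000_000)
    ledger.mint("holder", 1)
    try:
        ledger.debit("holder", 2)
        reverted = False
    except ValueError:
        reverted = True
    return reverted, ledger.balances["holder"], ledger.invariant_violations()


if __name__ == "__main__":
    for mode in (False, True):
        print("checked" if mode else "unchecked", run_scenario(mode))
```

In the unchecked run the debited account ends with a balance of 2**256 - 1 and is flagged by the invariant; in the checked run the debit is rejected and every balance stays within total supply.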

Widespread Repercussions

The repercussions of this exploit were widespread, impacting both FloorProtocol V2 and BitmapPunks, as these projects utilized similar contract structures where fungible tokens were directly linked to NFTs locked in their contracts. Flooring Protocol’s representative 0xFreeLunch stated that, “despite multiple rounds of security reviews,” a vulnerability was overlooked, resulting in illegitimate minting and redeeming of tokens.

Warnings and Future Concerns

Despite successfully rescuing NFTs valued at over $500,000, 0xQuit cautioned users against depositing any additional NFTs into Flooring Protocol, warning that doing so could expose their new assets to similar risks. Concerns over the exploit remain, as some NFTs are still believed to be in the hands of attackers.

Ongoing Security Issues

This incident is particularly concerning given Flooring Protocol’s ongoing issues with security; a prior exploit had already resulted in a loss of approximately $1.5 million. The architect behind Flooring Protocol took accountability for the contract’s design flaws, which originated from efforts to optimize performance at the coding level. The team expressed commitment to tracking the stolen assets while coordinating with security firms and exchanges.

Threats to Bored Ape Yacht Club NFTs

This event also underscores the persistent threat to Bored Ape Yacht Club (BAYC) NFTs. Just last May, a trader suffered a loss of three Bored Apes valued at over $145,000 in a separate phishing incident associated with a scam artist known as Pink Drainer.
