The Yuga Labs team recently announced that it conducted a white-hat operation to rescue 68 NFTs from being stolen over the weekend. Bad actors could have exploited a vulnerability in the Ethereum NFT liquidity platform, Flooring Protocol, to steal assets, but the team acted quickly and saved the collectibles.
According to a tweet from Yuga Labs CEO Michael Figge, the white-hat operation led to the recovery of 29 Bored Apes, 4 Mutant Apes, 1 Bored Ape Kennel Club, 2 CryptoPunks, and 1 Azuki. Additionally, the team rescued 2 Elementals, 1 Moonbird, 2 Doodles, and 26 Captains. All NFTs are currently in Yuga Labs’ custody, with plans to return them once Flooring implements a solution to the vulnerability.
Flooring addresses the illiquidity of NFTs by fractionalizing them into highly liquid, tradeable fungible micro-tokens called μ-Tokens or fpTokens. These one million fpTokens derived from an NFT are pegged to the floor price of the collection in question. Flooring Protocol also uses fpNFTs, which are Safebox Keys that enable users to get liquidity for their rare NFTs without giving up their premium value.
Disclosing how the vulnerability surfaced, Yuga Labs VP of Blockchain, pseudonymously known as 0xQuit, explained that an attacker had exploited Flooring earlier that day, stealing some collections. They had turned a dust amount of Wrapped Ether (WETH) into a near-infinite fpToken balance, allowing the draining of Flooring pools.
While draining the pools, the hacker compromised NFT ownership checks and created a ghost ownership state. This allowed a follow-up opportunist to collect tokens from the now-depleted pools and exchange them for underlying NFTs, which they sold. Upon deeper analysis, the Yuga Labs team found another exploitable path that put higher-value NFTs at risk. The attackers did not have access to them earlier because their pools lacked liquidity.
Acting quickly, Figge instructed the GrailsOTC team to coordinate the assets and funds needed to recover the at-risk assets. 0xQuit said the rescue contract used the same broad bug class but in a defensive capacity.
“I’m glad that we were able to rally a team to rescue what we could, amounting to more than $500k worth of NFTs on a Sunday,” the blockchain VP stated.
While working towards fixing the issue and returning the rescued NFTs to their rightful owners, the team has asked users to refrain from making any more deposits into the Flooring Protocol. Stay tuned for more updates!
Be the first to comment