On June 8, 2026, a smart contract exploit on Flooring Protocol allowed an attacker to convert a dust amount of WETH into a near-infinite fpToken balance, drain multiple NFT pools, and walk away with hundreds of thousands of dollars in blue-chip digital assets. Within hours, Yuga Labs VP of Blockchain, posting as 0xQuit, had led a white-hat counter-operation that recovered 29 Bored Apes, 4 Mutant Apes, 1 BAKC, 2 CryptoPunks, 1 Azuki, 2 Elementals, 26 Captains, 1 Moonbird, 2 Doodles, and other assets worth more than $500,000. The rescued assets are now in Yuga Labs’ custody pending return to affected holders.
The Flooring Protocol architect, posting as 0xFreeLunch, took public responsibility for the bug, describing it as gas-optimized code that hid two unchecked underflows from auditors. He also noted something that stands out in the current security environment: he suspects the attacker used advanced AI tooling to find the exploit, given its complexity. Two weeks after a white-hat researcher used Claude Opus 4.8 to discover a four-year-old Zcash counterfeiting vulnerability, the same class of AI-assisted security analysis appears to be showing up on the attacker’s side of NFT infrastructure exploits.
How the Exploit Worked
Flooring Protocol is a DeFi platform that allows NFT holders to deposit blue-chip NFTs into liquidity pools and receive fractional fpTokens in return. The protocol effectively turns illiquid NFTs into liquid positions. The vulnerability was a two-stage integer underflow in the smart contract logic.
First underflow: the attacker triggered a condition where a balance subtraction wrapped around from zero to the maximum possible integer value, giving them an essentially unlimited fpToken balance. Second underflow: a follow-on check that should have caught the anomalous balance also underflowed, passing validation. With an infinite fpToken balance, the attacker dumped tokens to crash their price toward zero, then redeemed the worthless tokens against the underlying NFT pools at favorable rates. The first wave drained lower-value pools. Researchers discovered a second attack path that exposed blue-chip pools containing Bored Apes and CryptoPunks, which had survived the first wave only because their pools held relatively little liquidity at the time.
0xFreeLunch’s admission that the bug hid from auditors through gas optimization is significant. Gas-optimized Solidity often uses assembly-level operations that bypass Solidity’s built-in overflow checks introduced in version 0.8. Auditors reviewing high-level Solidity may miss underflows buried in assembly blocks. This is a known attack surface that has been exploited multiple times across DeFi history. The fact that it persisted in production code at a protocol handling blue-chip NFTs in 2026 reflects the gap between what formal audits catch and what adversarial analysis finds.
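The article does not reproduce the vulnerable contract, so the following is an added, constructed illustration of the bug class it describes, not Flooring Protocol's code: an inline-assembly subtraction that wraps, a follow-on check that wraps with it, and the checked form beside it. The contract, function and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed illustration of the bug class; NOT Flooring Protocol's code.
/// Contract, function and variable names are hypothetical.
contract UnderflowDemo {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    /// "Before": gas-optimized debit. Yul `sub` is the raw EVM SUB opcode, so
    /// the compiler's 0.8 underflow guard is never emitted for either line.
    function debitOptimized(uint256 amount) external {
        uint256 bal = balanceOf[msg.sender];
        uint256 supply = totalSupply;
        uint256 newBal;
        uint256 newSupply;
        assembly {
            newBal := sub(bal, amount)       // underflow 1: 0 - 1 == 2**256 - 1
            newSupply := sub(supply, amount) // underflow 2: wraps the same way
        }
        // Intended sanity check. When amount exceeds both bal and supply,
        // both sides have wrapped and the comparison still passes.
        require(newBal <= newSupply, "balance exceeds supply");
        balanceOf[msg.sender] = newBal;
        totalSupply = newSupply;
    }

    /// "After": validate the inputs before subtracting, then use checked
    /// arithmetic so any missed case reverts with Panic(0x11).
    function debitChecked(uint256 amount) external {
        uint256 bal = balanceOf[msg.sender];
        require(bal >= amount, "insufficient balance");
        balanceOf[msg.sender] = bal - amount;
        totalSupply -= amount;
    }
}
```

For review purposes, the point is that a check computed from the outputs of unchecked arithmetic can be defeated by the same wrap, so arithmetic inside `assembly` or `unchecked` blocks needs an explicit bounds check on its inputs.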
NFTs Rescued by Yuga Labs White-Hat Operation
Now in Yuga Labs custody pending return to affected holders | June 8, 2026
Exploiters still hold other stolen NFTs. Case not fully closed. Do NOT deposit more NFTs into Flooring Protocol.
Source: 0xQuit Twitter thread, June 8, 2026, via BeInCrypto
The AI Security Arms Race: Same Week, Both Sides
The Flooring Protocol architect’s suspicion that the attacker used advanced AI tooling lands in a specific context. On May 29, Taylor Hornby used Claude Opus 4.8 as part of a targeted security audit and discovered a four-year-old counterfeiting vulnerability in Zcash’s Orchard pool that had escaped expert human review. That discovery was white-hat and responsible. The same tooling, applied by an adversarial actor to a DeFi smart contract, produces a different outcome. The exploit gets deployed, not disclosed.
This is the security dynamic that Shielded Labs was pointing to when it announced it was accelerating AI-assisted audit work after the Zcash disclosure. The North Korean Lazarus Group, which used social engineering to compromise Radiant Capital for $50 million in October 2024, has also been linked to using sophisticated tooling to identify targets and attack paths. The AI security arms race in crypto is not a future concern. It is the present reality. Flooring Protocol’s June 8 exploit is one more data point that protocols relying solely on traditional audits are operating with an asymmetric disadvantage against adversaries using the latest tools.
June 8 Exploit: Sequence of Events
From first attack to white-hat rescue
Attack: Underflow triggers infinite fpToken balance
WETH dust input. Two unchecked underflows. Balance wraps to maximum integer. Gas-optimized code hid the bug from auditors.
Wave 1: Lower-value pools drained
fpTokens dumped to zero. Underlying NFTs redeemed from depleted pools. Blue-chip pools survived due to low liquidity at time of attack.
Wave 2 discovered: Blue-chip pools exposed
Researchers identify second attack path targeting BAYC and CryptoPunk pools. Stakes escalate significantly.
White-hat: 0xQuit leads Yuga Labs rescue operation
Yuga Labs VP of Blockchain deploys counter-operation. 29 Bored Apes, 4 MAYCs, 2 CryptoPunks, and more rescued. Now in Yuga custody. Return to holders in progress.
Source: 0xQuit Twitter thread, BeInCrypto, 0xFreeLunch statement
What Flooring Protocol Does Next
0xQuit urged all users to stay clear of the platform and not deposit any more NFTs while the case remains open. The exploiters still hold stolen assets from the first wave that were not captured in the white-hat operation. Flooring Protocol now faces the same post-exploit choices that every DeFi protocol has faced: whether to relaunch with a corrected contract, how to structure compensation for affected holders, and whether the community trust damage is survivable. The precedent from other exploited NFT infrastructure is not encouraging. Most do not recover meaningful TVL after a major security incident.
NFT Floor Prices: What Was at Stake in the Flooring Protocol Exploit
June 8, 2026 · ETH ~$1,640 | Sources: CoinDesk, BeInCrypto, CryptoSlam
Overall NFT market context
CryptoSlam data: global NFT sales $238M in the 30 days to May 10, down 54.89% from the prior period. Active users and total transactions both fell roughly 50% from February. Flooring Protocol pools held a small fraction of total supply, but the white-hat rescue protected assets worth more than the daily trading volume of most mid-tier collections.
Sources: CoinDesk, BeInCrypto, CryptoSlam, 0xQuit June 8 thread
Frequently Asked Questions
Are my NFTs safe if I had them in Flooring Protocol?
If your NFTs were in pools that were drained, they may have been part of the white-hat rescue operation and are now in Yuga Labs’ custody. Follow official communications from Flooring Protocol and Yuga Labs for the return process. 0xQuit has explicitly warned users not to deposit any further NFTs into Flooring Protocol as the platform remains vulnerable. If your NFTs were not in affected pools, monitor official channels for the protocol’s next steps.
What is an integer underflow in a smart contract?
An integer underflow occurs when a number is decremented below zero in a context where the value wraps around to the maximum possible integer instead of throwing an error. In Solidity 0.8 and later, arithmetic underflows revert automatically. However, gas-optimized code sometimes uses assembly operations that bypass these protections. If a subtraction in assembly code produces a negative result, it wraps to an enormous positive number, which can then be exploited to create artificial balances or drain funds.
This article is for informational purposes only. Sources: BeInCrypto, 0xQuit Twitter thread June 8 2026, 0xFreeLunch statement. Published June 9, 2026.

