Yuga Labs NFT Rescue Shows Old DeFi Bugs Still Have Teeth
Yuga Labs, the company behind Bored Ape Yacht Club, carried out a whitehat rescue after an exploit hit the inactive Floor Protocol. On Sunday, Yuga Labs secured more than $500,000 in Ethereum NFTs that were sitting exposed through Floor Protocol, a project that no longer operates. Here is the part people keep underestimating: a dead protocol can still matter if its contracts are alive. I’ll be honest: crypto talks about abandoned code like it is archived paperwork. It is not. Sometimes it is a loaded trap with no maintainer watching it.

The exploit hit Floor Protocol, which let users deposit NFTs into “pools” for liquidity and receive fungible μTokens in return. Floor Protocol shut down last year. The contracts did not. That gap is where the problem lived. Yuga Labs spotted an exploit in the morning, then realized the same approach could threaten other collections, including Bored Apes. 0xQuit, Yuga Labs’ pseudonymous VP of Blockchain, wrote on X that the team found “another related exploit path that could be used against additional vulnerable Flooring pools.” The mission was blunt: “remove exposed NFTs from vulnerable Flooring pools before another malicious actor could exploit the same paths and extract them first.”
The incident shows the long tail of smart contract risk: abandoned projects can still put expensive assets in play. Most guides say the danger is in the shiny new protocol with a fresh token and an unaudited launch. That’s only half right. The quieter risk is the old thing everyone stopped talking about. Yuga’s rescue limited the damage, but the underlying picture is ugly: a protocol that had already shut down still threatened 29 Bored Apes and two CryptoPunks, worth about $570,000 combined. Why does this matter? Because this is not a theoretical DeFi classroom example. It is old code reaching back into wallets, collections, and markets that people probably assumed were done with it. For ETH holders and ERC-20 users, the concern is wider than NFTs. DeFi contracts interlock, approvals linger, and forgotten liquidity can make stale infrastructure useful again. One exploit on a smaller protocol can still rattle traders, especially in a year when ETH has recently traded between roughly $2,800 and $4,000.
The rescue also shows how much the NFT market still depends on a few large actors stepping in when something goes wrong. The NFT market is nowhere near its early 2022 frenzy, when Bored Apes often sold for more than $300,000. Still, these are not dust assets. Market data puts the Bored Ape floor above $15,000, while CryptoPunks trade from around $55,000. My take: people underrate how quickly thin NFT markets can buckle. If the rescued NFTs had been dumped, floor prices could have taken another hit. Maybe small. Maybe not. Thin markets move strangely. Counter to the usual decentralization pitch, Yuga stepping in was useful precisely because it is a large, coordinated actor. That is the uncomfortable part: if a company has to rescue assets from an abandoned protocol, the market is less decentralized in practice than it sounds in theory.
2/ After analyzing the bug more closely, we found a separate but related exploitable path that put more, higher value NFTs at risk. These were not a part of the earlier exploit simply because their Uniswap pools lacked liquidity.
– Quit (@0xQuit) June 8, 2026
Yuga Labs is holding the rescued assets while it works with Floor Protocol developers to return them to the owners. Michael Figge, Yuga Labs’ CEO, wrote on X, “Thanks to this move, we were able to save dozens of assets from impacting the market and Flooring protocol tokens from being compromised.” That matters more than it sounds. People can tolerate risk in crypto, apparently a lot of it, but they hate feeling stranded afterward. Is this just NFT drama? No. CryptoSlam data explains why the mood is brittle: Ethereum NFT sales topped $100 million a day in early 2022, while the best sales day in 2026 is $32.3 million. Still real money. Just a very different market.
What this means
The Yuga Labs NFT rescue shows that dormant DeFi projects can still create live risk, so investors need to check more than the projects they actively use today. Smart contract risk does not politely end when a project shuts down. It can sit there until old approvals, forgotten pools, or a sliver of liquidity make it attractive to an attacker. Yes, this contradicts the lazy version of “only use established protocols” advice. Bear with me. Established history does not help much if nobody is maintaining the thing anymore. Investors should review past DeFi interactions, not just current holdings. Revoke old approvals where it makes sense. Check whether assets are still tied to contracts from projects nobody maintains anymore. The whitehat rescue prevented a bigger mess, but it also showed how much security for high value NFTs can depend on a few people noticing a bug quickly and moving before someone worse does.
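One way to carry out the approval review described above, as an added example that is not from Yuga Labs or Floor Protocol: replay a wallet's decoded approval events in chain order and list the grants still live toward contracts you have marked as unmaintained. All addresses, the sample logs and the `UNMAINTAINED` set are constructed placeholders, and the logs are assumed to be already decoded.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (not real contracts).
ABANDONED_POOL = "0x" + "ab" * 20   # stands in for a shut-down project's contract
ACTIVE_MARKET = "0x" + "cd" * 20
NFT_COLLECTION = "0x" + "11" * 20
ERC20_TOKEN = "0x" + "22" * 20
WALLET = "0x" + "ee" * 20

UNMAINTAINED = {ABANDONED_POOL}  # assumption: a list you curate yourself

@dataclass(frozen=True)
class ApprovalLog:
    block: int
    log_index: int
    token: str    # contract that emitted the event
    event: str    # "Approval" (ERC-20) or "ApprovalForAll" (ERC-721/1155)
    owner: str
    spender: str  # spender or operator
    value: int    # allowance for Approval; 1 or 0 for ApprovalForAll

def outstanding_approvals(logs, owner):
    """Replay in chain order; the last event per (token, event, spender) wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (l.block, l.log_index)):
        if log.owner.lower() != owner.lower():
            continue
        state[(log.token.lower(), log.event, log.spender.lower())] = log.value
    # A zero allowance or approved=false means the grant was revoked.
    return {key: value for key, value in state.items() if value != 0}

def revoke_candidates(logs, owner, unmaintained):
    """Live grants whose spender/operator is on the unmaintained list."""
    flagged = {addr.lower() for addr in unmaintained}
    live = outstanding_approvals(logs, owner)
    return sorted(key for key in live if key[2] in flagged)

# Constructed sample history for one wallet.
SAMPLE_LOGS = [
    ApprovalLog(100, 0, NFT_COLLECTION, "ApprovalForAll", WALLET, ABANDONED_POOL, 1),
    ApprovalLog(101, 2, ERC20_TOKEN, "Approval", WALLET, ABANDONED_POOL, 2**256 - 1),
    ApprovalLog(150, 1, ERC20_TOKEN, "Approval", WALLET, ABANDONED_POOL, 0),  # revoked
    ApprovalLog(160, 0, NFT_COLLECTION, "ApprovalForAll", WALLET, ACTIVE_MARKET, 1),
]

if __name__ == "__main__":
    for token, event, spender in revoke_candidates(SAMPLE_LOGS, WALLET, UNMAINTAINED):
        print(f"revoke {event} on {token} granted to {spender}")
```

Log replay is only a first pass for ERC-20, because `transferFrom` can reduce an allowance without emitting an `Approval` event; confirm against the token's `allowance()` or the collection's `isApprovedForAll()` before acting.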
Investors should expect more scrutiny of audits, bug bounties, and recovery plans after this. Yuga holding the NFTs while it works out the return is better than watching the assets disappear. But recovery is rarely clean. It can take time, and every step raises custody questions, proof-of-ownership disputes, and governance headaches. I would watch the return process closely, because future whitehat rescues may point back to this one as precedent. Traders should also watch for unusual movement in high value NFTs. Large token transfers too. Those are often the first visible signs that something is wrong. Floor prices and daily Ethereum NFT volume will show whether buyers treat this as a contained cleanup or another reason to stay cautious.
