
Hackers strike Flooring Protocol fork Asterix as contagion spreads

By Hannah Collymore
  • An exploit drained roughly $40,000 from Asterix, a fork of Flooring Protocol, using the same vulnerability that cost Flooring over $900,000 a day earlier.
  • White hat researchers led by Yuga Labs recovered about $500,000 in NFTs from Flooring’s pools.
  • The back-to-back attacks highlight the risk of forked codebases inheriting unpatched security flaws during a year when crypto exploit losses have already topped $340 million.

The Flooring Protocol exploit from June 8 got a sequel earlier today when Asterix, a fork of the NFT liquidity platform, became the victim of an exploit that drained roughly $40,000 in assets. 

The exploit news sours the mood after white hat researchers reported having helped claw back more than $500,000 in blue-chip NFTs from the same Flooring contract vulnerability that appears to have been used to break into Asterix.

Flooring Protocol’s vulnerability spread to Asterix via forked code

Phalcon, a member of the BlockSec blockchain security firm, was one of the first to notice the similarities between the Asterix attack vector and the flaw that allowed attackers to drain Flooring Protocol pools on June 8.

Phalcon said the Flooring Protocol attack was essentially run back on Asterix because the latter was apparently forked from DN404/BT404, a token standard that blends fungible and non-fungible mechanics.

Initial reports on the Flooring incident had loss numbers at above $900,000 before white hat interventions helped recover around $500,000.

Asterix has already confirmed the breach in an X statement, acknowledging an exploit had struck the $ASTX token contract around 4 a.m. GMT+8. The team said it was investigating and would publish a full post-mortem once the analysis was complete.

How did the Flooring exploit happen?

Flooring Protocol, which shut down operations last year, allowed users to deposit NFTs into pools and receive fungible tokens pegged one-to-one to those locked assets.

The Flooring Protocol attack that has since started to spread exploited a flaw in the platform’s BT404-style accounting system that Yuga Labs VP of Blockchain 0xQuit called a “ghost ownership” phenomenon on X.

In simple terms, someone could use one malicious token ID to pass an ownership check and then reuse it to produce a different result in separate accounting logic, leaving the token balance math inconsistent.

In this case, the attacker created a near-infinite balance of fpTokens, the fungible tokens that anyone can use to claim NFTs locked in Flooring’s pools.
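
A defender-side view of the one-to-one peg described above, as an added example that is not from the article, Flooring Protocol or Yuga Labs: a Python replay that reconciles fungible supply against the NFTs a pool actually holds. The event tuple format, the `audit` function, the `PEG` value and the sample events are assumptions constructed for illustration; they do not reconstruct the real contracts or transactions.

```python
from itertools import groupby

PEG = 1  # assumption: one fungible unit per locked NFT, per the 1:1 peg

def audit(events):
    """Replay (tx, kind, token_id, amount) events in order and return
    (tx, reason) findings where fungible supply is not backed by NFTs."""
    locked, supply, findings = set(), 0, []
    for tx, group in groupby(events, key=lambda e: e[0]):
        for _, kind, token_id, amount in group:
            if kind == "nft_in":
                # A credit for an ID the pool already holds cannot be real.
                if token_id in locked:
                    findings.append((tx, f"token {token_id} credited while already locked"))
                locked.add(token_id)
            elif kind == "nft_out":
                if token_id not in locked:
                    findings.append((tx, f"token {token_id} released but never locked"))
                locked.discard(token_id)
            elif kind == "mint":
                supply += amount
            elif kind == "burn":
                supply -= amount
        # Check the peg at the transaction boundary, not mid-transaction,
        # so the order of transfer and mint inside one tx does not matter.
        backing = len(locked) * PEG
        if supply > backing:
            findings.append((tx, f"supply {supply} exceeds backing {backing}"))
    return findings

# Constructed sample: two honest deposits, one honest redemption, then a
# deposit credit for an ID that is already locked (no new backing arrives).
SAMPLE_EVENTS = [
    ("tx1", "nft_in", 101, 0), ("tx1", "mint", None, 1),
    ("tx2", "nft_in", 102, 0), ("tx2", "mint", None, 1),
    ("tx3", "burn", None, 1), ("tx3", "nft_out", 101, 0),
    ("tx4", "nft_in", 102, 0), ("tx4", "mint", None, 1),
]

if __name__ == "__main__":
    for tx, reason in audit(SAMPLE_EVENTS):
        print(tx, reason)
```
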

Yuga Labs steps up with white hat effort

Once the Flooring drain became public, Yuga Labs CEO Michael Figge said the company quickly launched a white hat rescue before another attacker could reach vulnerable NFTs.

The NFT rescue operation secured 68 NFTs worth an estimated 346 ETH (roughly $570,000 at the time), including 29 Bored Ape Yacht Club NFTs, four Mutant Apes, two CryptoPunks, one Azuki, two Elementals, 26 Captains, one Moonbird, and two Doodles.

Super Secret Rare (SSR), a project that detected its vulnerability after Asterix was hit, warned users not to interact with the pool while the situation remained unresolved.

FreeLunchCapital, the developer behind Flooring’s affected contracts, confirmed the exploit also hit BitmapPunks, which used a similar contract design. Both projects relied on fungible tokens pegged one-to-one to locked NFTs, making them vulnerable to the same attack path.

One exploit after another

The Flooring and Asterix incidents add to a miserable streak of security failures ripping through Web3. As Cryptopolitan observed in earlier reports, the astronomical dollar losses in April snowballed into a higher count of individual incidents in May, reaching 60 confirmed security incidents totaling $68.3 million in gross losses per CertiK. PeckShield attributed $340.7 million in losses to 14 bridge and cross-chain exploits as of June 1.

Forked protocols present their own kinds of headaches. When downstream projects copy code without auditing it, a single vulnerability in the base codebase can be replicated across multiple levels, as has now happened with Flooring and Asterix.

Yuga Labs said the rescued NFTs will be returned once Flooring Protocol developers complete a patch. 0xQuit warned users not to deposit new NFTs into Flooring while the vulnerability remains open. For Asterix holders, the $40,000 loss is smaller in scale, but the team has not yet disclosed whether any recovery is possible.


FAQs

What is Asterix and how is it connected to Flooring Protocol?

Asterix is a project that forked its code from Flooring Protocol and the DN404/BT404 token standard. That shared codebase meant the same vulnerability exploited in Flooring on June 8 could be used against Asterix the following day.

How much was lost and recovered in the Flooring Protocol exploit?

The total impact from the Flooring exploit exceeded $900,000, with white hat researchers recovering approximately $500,000 worth of NFTs, including 29 Bored Apes and two CryptoPunks.

What caused the vulnerability in Flooring Protocol?

According to Yuga Labs VP of Blockchain 0xQuit, a flaw in Flooring's BT404-style accounting system allowed a malicious token ID to pass one ownership check while returning a different result in later accounting, creating a "ghost ownership" state that gave the attacker a near-infinite balance of claim tokens.

Hannah Collymore

Hannah is a writer and editor with nearly a decade of blog writing and event reporting experience in the crypto space. At Cryptopolitan, Hannah contributes to the news page, reporting and analyzing the latest developments in DeFi, RWA, crypto regulation, AI and frontier tech industries. She graduated from Arcadia University with a degree in Business Administration.
