Asterix hit as Flooring Protocol vulnerability spreads across forks

The Flooring Protocol exploit from June 8 got a sequel earlier today when Asterix, a fork of the NFT liquidity platform, became the victim of an exploit that drained roughly $40,000 in assets.
The exploit news sours the mood after white hat researchers reported having helped claw back more than $500,000 in blue-chip NFTs from the same Flooring contracts vulnerability that appears to have been used to break into Asterix.
Flooring Protocol's vulnerability spread to Asterix via forked code
Phalcon, part of the BlockSec blockchain security firm, was one of the first to notice the similarities between the Asterix attack vector and the flaw that allowed attackers to drain Flooring Protocol pools on June 8.
Phalcon said the Flooring Protocol attack was essentially run back on Asterix because the latter was apparently forked from DN404/BT404, a token standard that blends fungible and non-fungible mechanics.
Initial reports on the Flooring incident had loss numbers at above $900,000 before white hat interventions helped recover around $500,000.
Asterix has already confirmed the breach in an X statement, acknowledging an exploit had struck the $ASTX token contract around 4 a.m. GMT+8. The team said it was investigating and would publish a full post-mortem once the analysis was complete.
How did the Flooring exploit happen?
Flooring Protocol, which shut down operations last year, allowed users to deposit NFTs into pools and receive fungible tokens pegged one-to-one to those locked assets.
The Flooring Protocol attack that has since started to spread exploited a flaw in the platform's BT404-style accounting system that Yuga Labs' VP of Blockchain called a "ghost ownership" phenomenon on X.
In simple terms, a single malicious token ID could pass one ownership check and then be reused in a separate accounting path that evaluated it differently, leaving the pool's token balances out of step with the NFTs it actually held.
In this case, the attacker created a near-infinite balance of fpTokens, the fungible tokens that anyone can use to claim NFTs locked in Flooring's pools.
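As an added illustration (not Flooring's, Asterix's or BT404's code, which this article does not reproduce), here is a simplified monitor for the invariant a 1:1-pegged pool must keep: fpToken supply equals the number of NFTs the pool really holds, and every token ID the pool's own records claim must actually be owned by the pool on the NFT ledger. The snapshots and the `check_peg` function are constructed for this example.

```python
"""Peg-invariant check for a pool that mints fungible tokens 1:1 against locked NFTs.

Hypothetical simplified model: the NFT ledger is the source of truth for ownership,
the pool keeps its own record of the token IDs it believes it holds, and fungible
balances are tracked per holder. A healthy pool satisfies
    sum(fp balances) == number of NFTs the ledger says the pool holds
and has no "ghost" IDs (recorded by the pool but not owned by it).
"""
from dataclasses import dataclass

POOL = "pool"  # address label used for the pool on the NFT ledger


@dataclass
class Snapshot:
    nft_owner: dict        # token_id -> owner, per the NFT ledger (source of truth)
    pool_record: set       # token_ids the pool's own accounting believes it holds
    fp_balances: dict      # holder -> fungible token balance (one token per NFT)


def check_peg(s: Snapshot) -> dict:
    """Cross-check the three records and report any divergence."""
    actually_locked = {tid for tid, owner in s.nft_owner.items() if owner == POOL}
    ghost_ids = sorted(s.pool_record - actually_locked)   # claimed but not really held
    unrecorded = sorted(actually_locked - s.pool_record)  # held but not accounted for
    supply = sum(s.fp_balances.values())
    excess = supply - len(actually_locked)                # > 0: more claims than NFTs
    return {
        "fp_supply": supply,
        "locked": len(actually_locked),
        "excess_supply": excess,
        "ghost_ids": ghost_ids,
        "unrecorded_ids": unrecorded,
        "healthy": excess == 0 and not ghost_ids and not unrecorded,
    }


# Constructed sample states: a consistent pool, and one whose fungible supply has
# been inflated against a token ID the pool never actually received.
HEALTHY = Snapshot(nft_owner={1: POOL, 2: POOL, 3: "alice"},
                   pool_record={1, 2},
                   fp_balances={"alice": 1, "bob": 1})
INFLATED = Snapshot(nft_owner={1: POOL, 2: POOL, 3: "alice"},
                    pool_record={1, 2, 99},
                    fp_balances={"alice": 1, "bob": 1, "mallory": 10**12})

if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY), ("inflated", INFLATED)):
        print(name, check_peg(snap))
```

Run against periodic on-chain snapshots, a non-zero `excess_supply` or a non-empty `ghost_ids` list is the signal to pause deposits before anyone redeems the phantom tokens.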
Yuga Labs steps up with white hat effort
Once the Flooring drain became public, Yuga Labs CEO Michael Figge said the company quickly launched a white hat rescue before another attacker could reach vulnerable NFTs.
The NFT rescue operation secured 68 NFTs worth an estimated 346 ETH (roughly $570,000 at the time), including 29 Bored Ape Yacht Club NFTs, four Mutant Apes, two CryptoPunks, one Azuki, two Elementals, 26 Captains, one Moonbird, and two Doodles.
Super Secret Rare (SSR), a project that detected its vulnerability after Asterix was hit, warned users not to interact with the pool while the situation remained unresolved.
FreeLunchCapital, the developer behind Flooring's affected contracts, confirmed the exploit also hit BitmapPunks, which used a similar contract design. Both projects relied on fungible tokens pegged one-to-one to locked NFTs, making them vulnerable to the same attack path.
One exploit after another
The Flooring and Asterix incidents add to a miserable streak of security failures ripping through Web3. As Cryptopolitan observed in earlier reports, the astronomical dollar losses in April snowballed into a higher count of individual incidents in May, reaching 60 confirmed security incidents totaling $68.3 million in gross losses per Certik. PeckShield attributed $340.7 million in losses to 14 bridge and cross-chain exploits as of June 1.
Forked protocols present their own kinds of headaches. When downstream projects copy code without auditing it, a single vulnerability in the base codebase is replicated in every fork, as has now happened with Flooring and Asterix.
Yuga Labs said the rescued NFTs will be returned once Flooring Protocol developers complete a patch. 0xQuit warned users not to deposit new NFTs into Flooring while the vulnerability remains open. For Asterix holders, the $40,000 loss is smaller in scale, but the team has not yet disclosed whether any recovery is possible.