The decentralized NFT liquidity platform Flooring Protocol fell victim to a significant exploit on December 16, 2023, resulting in the theft of high-value NFTs worth approximately $1.6 million. The breach, which sent ripples through the NFT community, exposed critical vulnerabilities in how smart contract upgrades are managed and audited across the Web3 ecosystem.
The Exploit Mechanics
At the core of the attack was a flawed contract upgrade that inadvertently introduced a critical vulnerability in Flooring Protocol’s peripheral multicall functionality. The upgraded contract let callers route multicall batches to arbitrary external contracts, and the attacker used that path to bypass ownership verification checks. The exploit leveraged a simple transfer function — nftContract.transferFrom(nftHolder, me, tokenId) — which under normal circumstances would require explicit authorization from the NFT holder.
However, because the NFT holders had previously granted approval to the Flooring Protocol contract, the flawed upgrade allowed the attacker to execute unauthorized transfers through the multicall wrapper. The exploit was first identified by Foobar, the founder of NFT marketplace Delegate, who publicly documented the vulnerability mechanics on social media.
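To make the failure mode described above concrete, here is an added illustration written for this article; it is not Flooring Protocol's code, and the contract and struct names (VulnerableRouter, SafeRouter, Call) are hypothetical. It assumes the setting the article describes: NFT holders have already called setApprovalForAll on the router so it can pull tokens they deposit. The first router forwards caller-supplied calls to caller-supplied targets, which is the pattern that hands the router's standing approvals to anyone; the second restricts the batch to delegatecalls into its own functions and checks ownership against the original caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this article; not Flooring Protocol's code. The
// contract and struct names (VulnerableRouter, SafeRouter, Call) are
// hypothetical. Assumed setting: NFT holders have already called
// nft.setApprovalForAll(address(router), true) so the router can pull tokens
// they deposit, i.e. the standing approval the article describes.

interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

struct Call {
    address target;
    bytes data;
}

// Vulnerable pattern: the router forwards caller-supplied calldata to a
// caller-supplied target. Inside the target, msg.sender is the router, so any
// caller inherits every approval the router holds. A batch containing
// nft.transferFrom(victim, attacker, tokenId) therefore succeeds although the
// caller was never approved by the victim.
contract VulnerableRouter {
    function multicall(Call[] calldata calls) external returns (bytes[] memory results) {
        results = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) = calls[i].target.call(calls[i].data);
            require(ok, "call failed");
            results[i] = ret;
        }
    }
}

// Hardened pattern (the shape OpenZeppelin's Multicall uses): the batch can
// only delegatecall into this same contract, so each entry runs one of the
// router's own functions with the original msg.sender preserved. The router's
// approvals are never lent to an arbitrary external call.
contract SafeRouter {
    // nft address => tokenId => user who deposited it
    mapping(address => mapping(uint256 => address)) public depositor;

    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "call failed");
            results[i] = ret;
        }
    }

    // The only function that ever calls transferFrom into the router. The
    // explicit owner check ties the transfer to the caller, so the router's
    // approval can move a token only for the person who currently owns it.
    function deposit(IERC721 nft, uint256 tokenId) external {
        require(nft.ownerOf(tokenId) == msg.sender, "caller does not own token");
        nft.transferFrom(msg.sender, address(this), tokenId);
        depositor[address(nft)][tokenId] = msg.sender;
    }

    // Only the original depositor can take a token back out. State is cleared
    // before the external call (checks-effects-interactions).
    function withdraw(IERC721 nft, uint256 tokenId) external {
        require(depositor[address(nft)][tokenId] == msg.sender, "not depositor");
        delete depositor[address(nft)][tokenId];
        nft.transferFrom(address(this), msg.sender, tokenId);
    }
}
```

Two caveats on the hardened form. None of SafeRouter's batched functions is payable on purpose: delegatecall preserves msg.value, so a payable function batched twice would credit the same ether twice, a separate and well-known multicall bug. And the safe router only narrows what the router can do with its approval; the approval itself still stands on the NFT contract, which is why the revocation advice later in the article still applies, and why the review question for any upgrade of a contract that holds approvals is whether the new code lets a caller choose both the target and the calldata of a forwarded call.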
Affected Systems
The attacker made off with approximately 690 ETH worth of NFT assets, valued at roughly $1.54 million at the time of the exploit. The stolen collection included three dozen Pudgy Penguins NFTs and 15 Bored Ape Yacht Club (BAYC) NFTs — among the most sought-after digital assets in the space. With Bitcoin trading at approximately $41,365 and Ethereum at $2,196 on December 17, the stolen assets represented a substantial loss for affected users.
The attacker rapidly moved to liquidate the stolen NFTs on Blur, a prominent NFT marketplace, generating between $1.5 million and $1.6 million in proceeds. The speed of the liquidation highlighted the persistent challenge of tracking and recovering stolen digital assets in a decentralized trading environment.
The Mitigation Strategy
In the immediate aftermath, the Flooring Protocol team acknowledged the exploit and began working with security researchers and on-chain analysts to trace the stolen funds. The broader NFT community mobilized quickly, with several platforms flagging the stolen assets to prevent further trading. The incident also prompted renewed calls for comprehensive smart contract auditing before deploying protocol upgrades.
This exploit occurred just one day after another major NFT platform, NFT Trader, was hit by a separate reentrancy attack that resulted in approximately $3 million in losses. The back-to-back incidents underscored the heightened risk environment for NFT platforms during the final weeks of 2023, with total industry losses from security incidents reaching approximately $24.94 million in December alone.
Lessons Learned
The Flooring Protocol exploit offers several critical takeaways for the broader crypto and NFT community. First, contract upgrades represent one of the most dangerous moments in a protocol’s lifecycle — even minor changes to multicall functionality can create exploitable gaps. Second, approval management remains a persistent vulnerability vector, as users who grant broad token approvals to platforms may be exposed to risks from subsequent contract modifications. Third, the rapid liquidation of stolen assets on legitimate marketplaces demonstrates the need for improved real-time surveillance and flagging mechanisms across NFT trading platforms.
User Action Required
Users who have interacted with Flooring Protocol or similar NFT liquidity platforms should immediately review and revoke any outstanding token approvals. Tools like Revoke.cash and Etherscan’s token approval checker can help identify and remove potentially dangerous approvals. Additionally, users should exercise heightened caution when granting approval to newly upgraded contracts and consider using hardware wallets for storing high-value NFTs. As the industry closes out a turbulent 2023, proactive security measures remain the strongest defense against increasingly sophisticated exploits.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any investment decisions.

the multicall pattern is such a common footgun. seen it in like 3 audits this year alone, always the same story
multicall bugs keep showing up in audits and somehow teams still ship them without proper review. the pattern is well documented at this point
rekt_admin the multicall footgun is so well documented at this point that finding it in new code feels negligent
transferFrom with standing approvals is basically a loaded gun waiting for someone to pull the trigger. revoke your approvals people
standing approvals are a time bomb. i check my approvals on revoke.cash weekly now because of stuff like this
revoke_now_ weekly checks are smart. i set a calendar reminder after the floor protocol thing. saved me once already
revoke.cash should be bookmarked by every single NFT holder at this point. i had approvals on 40+ contracts from 2022 that i forgot about
revoke.cash should be mandatory reading before anyone touches an NFT contract. 40+ open approvals is scary common
Youssef B. standing approvals plus multicall is basically a honeypot architecture. the combo keeps exploiting people
standing approvals plus multicall is like leaving your front door open and being surprised when someone walks in. the pattern is documented everywhere at this point
foobar catching it first is peak crypto security twitter. guy sees everything before anyone else lol
transferFrom without proper ownership checks in a multicall is such a basic error. either the auditor missed it or there was no audit on the upgraded code
1.6M in mayc pseudos gone because nobody re-audited after the upgrade. the upgrade itself was the attack vector. feels intentional at some level
the upgrade was the attack vector. classic pattern – deploy safe code, then push a malicious update months later when nobody is watching