Asterix Protocol Inherits $40K Flaw From Flooring’s June Hack

Published by James Harris on


What You Need to Know

  • The Asterix NFT protocol lost $40,000 to attackers exploiting the same vulnerability that drained Flooring Protocol in June.
  • A flaw in the BT404 token standard allows a single malicious token ID to produce different accounting results, creating an infinite fungible token balance.
  • Yuga Labs recovered 68 NFTs worth 346 ETH from the original Flooring Protocol breach before a second attacker accessed them.
  • The forked-code vulnerability also affected BitmapPunks and the SSR pool, revealing the structural risk when base contracts are copied without security review.

A forked NFT liquidity protocol called Asterix lost roughly $40,000 early Wednesday after attackers used the same vulnerability that drained Flooring Protocol on June 8, exploiting code Asterix had copied directly from the DN404/BT404 token standard without catching the underlying flaw.

The attack vector, identified by BlockSec’s Phalcon, centers on what Yuga Labs’ VP of Blockchain described as “ghost ownership”: a flaw in BT404-style accounting that lets a single malicious token ID satisfy one ownership check and then produce a different result in a second accounting pass, effectively manufacturing an infinite balance of the fungible tokens used to redeem locked NFTs. Flooring Protocol, which shut down last year, had built its entire NFT liquidity model on this mechanic, and any fork that inherited the code inherited the bug. Yuga Labs moved quickly on the original breach, running a white hat recovery that secured 68 NFTs worth roughly 346 ETH before a second attacker could reach them, including 29 Bored Apes and two CryptoPunks. Asterix did not have that safety net. FreeLunchCapital confirmed the same attack path also hit BitmapPunks, which used a comparable contract design, and SSR warned users away from its own pool after seeing what happened.

The forked code problem is not new, but it rarely plays out this cleanly as a chain of sequential victims.

This incident sits inside a broader deterioration in Web3 security metrics. CertiK counted 60 confirmed incidents in May alone, totaling $68.3 million in losses, and PeckShield attributed $340.7 million to bridge and cross-chain exploits through June 1. For NFT liquidity protocols specifically, the Flooring case illustrates a structural risk that tends to get underweighted: when a base contract is copied across multiple projects, a single audit failure becomes a sector-wide exposure, and the projects with the smallest treasuries or least active development teams are typically the last to patch. Asterix’s $40,000 loss is small relative to the Flooring incident, but the team has not disclosed whether any recovery is possible, which matters to holders trying to assess whether the $ASTX token contract is effectively dead.

Yuga Labs said recovered NFTs from the Flooring rescue will be returned once developers complete a patch, and 0xQuit has warned users against depositing new NFTs into Flooring pools in the interim. Whether Asterix publishes a credible post-mortem will be the first real signal of whether the project has the capacity to continue operating at all.
