Gondi NFT Lending Platform Reports Security Restoration Following $230K Breach
The NFT lending protocol confirmed that only its Sell & Repay smart contract was compromised, reassuring users that all other platform functions including NFT trading and listing remain secure.

The nonfungible token lending platform Gondi announced that it has successfully deactivated the vulnerable smart contract responsible for enabling an attacker to drain approximately $230,000 in NFT assets from the protocol, and has initiated the process of reimbursing users who were impacted by the security breach.
In a statement posted on X this Monday, Gondi revealed that the attacker took advantage of a vulnerability in the "Sell & Repay" contract, a feature designed to enable borrowers to liquidate their escrowed NFT assets while simultaneously settling their outstanding loans through the platform.
The platform acknowledged that a newer version of the contract in question had been implemented on Feb. 20, though it stopped short of providing details about the specific method the attacker used to compromise the contract. According to Gondi, the security incident was isolated to this single contract, with no other platform components experiencing any breach.
Records from Etherscan, the Ethereum blockchain explorer, indicate that a total of 78 NFTs were taken on Monday around 8:12 am UTC. Blockchain security firm Blockaid calculated the total value of stolen assets at $230,000.
In a subsequent announcement, Gondi stated that its "focus has shifted entirely to making affected users whole" and confirmed that both Blockaid and an independent security auditor have completed comprehensive reviews of the platform, determining it to be safe for continued use.
The operations deemed safe include repaying, renegotiating and refinancing loans and starting new loans, in addition to buying, selling, trading and listing NFTs on the platform.
Gondi confirmed that a corrected version of the Sell & Repay contract has not yet been released, and the feature currently remains deactivated.
Crypto Samaritans help Gondi recover NFTs
Although Blockaid reported that the attacker had begun liquidating portions of the stolen NFT collection, several members of the NFT community successfully retrieved and returned multiple assets, including Doodle, Aluminum Gazer, Lil Pudgy and Servant of the Muse NFTs, according to Gondi's statement.
"We are in active conversations on additional items and expect more to follow, including Taxmen."
Cryptocurrency analyst "Tinoch" pointed out on X that a single Gondi platform user, identified by wallet address "0x8d1…47051," suffered losses totaling approximately $108,000 in NFT assets, representing close to half of the total amount stolen from the protocol.
Gondi reported that it has already purchased "comparable items" from the same NFT collections and transferred them to affected owners, and will continue to do so for any remaining cases.
"While not the exact same piece, we believe this is a fair and meaningful resolution and are coordinating directly with each owner."