In a significant setback for the NFT lending ecosystem, the Gondi platform has weathered a $230,000 exploit, swiftly addressing the issue and focusing on compensating affected users. The hacker exploited the ‘Sell & Repay’ contract, a feature designed to let borrowers sell escrowed NFTs and automatically repay loans on the platform.
Gondi, a prominent player in the NFT lending space, announced on X that the exploit occurred through the ‘Sell & Repay’ contract, which was intended to streamline the process of selling NFTs and repaying loans. The platform quickly disabled the faulty contract to prevent further damage and is now in the process of compensating users who were affected by the exploit.
Data from the Ethereum block explorer Etherscan revealed that 78 NFTs were stolen on Monday at approximately 8:12 am UTC. Blockchain security platform Blockaid estimated the total loss to be around $230,000. Despite the setback, Gondi emphasized that no other parts of the platform were compromised, and an updated version of the ‘Sell & Repay’ contract had been deployed on February 20.
Community Efforts to Recover Stolen NFTs
While the hacker began selling some of the stolen NFTs, the NFT community rallied to recover and return several high-value tokens. Notable returns include the Doodle, Aluminum Gazer, Lil Pudgy, and Servant of the Muse NFTs. Gondi stated, “We are in active conversations on additional items and expect more to follow, including Taxmen.”
One Gondi user, with the wallet address ‘0x8d1…47051’, lost around $108,000 worth of NFTs, nearly half of the total stolen from the protocol. In response, Gondi has already begun compensating affected users by purchasing comparable items from the same NFT collections and transferring them to the owners. “While not the exact same piece, we believe this is a fair and meaningful resolution and are coordinating directly with each owner,” the platform stated.
Enhancing Security and Moving Forward
Gondi’s focus has shifted entirely to making affected users whole and ensuring the platform’s continued safety. The company has not yet deployed a fix to the ‘Sell & Repay’ contract, which remains disabled. Blockaid and an independent auditor have reviewed the platform and concluded that it is now safe to use for all activities, including repaying, renegotiating, refinancing loans, and buying, selling, trading, and listing NFTs.
This incident underscores the ongoing challenges in the NFT and DeFi spaces, where smart contract vulnerabilities can lead to significant financial losses. However, Gondi’s swift response and community support highlight the resilience and collaborative nature of the blockchain ecosystem. As the platform continues to address the aftermath of the exploit, it is also taking steps to enhance its security measures to prevent similar incidents in the future.
