NFT lending protocol Gondi has officially declared its platform secure following a targeted exploit that drained $230,000 in digital assets. The breach, which occurred on Monday, specifically compromised the protocol's "Sell & Repay" smart contract, forcing the team to disable the feature entirely while they pivot toward user remediation and full reimbursement.
How did the Gondi exploit occur?
According to Cointelegraph, the vulnerability existed within the "Sell & Repay" contract—a specialized piece of code designed to allow borrowers to sell escrowed NFTs while simultaneously settling their outstanding loans. While the protocol had deployed an updated version of this contract on Feb. 20, the exploit still managed to bypass security measures.
On-chain data from Etherscan confirms that 78 NFTs were siphoned from the protocol at approximately 8:12 am UTC on Monday. Security firm Blockaid verified the total loss at $230,000.
Impact Breakdown
| Metric | Detail |
|---|---|
| Total Value Lost | $230,000 |
| NFTs Stolen | 78 |
| Primary Vulnerability | Sell & Repay Contract |
| Status | Contract Disabled |
Is it safe to use Gondi right now?
Following the incident, Gondi engaged with Blockaid and independent auditors to conduct a comprehensive sweep of the protocol. The verdict? The platform is deemed safe for standard operations, including buying, selling, trading, and listing NFTs, as well as managing existing loan positions.
However, users should note that the "Sell & Repay" contract remains offline. The team has not yet deployed a fix for that specific function, opting to keep it disabled to prevent further exploits.
How is Gondi handling user compensation?
In a move that distinguishes this incident from typical "rug-pull" scenarios, Gondi has taken an aggressive stance on making victims whole. The protocol has already begun purchasing "comparable items" from the same NFT collections to replace those stolen, transferring them directly to the affected wallets.
Interestingly, the NFT community played an unexpected role in the recovery process. Several high-value assets—including pieces from the , , and collections—were recovered and returned by community members who tracked the hacker's movements.