
NFT Lending Protocol Gondi announced on March 9 that it is actively taking measures to compensate users affected by smart contract vulnerabilities. According to security firm Blockaid, attackers exploited the vulnerability to steal approximately 78 NFTs from multiple victims, with an estimated loss of about $230,000. Gondi stated that aside from the logical flaw in the new “Sell & Repay” contract, all other platform functions have been restored.
Vulnerability Mechanism Analysis: The Key Logical Flaw in the Sell & Repay Contract
“Sell & Repay” is one of the core features of the Gondi NFT lending protocol, allowing borrowers to sell NFTs pledged as collateral within a single bundled transaction and automatically repay the loan. The latest contract version deployed on February 20 introduced a bug in the “Purchase Bundler” function, which failed to properly verify whether the contract caller was the legitimate owner or authorized borrower of the NFT. This allowed attackers to bypass ownership checks and trigger transfer operations without holding the NFT.
NFT collector tinoch estimates that a potential victim lost about 55 ETH, worth approximately $108,000 at the time of observation. Gondi emphasized that the impact of this vulnerability was limited, and NFTs actively involved in lending were never affected at any time.
List of Stolen NFTs: Well-Known Series Affected
According to Etherscan data, the 78 transferred NFTs include several well-known series:
- Art Blocks tokens: 44, accounting for the largest portion of stolen NFTs
- Doodles: 10
- Beeple “Spring Collection”: 2
- Others: multiple valuable NFT brands and unique 1/1 artworks that are irreplaceable
Following the incident, Gondi quickly suspended the “Sell & Repay” feature and invited Blockaid and independent auditors to conduct a comprehensive security review of the entire protocol. Gondi stated that all other platform activities—including loan repayment, renegotiation, refinancing, issuing new loans, and NFT listing and trading—are safe to resume.
Gondi’s Compensation Actions: A Three-Pronged Approach
Compensation efforts are progressing on three levels:
- Contacting affected users: Gondi proactively reached out to all users who interacted with the vulnerable contract to confirm losses and open direct communication channels.
- Recovering and returning stolen NFTs: Gondi tracked some stolen NFTs that had been transferred to unaware buyers and successfully persuaded these buyers to return the NFTs to the original owners.
- Repurchasing similar items with protocol fees: For stolen NFTs that cannot be directly recovered, Gondi has begun using protocol fees to purchase “similar items” from 1/1-of-X series to compensate affected users. Gondi stated, “Although these are not exactly the same items, we believe this is a fair and meaningful solution, and we are coordinating directly with each owner.” For victims who lost unique 1/1 NFTs, Gondi is engaged in “active negotiations” to seek personalized compensation plans.
Frequently Asked Questions
What is Gondi, and how did this vulnerability occur?
Gondi is a decentralized, non-custodial NFT liquidity marketplace and lending protocol that allows users to use NFTs as collateral for loans, earn interest, or refinance. The vulnerability originated from a logical error in the new “Sell & Repay” contract version deployed on February 20. The “Purchase Bundler” function failed to properly verify the caller’s legitimacy, enabling attackers to trigger transfers without owning the NFTs.
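The missing caller check described above (and in the vulnerability analysis earlier on the page) can be illustrated with a simplified bundler. This is an added, hypothetical example and not Gondi's contract code: the `IERC721Min` interface, the `VulnerableBundler` and `HardenedBundler` contracts and the `sellAndRepay` signature are all assumptions made for illustration. The vulnerable version moves a token on the strength of the bundler's own ERC-721 approval alone; the hardened version first requires the caller to be the token owner or an address the owner approved.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface used by this illustration (hypothetical subset).
interface IERC721Min {
    function ownerOf(uint256 tokenId) external view returns (address);
    function getApproved(uint256 tokenId) external view returns (address);
    function isApprovedForAll(address owner, address operator) external view returns (bool);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical bundler: users approve it as an ERC-721 operator so that it can
// move their NFT to a buyer and route the sale proceeds into loan repayment.
contract VulnerableBundler {
    // Defect being illustrated: any caller can name any token whose owner has
    // approved the bundler; msg.sender is never compared with that owner.
    function sellAndRepay(IERC721Min nft, uint256 tokenId, address buyer) external {
        address owner = nft.ownerOf(tokenId);
        nft.transferFrom(owner, buyer, tokenId); // succeeds on the bundler's approval alone
        // repayment bookkeeping would follow here (omitted)
    }
}

contract HardenedBundler {
    error NotAuthorized(address caller, uint256 tokenId);

    // Caller must be the token owner, the token's approved address, or an
    // operator the owner approved; the bundler's own approval is not enough.
    modifier onlyOwnerOrApproved(IERC721Min nft, uint256 tokenId) {
        address owner = nft.ownerOf(tokenId);
        bool ok = msg.sender == owner
            || nft.getApproved(tokenId) == msg.sender
            || nft.isApprovedForAll(owner, msg.sender);
        if (!ok) revert NotAuthorized(msg.sender, tokenId);
        _;
    }

    function sellAndRepay(IERC721Min nft, uint256 tokenId, address buyer)
        external
        onlyOwnerOrApproved(nft, tokenId)
    {
        address owner = nft.ownerOf(tokenId);
        nft.transferFrom(owner, buyer, tokenId); // only reachable by an authorized caller
        // repayment bookkeeping would follow here (omitted)
    }
}
```

The practical lesson is that a contract holding blanket operator approvals must re-derive authorization from `msg.sender` on every entry point, because the ERC-721 contract only checks that the bundler is approved, not who asked the bundler to act.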
Which NFTs were stolen in this Gondi vulnerability?
A total of 78 NFTs were transferred to attacker addresses through about 40 transactions, including 44 Art Blocks tokens, 10 Doodles, 2 Beeple “Spring Collection” pieces, and other well-known NFT brands. Some of these are irreplaceable 1/1 artworks. The total loss is estimated at approximately $230,000.
Is the Gondi platform currently safe to use again?
Gondi stated that after completing security reviews with Blockaid and independent auditors, all platform activities except the “Sell & Repay” function—still suspended—are safe to resume, including loan repayment, renegotiation, refinancing, new loans, and NFT buying and selling.