NFT platform Gondi to compensate users affected in $250k smart contract exploit

Non-fungible token lending platform Gondi has vowed to compensate users affected in a Monday exploit during which the attacker stole roughly $230,000 worth of NFTs from the protocol.
Summary
- Gondi confirmed an exploit in its Sell & Repay contract allowed an attacker to steal about $230,000 worth of escrowed NFTs, prompting the platform to disable the feature.
- The protocol said affected users will be compensated by purchasing comparable NFTs from the same collections.
According to a post-incident update, Gondi confirmed that an exploit of its “Sell & Repay contract” allowed an attacker to withdraw roughly $230,000 worth of escrowed NFTs from the protocol. The contract allows borrowers to sell escrowed NFTs and subsequently repay outstanding loans on the platform.
An updated version of the contract was deployed on Feb. 20, but Gondi did not clarify how the vulnerability was exploited.
The exploit did not impact any other parts of the protocol, and the platform has paused the contract as it works on a fix while other services remain operational.
“All users who interacted with this contract and were impacted have been contacted directly by our team,” Gondi wrote. In a subsequent update, the protocol said it plans on making affected users whole by purchasing comparable items from the same collection.
“While not the exact same piece, we believe this is a fair and meaningful resolution and are coordinating directly with each owner,” it added.
Gondi has since been reviewed by the team at Blockaid and an independent auditor, who have concluded that the protocol is safe to use.
According to Blockaid, the attacker started selling some of the stolen NFTs after the exploit. As of the last update, Gondi said that the attacker’s wallet still contained some of the stolen NFTs while the remainder was sold to “innocent buyers who had no knowledge of the exploit.”
“We reached out to each of them directly and asked for their help in returning the items to their rightful owners,” it added.
Meanwhile, at least four NFTs were recovered and returned by the NFT community, including Aluminum Gazer, Servant of the Muse, Doodle, and Lil Pudgy.
The platform said it was using its protocol fees to buy back recovered items and compensate affected users.
The Gondi exploit marks the second attack in two weeks. As previously reported by crypto.news, Bitcoin-focused DeFi platform Solv Protocol was exploited late last week, allowing the hacker to drain roughly $2.7 million worth of funds from one of its token vaults.