
NFT lending protocol Gondi announced on March 9 that it is actively taking measures to compensate users affected by smart contract vulnerabilities. According to security firm Blockaid, attackers exploited the vulnerability to steal approximately 78 NFTs from multiple victims, with an estimated loss of about $230,000. Gondi stated that all platform functions have been restored except the new “Sell & Repay” contract, which contained the logic flaw.
Vulnerability Mechanism Analysis: The Key Logical Flaw in the Sell & Repay Contract
“Sell & Repay” is one of the core features of the Gondi NFT lending protocol, allowing borrowers to sell NFTs pledged as collateral within a single bundled transaction and automatically repay the loan. The latest contract version deployed on February 20 introduced a bug in the “Purchase Bundler” function, which failed to properly verify whether the contract caller was the legitimate owner or authorized borrower of the NFT. This allowed attackers to bypass ownership checks and trigger transfer operations without holding the NFT.
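The missing caller check described above, as an added Python model that is not Gondi's contract code and not part of the original article. The ledger, the operator approval granted to the bundler, and every name in it are assumptions made for illustration.

```python
# Simplified, constructed model of a bundler that moves NFTs through operator
# approvals. All names are hypothetical; this is not Gondi's contract code.

class Unauthorized(Exception):
    """Raised when a transfer or bundler call fails an authorization check."""


class NFTLedger:
    """Minimal ERC-721-style ledger: one owner per token, operator approvals per owner."""

    def __init__(self):
        self.owner_of = {}
        self.operators = {}  # owner -> operators allowed to move that owner's tokens

    def approve_operator(self, owner, operator):
        self.operators.setdefault(owner, set()).add(operator)

    def transfer_from(self, operator, src, dst, token_id):
        if self.owner_of.get(token_id) != src:
            raise Unauthorized("src does not own the token")
        if operator != src and operator not in self.operators.get(src, set()):
            raise Unauthorized("operator is not approved by the owner")
        self.owner_of[token_id] = dst


class Bundler:
    """Moves a token on a caller's request; `check_caller` toggles the missing check."""

    ADDRESS = "bundler"

    def __init__(self, ledger, borrowers, check_caller):
        self.ledger = ledger
        self.borrowers = borrowers  # token_id -> borrower recorded for a loan, if any
        self.check_caller = check_caller

    def sell_and_repay(self, caller, token_id, recipient):
        owner = self.ledger.owner_of[token_id]
        if self.check_caller and caller not in (owner, self.borrowers.get(token_id)):
            raise Unauthorized("caller is neither owner nor authorized borrower")
        # The ledger only sees the bundler as operator, so the owner's approval
        # is satisfied no matter who asked the bundler to act.
        self.ledger.transfer_from(self.ADDRESS, owner, recipient, token_id)
        return self.ledger.owner_of[token_id]


def build(check_caller):
    """Constructed scenario: alice owns token 1 and has approved the bundler."""
    ledger = NFTLedger()
    ledger.owner_of[1] = "alice"
    ledger.approve_operator("alice", Bundler.ADDRESS)
    return Bundler(ledger, borrowers={}, check_caller=check_caller)
```

With `check_caller=False` the token-level approval check still passes, because it validates the bundler rather than the account that invoked it; the caller check has to live in the bundler itself.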
NFT collector tinoch estimates that a potential victim lost about 55 ETH, worth approximately $108,000 at the time of observation. Gondi emphasized that the impact of this vulnerability was limited, and NFTs actively involved in lending were never affected at any time.
List of Stolen NFTs: Well-Known Series Affected
According to Etherscan data, the 78 transferred NFTs include several well-known series:
- Art Blocks tokens: 44, accounting for the largest portion of stolen NFTs
- Doodles: 10
- Beeple “Spring Collection”: 2
- Others: multiple valuable NFT brands and unique 1/1 artworks that are irreplaceable
Following the incident, Gondi quickly suspended the “Sell & Repay” feature and invited Blockaid and independent auditors to conduct a comprehensive security review of the entire protocol. Gondi stated that all other platform activities—including loan repayment, renegotiation, refinancing, issuing new loans, and NFT listing and trading—are safe to resume.
Gondi’s Compensation Actions: A Three-Pronged Approach
Compensation efforts are progressing on three levels:
- Contacting affected users: Gondi proactively reached out to all users who interacted with the vulnerable contract to confirm losses and open direct communication channels.
- Recovering and returning stolen NFTs: Gondi tracked some stolen NFTs that had been transferred to unwitting buyers and successfully persuaded these buyers to return the NFTs to the original owners.
- Repurchasing similar items with protocol fees: For stolen NFTs that cannot be directly recovered, Gondi has begun using protocol fees to purchase “similar items” from 1/1-of-X series to compensate affected users. Gondi stated, “Although these are not exactly the same items, we believe this is a fair and meaningful solution, and we are coordinating directly with each owner.” For victims who lost unique 1/1 NFTs, Gondi is engaged in “active negotiations” to seek personalized compensation plans.
Frequently Asked Questions
What is Gondi, and how did this vulnerability occur?
Gondi is a decentralized, non-custodial NFT liquidity marketplace and lending protocol that allows users to use NFTs as collateral for loans, earn interest, or refinance. The vulnerability originated from a logical error in the new “Sell & Repay” contract version deployed on February 20. The “Purchase Bundler” function failed to properly verify the caller’s legitimacy, enabling attackers to trigger transfers without owning the NFTs.
Which NFTs were stolen in this Gondi vulnerability?
A total of 78 NFTs were transferred to attacker addresses through about 40 transactions, including 44 Art Blocks tokens, 10 Doodles, 2 Beeple “Spring Collection” pieces, and other well-known NFT brands. Some of these are irreplaceable 1/1 artworks. The total loss is estimated at approximately $230,000.
Is the Gondi platform currently safe to use again?
Gondi stated that after completing security reviews with Blockaid and independent auditors, all platform activities except the “Sell & Repay” function—still suspended—are safe to resume, including loan repayment, renegotiation, refinancing, new loans, and NFT buying and selling.