NFT Lending Platform Gondi Exploited

NFT lending platform Gondi reported a $230,000 exploit affecting its Sell & Repay smart contract. The platform says buying, selling, trading, and listing NFTs remains operational.

Gondi, a decentralized NFT lending platform, confirmed that an exploit of its "Sell & Repay contract" allowed an attacker to withdraw roughly $230,000 worth of escrowed NFTs. The platform has vowed to compensate affected users by purchasing comparable NFTs from the same collections. The "Sell & Repay" feature remains disabled while the team deploys a fix.

The exploit occurred due to faulty logic within the contract's "Purchase Bundler" function, which failed to properly verify the caller's legitimacy. This oversight allowed the attacker to trigger transfers and extract assets from multiple users. Blockchain data indicates that 78 NFTs were drained through approximately 40 transactions. Stolen items included 44 Art Blocks tokens, 10 Doodles, and two NFTs from Beeple's "Spring Collection".

Following the exploit, Gondi instructed users not to repay loans until the platform's security was confirmed. They also advised users to revoke approvals for affected contracts via Revoke.cash and to avoid initiating new activity on the protocol. Several members of the NFT community helped recover and return NFTs, including Aluminum Gazer, Servant of the Muse, Doodle, and Lil Pudgy.

Gondi is a decentralized, non-custodial NFT lending protocol engineered to create an efficient NFT credit market. It allows lenders to refinance existing loans and borrowers to get better terms on outstanding loans. The platform's core operations, including buying, selling, listing, bidding, and trading, are reportedly safe to resume.
