Real-time token lending platform Gondi has pledged to compensate users affected by Monday’s exploit, in which an attacker stole nearly $230,000 worth of NFTs from the protocol.
Summary
- Gondi confirmed the exploit in its Sell and Return contract, which allowed an attacker to steal approximately $230,000 worth of protected NFTs, prompting the platform to disable the feature.
- The protocol states that affected users will be compensated by purchasing comparable NFTs from the same collections.
According to a post-event update, Gondi confirmed that exploiting its “Sale and Redemption Agreement” allowed an attacker to withdraw approximately $230,000 worth of protected NFTs from the protocol. The contract allows borrowers to sell pledged NFTs and then repay outstanding loans on the platform.
An updated version of the contract was introduced on February 20, but Gondi did not explain how the vulnerability was exploited.
The exploit did not affect any other part of the protocol; the platform suspended the contract while it worked on a fix, and other services kept running.
“All users who interacted with and were affected by this contract have been contacted directly by our team,” Gondi wrote. In a subsequent update, the protocol said it intends to compensate affected users by purchasing comparable items from the same collection.
“Although not of the same piece, we believe this is a fair and meaningful decision and will agree directly with each owner,” it added.
Gondi was then reviewed by the Blockaid team and an independent auditor who concluded that the protocol was safe to use.
According to Blockaid, the attacker started selling some of the stolen NFTs after the exploit. As of the latest update, Gondi said the attacker’s wallet still contained some of the stolen NFTs, and the rest were sold to “innocent buyers who had no knowledge of the exploit.”
“We contacted each of them directly and asked for their help in returning the items to their rightful owners,” it added.
Meanwhile, at least four NFTs have been recovered and returned by the NFT community, including Aluminum Gazer, Muse Servant, Doodle, and Lil Pudgy.
The platform said it will use its protocol payment to buy restored items and compensate affected users.
Gondi’s exploit is the second attack in two weeks. As previously reported by crypto.news, the Bitcoin-focused DeFi platform Solv Protocol was exploited late last week, allowing a hacker to drain approximately $2.7 million from one of its token vaults.






