NFT lending platform Gondi is working to compensate users following a smart contract exploit that resulted in the loss of dozens of digital collectibles valued at roughly $230,000. The vulnerability was linked to a recently deployed version of the protocol’s Sell & Repay contract, which enables borrowers to sell escrowed NFTs and repay loans in a single transaction.
According to blockchain data, the exploit allowed an attacker to transfer 78 NFTs across about 40 transactions. The issue stemmed from faulty logic in a function known as the Purchase Bundler, which failed to properly verify whether the caller was the legitimate owner or borrower of an NFT. The affected assets included collections such as Art Blocks, Doodles, and pieces from Beeple’s Spring Collection.
Gondi said the Sell & Repay feature has been temporarily disabled while developers deploy a fix and conduct additional audits. The platform stated that other functions, including trading, bidding, and loan activity, were not impacted and that it is actively working to reimburse affected users through direct recovery efforts and market purchases of comparable assets.
