Security Breach: Gondi Hit by Smart Contract Exploit
A leading NFT-backed lending platform, Gondi, has reported a critical security incident. Attackers exploited a vulnerability in the 'Sell & Repay' smart contract, resulting in the unauthorized transfer of 78 NFTs valued at approximately $230,000 at the time of the breach.
How the Attack Unfolded: Logic Flaw Leveraged
On-chain analysis shows the exploit occurred around 08:12 UTC on Monday. The attacker manipulated the contract's execution flow, bypassing core authorization checks. Although an upgraded version of the contract was deployed on February 20, the legacy contract was never disabled and remained callable, leaving the vulnerable code path open for the attack.
Immediate Response: Contract Disabled and Users Compensated
Gondi swiftly disabled the compromised contract and reassured users that the rest of the platform remains secure. The team is now conducting a full forensic review with third-party security firms and has initiated a compensation process for affected users to restore confidence.
Broader Implications: Security in DeFi Can’t Be One-Time
This incident highlights a growing concern in decentralized finance: legacy contracts that are superseded but never retired become silent liabilities. Even minor oversights in contract logic can lead to significant losses. For developers, it underscores the need to proactively deactivate outdated code once a replacement is live. For users, staying informed about contract migrations and interacting only with the current deployment is crucial.
- Number of NFTs stolen: 78
- Estimated loss: ~$230,000
- Vulnerable contract: Permanently disabled
- Updated contract: Live and secured
- Platform integrity: Other systems unaffected
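The recommendation above, that a superseded contract be deactivated rather than left callable, is easy to build in from the start. The following Solidity contract is an added illustration written for this article; it is not Gondi's code and makes no claim about how their contracts are structured. It assumes a single owner key, a hypothetical business function named sellAndRepay standing in for any state-changing entry point, and a one-way retire() switch that permanently blocks those entry points and records the successor address so integrators can discover the migration on-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not Gondi's code): a contract whose state-changing entry
/// points can be permanently retired once a successor is deployed, so a
/// superseded version cannot keep accepting calls.
contract RetirableLegacyContract {
    address public immutable owner;
    address public successor; // set when the new version goes live
    bool public retired;      // one-way switch: once true, never false

    event Retired(address indexed successor, uint256 atBlock);
    event Repaid(uint256 indexed loanId, address indexed by);

    error ContractRetired(address successor);
    error NotOwner();
    error SuccessorRequired();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Every externally callable, state-changing function carries this guard.
    /// The revert carries the successor address so callers learn where to go.
    modifier notRetired() {
        if (retired) revert ContractRetired(successor);
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Hypothetical business function; stands in for an action such as
    /// 'Sell & Repay'. Whatever its own authorization checks are, after
    /// retire() has been called it cannot be reached at all.
    function sellAndRepay(uint256 loanId) external notRetired {
        // ... application logic would go here ...
        emit Repaid(loanId, msg.sender);
    }

    /// Called as part of the migration runbook, ideally in the same batch of
    /// transactions that activates the new deployment. Irreversible by design:
    /// there is no corresponding "unretire", and the guard prevents a second call.
    function retire(address _successor) external onlyOwner notRetired {
        if (_successor == address(0)) revert SuccessorRequired();
        retired = true;
        successor = _successor;
        emit Retired(_successor, block.number);
    }

    /// Read-only access stays available so integrators and auditors can still
    /// query historical state after the contract has been retired.
    function isRetired() external view returns (bool) {
        return retired;
    }
}
```

Two operational points follow from this design. First, retirement should be a documented step of every upgrade, executed and verified (the Retired event is emitted, and a test call to a guarded function reverts with ContractRetired) before the new version is announced; a migration that deploys the new contract but forgets this step reproduces exactly the situation described above. Second, front-ends and integrators should read retired() and successor() before submitting transactions, so that users are steered to the live deployment rather than a contract that was meant to be dead.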
As DeFi evolves, resilience and transparency during crises will define which platforms earn long-term trust. Gondi’s handling may set a precedent for responsible post-exploit response.