The exploit targeted the Sell & Repay contract on Ethereum, allowing the attacker to take a limited number of NFTs that were not tied to active loans.
According to the Gondi team, the vulnerable function has been temporarily disabled until a patch is released. The protocol has successfully completed emergency audits conducted by Blockaid and independent experts. All other smart contracts, including those responsible for loans, trading, listings, and bidding, were not affected and continue to operate normally.
The team also strongly recommended that users revoke previously granted approvals to the compromised contracts through the revoke.cash service.
GoPlusSecurity flagged the incident and identified the addresses of the attacker and the compromised contracts. The exploit used approvals on Purchase Bundle to drain the tokens.
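The drain worked through previously granted approvals, which is why the team's advice is to revoke them. The following is an added example, not code from Gondi, GoPlusSecurity or revoke.cash: it replays constructed ERC-721 `ApprovalForAll` event logs to list which operators an owner still has approved per collection, and builds the `setApprovalForAll(operator, false)` calldata that revokes one. The event topic and function selector are the standard ERC-721 values; every address and log below is a constructed placeholder.

```python
"""Audit ERC-721 operator approvals from ApprovalForAll logs and build
revoke calldata. Added example; all addresses and logs are constructed."""

# keccak256("ApprovalForAll(address,address,bool)") -- the standard ERC-721 event topic
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
# 4-byte selector of setApprovalForAll(address,bool)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"


def topic_to_address(topic: str) -> str:
    """Indexed address topics are 32 bytes, left-padded; the address is the last 20 bytes."""
    return "0x" + topic[-40:].lower()


def current_operators(logs: list, owner: str) -> dict:
    """Replay ApprovalForAll logs in block order and return, per collection
    contract, the set of operators that are still approved for `owner`.
    A later `approved=false` log cancels an earlier `approved=true` one."""
    approved = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0].lower() != APPROVAL_FOR_ALL_TOPIC:
            continue  # some other event
        if topic_to_address(log["topics"][1]) != owner.lower():
            continue  # approval granted by a different owner
        collection = log["address"].lower()
        operator = topic_to_address(log["topics"][2])
        is_approved = int(log["data"], 16) != 0  # bool is ABI-encoded in the data field
        bucket = approved.setdefault(collection, set())
        if is_approved:
            bucket.add(operator)
        else:
            bucket.discard(operator)
    return {c: ops for c, ops in approved.items() if ops}


def revoke_calldata(operator: str) -> str:
    """ABI-encode setApprovalForAll(operator, false): selector + padded address + zero bool."""
    padded_operator = operator[2:].lower().rjust(64, "0")
    padded_false = "0" * 64
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + padded_operator + padded_false


# Constructed sample data: one owner, one collection, two operators.
OWNER = "0x1111111111111111111111111111111111111111"
COLLECTION = "0xcccccccccccccccccccccccccccccccccccccccc"
OPERATOR_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # approved, then revoked
OPERATOR_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"  # approved and never revoked


def _topic(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


SAMPLE_LOGS = [
    {"address": COLLECTION, "blockNumber": 100, "logIndex": 0,
     "topics": [APPROVAL_FOR_ALL_TOPIC, _topic(OWNER), _topic(OPERATOR_A)], "data": "0x" + "0" * 63 + "1"},
    {"address": COLLECTION, "blockNumber": 101, "logIndex": 3,
     "topics": [APPROVAL_FOR_ALL_TOPIC, _topic(OWNER), _topic(OPERATOR_B)], "data": "0x" + "0" * 63 + "1"},
    {"address": COLLECTION, "blockNumber": 150, "logIndex": 1,
     "topics": [APPROVAL_FOR_ALL_TOPIC, _topic(OWNER), _topic(OPERATOR_A)], "data": "0x" + "0" * 64},
]


def audit_sample() -> dict:
    """Convenience wrapper: operators still approved for OWNER in the sample logs."""
    return current_operators(SAMPLE_LOGS, OWNER)


if __name__ == "__main__":
    for collection, operators in audit_sample().items():
        for op in sorted(operators):
            print(f"{collection}: operator {op} still approved; revoke with {revoke_calldata(op)}")
```

In practice the logs come from `eth_getLogs` filtered on the owner's address in the second topic; the replay above is the same bookkeeping a revocation tool performs before showing the user which contracts still hold blanket approval over their tokens.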
The list of stolen assets includes rare tokens such as Aluminum Gazer, Servant of the Muse, Doodle, and Lil Pudgy. Gondi managed to contact good-faith buyers who had purchased the stolen NFTs on the secondary market without knowing about the incident. The collectors cooperated and voluntarily returned the tokens to the platform.
To compensate for the NFTs that still remain in the hacker’s wallet, the protocol is buying back equivalent tokens from the same collections and is negotiating directly to recover unique 1/1 artworks.
The compensation is being funded from Gondi’s protocol fees. The investigation is ongoing.
