A targeted exploit on a niche lending feature highlights how peripheral contracts often carry more risk than core vaults. The NFT lending protocol Gondi suffered a loss of approximately $230,000 after an attacker manipulated a recently updated "Sell & Repay" mechanism.
The latest confirmed developments
The breach occurred shortly after the protocol deployed an updated version of the repayment contract on Feb 20. According to data cited by Cointelegraph, the attacker managed to drain 78 NFTs before the vulnerability was contained. The platform confirmed that while the specific interaction contract was compromised, the core protocol components remained secure.
Operators have stated they will compensate affected users with comparable NFTs, effectively covering the loss from the project's own reserves. This response mitigates the immediate economic damage to lenders but relies on the protocol’s discretionary treasury rather than on-chain guarantees.
Why this mattered beyond the headline
This incident underscores a recurring structural weakness in DeFi lending: the attack surface often expands with user convenience features. The "Sell & Repay" contract was designed to streamline the liquidation and repayment process, allowing borrowers to exit positions efficiently. However, by coupling collateral access with complex trading logic, the protocol introduced a vector that bypassed standard vault protections.
For lenders, this changes the risk calculation. A protocol can have an impeccable core vault audit, yet still lose collateral through a peripheral "helper" contract. The security perimeter is defined by the weakest permissioned contract, not the strongest one.
Where lender risk sits
The exploit reveals that collateral protection is compromised when repayment functionality is not treated with the same rigor as custody. While Gondi's core solvency was not threatened, the specific assets backing active loans were removed without repayment occurring in the intended manner. The fact that proof-of-solvency was maintained at the protocol level is distinct from the reality that specific lenders lost their underlying security.
We observe three specific lessons from this mechanism failure:
- Repayment logic is a high-value target: Attackers target the transition points where assets move between states (e.g., from "locked" to "sold") rather than static vaults.
- Update frequency carries risk: The vulnerability appeared in a contract updated just days prior, reinforcing that fresh code is the primary source of operational risk.
- Recovery is manual: The user protection here depended on a manual promise of compensation, not an automated insurance fund.
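To make the first lesson concrete, the following is an added illustration (constructed for this write-up, not Gondi's code, and not a reconstruction of the actual exploit, whose mechanics the protocol has not published). It contrasts two hypothetical vault designs: one that lets an allow-listed helper contract decide when collateral may leave, and one that only releases collateral inside the same call in which it observes the lender being paid. The interfaces, struct and contract names are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, minimal token interfaces (assumed for this illustration).
interface IERC721Minimal {
    function transferFrom(address from, address to, uint256 tokenId) external;
}
interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

struct Loan {
    address borrower;
    address lender;
    address nft;
    uint256 tokenId;
    address asset;     // ERC-20 used for repayment
    uint256 principal; // amount owed; interest omitted for brevity
    bool active;
}

// Pattern 1 (weak): the vault trusts any allow-listed helper to say "this loan is settled".
// The invariant "collateral leaves only after the lender is paid" lives in the helper,
// so any defect in a peripheral "Sell & Repay"-style helper is a defect in custody.
contract VaultDelegatingRelease {
    mapping(uint256 => Loan) public loans;
    mapping(address => bool) public helpers;
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function setHelper(address helper, bool allowed) external {
        require(msg.sender == owner, "not owner");
        helpers[helper] = allowed;
    }

    // The vault never checks that repayment happened; it only checks who is calling.
    function releaseCollateral(uint256 loanId, address to) external {
        require(helpers[msg.sender], "not helper");
        Loan storage l = loans[loanId];
        require(l.active, "inactive");
        l.active = false;
        IERC721Minimal(l.nft).transferFrom(address(this), to, l.tokenId);
    }
}

// Pattern 2 (hardened): repayment and release happen in one call, and the vault refuses
// to release otherwise. A helper may still orchestrate a sale, but it cannot move
// collateral without the vault seeing the lender paid in the same transaction.
contract VaultEnforcingSettlement {
    mapping(uint256 => Loan) public loans;
    uint256 public nextLoanId;
    // borrower => settler => allowed; lets a borrower opt a helper in for their own loans only
    mapping(address => mapping(address => bool)) public approvedSettler;

    event Repaid(uint256 indexed loanId, address indexed payer, uint256 amount);

    // Origination: vault takes custody of the NFT and records who is owed what.
    // (Lender-side funding is omitted; the point here is the release path.)
    function openLoan(address lender, address nft, uint256 tokenId, address asset, uint256 principal)
        external returns (uint256 loanId)
    {
        loanId = nextLoanId++;
        loans[loanId] = Loan(msg.sender, lender, nft, tokenId, asset, principal, true);
        IERC721Minimal(nft).transferFrom(msg.sender, address(this), tokenId);
    }

    function approveSettler(address settler, bool allowed) external {
        approvedSettler[msg.sender][settler] = allowed;
    }

    // "Sell & repay" as a single atomic step: `buyer` pays `salePrice` (must have approved this
    // vault for the ERC-20); the lender receives what is owed, the borrower receives any surplus,
    // and only then does the NFT leave custody, to the buyer.
    function sellAndRepay(uint256 loanId, address buyer, uint256 salePrice) external {
        Loan storage l = loans[loanId];
        require(l.active, "inactive");
        require(msg.sender == l.borrower || approvedSettler[l.borrower][msg.sender], "not authorised");
        uint256 owed = l.principal;
        require(salePrice >= owed, "sale does not cover debt");

        // Effects before interactions: close the loan first so a reentrant call cannot release twice.
        l.active = false;

        // Interaction 1: the lender must actually be paid, or the whole call reverts.
        require(IERC20Minimal(l.asset).transferFrom(buyer, l.lender, owed), "repayment failed");
        if (salePrice > owed) {
            require(IERC20Minimal(l.asset).transferFrom(buyer, l.borrower, salePrice - owed), "surplus failed");
        }
        emit Repaid(loanId, buyer, owed);

        // Interaction 2: collateral leaves custody only after settlement is observed by the vault.
        IERC721Minimal(l.nft).transferFrom(address(this), buyer, l.tokenId);
    }
}
```

The design point is where the invariant lives. In the first pattern the vault's audit can be flawless and still irrelevant, because a helper with release rights is part of the custody perimeter. In the second pattern a convenience module can be added, replaced or even be buggy without gaining the ability to remove collateral unpaid, because the vault itself checks payment and release in one transaction. Reviewers assessing a lending protocol can ask the same question of every contract that holds a release permission: does it enforce repayment itself, or does it trust a caller to have done so?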
What Assetify would watch next
This event reinforces that audit scopes for lending protocols must explicitly cover peripheral interaction contracts. The distinction between "core" and "feature" code is irrelevant to a lender if both have permission to move assets. Future due diligence on NFT lending platforms should verify whether convenience modules like "Sell & Repay" share the same security clearance and audit depth as the primary lending pools.