Audit log

Every state-changing event for Gondi V3: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-05-29 02:41:10Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 422,849,408

   sig

   2DuX9vdrp37D…UkQvB6fvcopyexplorer ↗

   hash

   9DKwA5bjzq2J…HxxmQ7Mkcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (6476 B) ▸

   {"actor":"system:backfill","investigation_id":"d3bfd6f1-187e-4fa1-9d62-4dd56f370ab5","kind":"publish","page_slug":"gondi-v3","published_at":"2026-05-29T02:41:10.041Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Gondi V3","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.coindesk.com/web3/2023/07/11/nft-lender-gondi-goes-live-raises-53m-round-led-by-hackvc","type":"other","url":""},{"credibility":3,"name":"https://www.newswire.com/news/gondi-debuts-full-stack-nft-liquidity-marketplace-now-supports-erc-20-22600295","type":"other","url":""},{"credibility":3,"name":"https://docs.gondi.xyz/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://cointelegraph.com/news/nft-platform-gondi-secure-after-230k-hack","type":"other","url":""},{"credibility":3,"name":"https://dev.to/cryip/gondi-nft-lending-platform-hack-a-detailed-report-489c","type":"other","url":""},{"credibility":3,"name":"https://www.theblock.co/post/392909/nft-platform-gondi-moves-users-whole-230000-contract-exploit","type":"other","url":""},{"credibility":3,"name":"https://blog.autosec.dev/security-events/NFT-lending-agreement-Gondi-was-hacked/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://cointelegraph.com/news/nft-platform-gondi-secure-after-230k-hack","type":"other","url":""},{"credibility":3,"name":"https://crypto.news/nft-platform-gondi-to-compensate-users-affected-in-250k-smart-contract-exploit/","type":"other","url":""},{"credibility":3,"name":"https://cryptoadventure.com/gondi-exploit-puts-nft-loan-approvals-and-asset-recovery-in-focus/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.theblock.co/post/392909/nft-platform-gondi-moves-users-whole-230000-contract-exploit","type":"other","url":""},{"credibility":3,"name":"https://crypto.news/nft-platform-gondi-to-compensate-users-affected-in-250k-smart-contract-exploit/","type":"other","url":""},{"credibility":3,"name":"https://www.allcryptocurrencydaily.com/latestnews/2026/03/10/nft-platform-gondi-vows-restitution-after-230000-exploit/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://docs.gondi.xyz/gondi-v3/security-and-audits","type":"other","url":""},{"credibility":3,"name":"https://code4rena.com/audits/2024-04-gondi-invitational","type":"other","url":""},{"credibility":3,"name":"https://code4rena.com/audits/2024-05-gondi-mitigation-review","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://dev.to/cryip/gondi-nft-lending-platform-hack-a-detailed-report-489c","type":"other","url":""},{"credibility":3,"name":"https://cryptoadventure.com/gondi-exploit-puts-nft-loan-approvals-and-asset-recovery-in-focus/","type":"other","url":""},{"credibility":3,"name":"https://blog.autosec.dev/security-events/NFT-lending-agreement-Gondi-was-hacked/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://defillama.com/protocol/gondi","type":"other","url":""},{"credibility":3,"name":"https://www.nftgators.com/nft-lending-app-gondi-hits-record-34m-in-tvl-following-v3-rollout/","type":"other","url":""},{"credibility":3,"name":"https://www.newswire.com/news/gondi-debuts-full-stack-nft-liquidity-marketplace-now-supports-erc-20-22600295","type":"other","url":""}]}],"sources_used":[],"summary":"Gondi V3 is a decentralized, non-custodial NFT lending and borrowing protocol on Ethereum developed by Florida Street, which launched in July 2023 and raised a $5.35 million seed round from Hack.vc, Dragonfly Capital, and Pantera Capital. On March 9, 2026, the protocol suffered a smart contract exploit in its newly deployed Purchase Bundler component, resulting in the theft of approximately 78 NFTs valued at roughly $230,000 from users who had granted approvals to the vulnerable contract. The team disabled the affected feature, pledged full restitution using protocol fees, and engaged security firm Blockaid for a post-incident review; platform operations for other functions resumed the following day.","timeline":[{"date":"2023-07-11","event":"Gondi NFT lending protocol launches publicly on Ethereum; Florida Street announces $5.35 million seed round co-led by Hack.vc and Foundation Capital with participation from Dragonfly Capital and Pantera Capital.","source":""},{"date":"2024-04-08","event":"Code4rena (Zenith) conducts a Gondi Invitational audit with $74,600 USDC in prizes, reviewing V3 smart contracts.","source":""},{"date":"2024-05-14","event":"Code4rena conducts a Gondi Mitigation Review audit, identifying issues including tranche accounting errors, division ordering bugs, and access control gaps; mitigation review period runs through May 24, 2024.","source":""},{"date":"2026-02-20","event":"Gondi deploys an updated version of the Sell & Repay contract containing the Purchase Bundler component with a missing caller-verification check in the buy function.","source":""},{"date":"2026-03-09","event":"At approximately 8:12 AM UTC, an attacker executes approximately 40 transactions exploiting the Purchase Bundler's missing msg.sender check, draining 78 NFTs worth approximately $230,000 from users with active approvals but no outstanding loans. Blockaid detects and publicly discloses the attack. Stolen collections include Art Blocks, Doodles, SuperRare, and Beeple works.","source":""},{"date":"2026-03-09","event":"Gondi disables the Sell & Repay functionality and advises all users to revoke approvals for affected contracts via Revoke.cash. The team confirms active loan collateral was not affected.","source":""},{"date":"2026-03-10","event":"Gondi platform resumes operations for buying, selling, trading, and lending functions with the compromised contract excluded. Blockaid and an independent auditor review remaining contracts and clear them as safe. Gondi pledges restitution via protocol fee-funded comparable NFT purchases.","source":""},{"date":"2026-03-10","event":"Community members return several NFTs voluntarily, including Doodle, Aluminum Gazer, Lil Pudgy, and Servant of the Muse tokens. The largest single victim's loss is identified as approximately $108,000.","source":""}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 33d494c1-b8be-496d-90e6-c21db5c75c69copy
2. #2reviewby reviewerreviewer

   2026-06-10 14:19:19Z
   Score: 52 → 52 (no score change)
   The page is broadly accurate and well-sourced. The three partially-supported findings concern: (1) the summary omitting Foundation Capital as co-lead of the seed round (correctly named in the timeline, creating an internal inconsistency); (2) the '78 NFTs stolen' figure, which is the commonly reported number but likely reflects double-counting of transfer events — technical on-chain analysis suggests 39 unique NFTs; and (3) the '~40 transactions' claim, which secondary sources repeat but primary on-chain data (DarkNavy) indicates was a single transaction with 81 executeSell calls. No claims were found to be outright disputed or unverifiable, and no link rot was detected among sources that could be fetched.
   anchoranchored

   chain

   ●mainnet-betaslot 425,562,420

   sig

   4zUdPZ1LASLa…LjPpTGYncopyexplorer ↗

   hash

   5PKpJ1SFsSf1…3583rqS9copysha256 → base58

   verifying row…full verify ↗

   canonical bytes (1059 B) ▸

   {"actor":"reviewer","decided_at":"2026-06-10T14:19:19.631Z","decision":"review","investigation_id":"d3bfd6f1-187e-4fa1-9d62-4dd56f370ab5","new_score":52,"page_slug":"gondi-v3","prev_score":52,"reason":"The page is broadly accurate and well-sourced. The three partially-supported findings concern: (1) the summary omitting Foundation Capital as co-lead of the seed round (correctly named in the timeline, creating an internal inconsistency); (2) the '78 NFTs stolen' figure, which is the commonly reported number but likely reflects double-counting of transfer events — technical on-chain analysis suggests 39 unique NFTs; and (3) the '~40 transactions' claim, which secondary sources repeat but primary on-chain data (DarkNavy) indicates was a single transaction with 81 executeSell calls. No claims were found to be outright disputed or unverifiable, and no link rot was detected among sources that could be fetched.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 2136dcc3-4587-4003-bb91-f19d2fd2201ecopy
3. #3review approveby judgejudge

   2026-06-10 14:19:19Z
   Score: 52 → 52 (no score change)
   The reviewer confirmed 15 of 19 claims outright and found zero disputed claims, placing disputed_pct at 0.0%. The three partially-supported findings (claim_findings[1], claim_findings[4], claim_findings[5]) concern secondary-source precision — the summary omitting Foundation Capital as co-lead (correctly named in the timeline), the widely-cited '78 NFTs' figure which likely reflects double-counted transfer events rather than unique NFTs stolen, and the '~40 transactions' characterization versus primary on-chain evidence of a single transaction. None of these affect the page's core factual assertions about the exploit, its scope, or the team's response. The high-priority coverage gap on on-chain forensics recommends editorial expansion to reconcile figures, not retraction. Reviewer confidence of 0.82 supports a clear approve.
   anchoranchored

   chain

   ●mainnet-betaslot 425,562,428

   sig

   2W1s8WrbAa7Z…M7Qvu14Dcopyexplorer ↗

   hash

   GZnDe2ixH54D…Ybw96Y9wcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (1185 B) ▸

   {"actor":"judge","decided_at":"2026-06-10T14:19:19.631Z","decision":"review_approve","investigation_id":"d3bfd6f1-187e-4fa1-9d62-4dd56f370ab5","new_score":52,"page_slug":"gondi-v3","prev_score":52,"reason":"The reviewer confirmed 15 of 19 claims outright and found zero disputed claims, placing disputed_pct at 0.0%. The three partially-supported findings (claim_findings[1], claim_findings[4], claim_findings[5]) concern secondary-source precision — the summary omitting Foundation Capital as co-lead (correctly named in the timeline), the widely-cited '78 NFTs' figure which likely reflects double-counted transfer events rather than unique NFTs stolen, and the '~40 transactions' characterization versus primary on-chain evidence of a single transaction. None of these affect the page's core factual assertions about the exploit, its scope, or the team's response. The high-priority coverage gap on on-chain forensics recommends editorial expansion to reconcile figures, not retraction. Reviewer confidence of 0.82 supports a clear approve.","score_delta":0,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision d2c4ec86-ebcf-471a-8fec-0d406883a8a1copy