Once upon a time, we had a machine that wound up with a default route that pointed straight to the local network, basically what you'd get if you did route add default dev eth0.

(Disclaimer: I have no idea if your system would actually accept that route command or if it would demand a gateway.)

That this worked to some degree is not too surprising in retrospect; there actually is a straightforward meaning to this, namely to arp for all destinations on the local Ethernet, and that's what our machine did. The weirdness comes in what happened next: the machine could still ping another system that was on a completely separate subnet on the same physical network.

On the one hand this makes perfect sense: the machine was arp'ing for the other system's Ethernet address and then just sending the packets to it. On the other hand, this makes no sense: how was the other system replying to those ping packets? The other system was not on the first subnet and had no route to it, so in theory it should have dropped its ping replies as unroutable; instead it just shoveled them back on to the Ethernet.

(My best guess has to do with the first machine being present in the other system's arp cache, but I'm not completely convinced.)