An attacker exploited a smart contract vulnerability in the Gondi NFT lending protocol on March 9, 2026, draining approximately 78 NFTs worth $230,000 across 40 transactions.
The flaw, introduced in a February 20 contract upgrade, failed to verify transaction initiators in the ‘Sell & Repay’ feature, allowing the attacker to abuse pre-existing contract approvals rather than steal private keys.
Gondi has disabled the vulnerable feature and pledged to compensate users through NFT recovery, secondary market purchases, and direct restitution.
The stolen assets included valuable items from well-known collections such as Art Blocks, Doodles, and artworks by Beeple.
Security researchers and industry observers say the incident shows ongoing risks in decentralized finance (DeFi) and NFT lending platforms, where vulnerabilities in smart contracts can expose users’ assets even when private keys remain secure.
Smart-contract vulnerability enabled NFT theft
The breach originated from a flawed upgrade to Gondi’s “Sell & Repay” smart contract, a feature that allows borrowers to sell escrowed NFTs and automatically repay loans in a bundled transaction.
The update, deployed on February 20, introduced faulty logic within the contract’s “Purchase Bundler” function.
The flaw failed to properly verify whether the caller initiating the transaction was the legitimate owner or borrower of the NFT, effectively allowing an attacker to trigger unauthorized transfers from wallets that had previously approved the contract.
Blockchain security firm Blockaid was among the first to estimate the financial impact of the exploit, calculating that the drained NFTs were worth about $230,000 at the time of the attack.
“The hacker exploited the ‘Sell & Repay’ contract, which lets borrowers sell escrowed NFTs and automatically repay loans on the platform.”
Gondi team, in a statement shared on X.
Importantly, investigators say the incident did not involve stolen private keys. Instead, the attacker abused pre-existing contract approvals, a common mechanism in DeFi applications that allows smart contracts to manage tokens or NFTs on behalf of users.
Experts say this type of vulnerability demonstrates how permissioned smart-contract interactions can create hidden risk for investors who frequently interact with decentralized protocols.
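To make the bug class concrete, the following is an added illustration, not Gondi's contract code and not a reconstruction of it. It models the defect the article describes: a bundled sell-and-repay entry point that accepts the seller's address from calldata and never checks that the transaction initiator is that seller, so any wallet that once granted the contract an NFT approval can be named as the seller. The hardened version beside it derives the seller from msg.sender and confirms token ownership before anything moves. All contract, function and error names (BundlerMissingCheck, BundlerWithCheck, sellAndRepay, NotOwner) are hypothetical; the repayment accounting is left out because the transfer path is the part that matters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the bug class, not Gondi's code. Names are hypothetical.

interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function ownerOf(uint256 tokenId) external view returns (address);
}

/// Vulnerable shape: `seller` comes from calldata and nothing ties it to
/// msg.sender. Wallets that earlier called setApprovalForAll(bundler, true)
/// for an unrelated listing are still approved, so transferFrom succeeds
/// for any such wallet the caller names.
contract BundlerMissingCheck {
    function sellAndRepay(
        address collection,
        uint256 tokenId,
        address seller,   // attacker-controlled input in this shape
        address buyer
    ) external {
        // Repayment/proceeds logic omitted; the unguarded transfer is the defect.
        IERC721(collection).transferFrom(seller, buyer, tokenId);
    }
}

/// Hardened shape: the seller is the transaction initiator, and the token is
/// verified to belong to that initiator before the escrowed transfer runs.
contract BundlerWithCheck {
    error NotOwner(address caller, address owner);

    function sellAndRepay(
        address collection,
        uint256 tokenId,
        address buyer
    ) external {
        address seller = msg.sender;  // never taken from calldata
        address owner = IERC721(collection).ownerOf(tokenId);
        if (owner != seller) revert NotOwner(seller, owner);
        IERC721(collection).transferFrom(seller, buyer, tokenId);
    }
}
```

The design point is that a standing ERC-721 approval is a capability the contract holds on the user's behalf; every function that can spend that capability has to bind the spend to the caller (or to a loan record that names the caller as borrower), because the approval itself does not. A unit test that calls sellAndRepay from an address other than the token owner and expects NotOwner is the check that would have caught the vulnerable shape before deployment.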
Platform disables vulnerable feature and begins restitution
In response to the incident, Gondi immediately disabled the compromised Sell & Repay feature while keeping the rest of the platform operational.
According to the company, other functions including NFT trading, listing, bidding, and loan refinancing were not affected by the exploit.
“The Sell & Repay feature remains disabled while we deploy a fix. All other functionality is fully operational.”
Gondi team, platform update.
The company also announced that its immediate priority is to compensate users whose assets were lost during the attack.
The compensation plan includes multiple approaches:
Recovering stolen NFTs where possible
Returning NFTs purchased unknowingly by secondary buyers
Using protocol fees to buy comparable NFTs for affected users
According to Gondi, some NFTs that were sold on secondary markets have already been recovered with the help of community members and returned to their original owners.
For rare or one-of-one NFTs that cannot be easily replaced, the platform says it is negotiating directly with affected owners to determine appropriate restitution.
Security review and broader risks for NFT lending
Following the attack, Gondi worked with security firm Blockaid and an independent auditor to review the protocol’s infrastructure.
The platform says the system has now been assessed as safe to use, although the vulnerable contract remains disabled until a permanent fix is deployed.
Despite the relatively modest financial damage compared to larger DeFi exploits, analysts warn the incident could affect confidence in NFT-backed lending markets.
The theft also removed several high-value NFTs from the protocol’s liquidity pool, which could temporarily affect collateral availability and lending activity.
Industry observers say the exploit underscores a recurring challenge in decentralized finance: even audited smart contracts can contain logic errors that attackers exploit within minutes.
Security experts recommend that investors regularly review and revoke smart-contract approvals in their wallets, especially after interacting with DeFi protocols.
Tools such as Revoke.cash can help users check whether their wallets remain exposed to risky permissions following an exploit.
Conclusion
For investors active in NFT lending markets, the Gondi exploit shows the delicate balance between innovation and security.
Platforms offering complex financial features, such as NFT-collateralized loans, often rely on sophisticated smart contracts that can introduce unforeseen vulnerabilities.
While Gondi’s decision to compensate users may help restore trust, the incident serves as another reminder that DeFi remains an evolving ecosystem where both opportunities and risks continue to grow.
As NFT-based finance expands, industry leaders say stronger auditing practices, real-time monitoring, and improved permission management will be critical to protecting users’ assets and maintaining confidence in decentralized platforms.