NFT lending protocol Gondi has contained an exploit that drained approximately 78 NFTs valued at roughly $230,000 from multiple users, stemming from a flawed smart contract upgrade deployed on February 20, 2026.
The team has disabled the vulnerable Sell & Repay feature while confirming that all other platform functions remain secure, and is actively working to reimburse affected users through direct restitution, asset recovery, and compensation using protocol fees.
The exploit was connected to a newly deployed version of Gondi’s Sell & Repay contract, a component of the platform’s NFT lending protocol that allows borrowers to sell escrowed NFTs and automatically repay loans in a bundled transaction. The updated contract was deployed on February 20, 2026.
Security firm Blockaid identified that faulty logic was introduced in the contract’s “Purchase Bundler” function, which failed to properly verify whether a contract caller was the legitimate owner or borrower of an NFT involved in the transaction. This oversight enabled an attacker to trigger unauthorized transfers and extract assets from multiple users.
According to Etherscan data, approximately 78 NFTs were drained across roughly 40 transactions and routed to a wallet now labeled as “GONDI Exploiter.” The stolen assets included 44 Art Blocks tokens, 10 Doodles, two NFTs from Beeple’s “Spring Collection,” and other valuable pieces from prominent collections.
NFT collector tinoch estimated that one affected user alone lost approximately 55 ETH, worth about $108,000 at the time of observation. The total number of victims has not been publicly disclosed, though multiple wallets were impacted.
Gondi moved quickly to disable the affected Sell & Repay feature after identifying the issue. The team stated that the feature remains offline while a fix is deployed and verified. All other platform functionality, including buying, selling, listing, bidding, trading, refinancing loans, and starting new loans, was confirmed to be fully operational and safe to resume.
The protocol emphasized that NFTs tied to active loans were never at risk during the incident. The exploit was limited to the specific contract function responsible for bundled sales and repayments, leaving other parts of the marketplace untouched.
Since the attack, security firm Blockaid and an independent auditor have reviewed the protocol. Gondi reversed an earlier warning that had cautioned users against interacting with the platform, confirming that the broader protocol was not affected and all activity is safe to resume.
Gondi has begun working directly with impacted users to restore lost assets or provide compensation where recovery is not possible. The team has reached out to wallets that interacted with the vulnerable contract to initiate restitution processes.
In several cases, the project has tracked down NFTs that were purchased by buyers who were apparently unaware that the tokens originated from the exploit. Those items are being returned to their original owners where possible.
The protocol has started using collected platform fees to purchase “comparable items” from similar collections to offset losses for affected users when identical NFTs cannot be recovered. The team stated: “While not the exact same piece, we believe this is a fair and meaningful resolution and are coordinating directly with each owner.”
For cases involving unique one-of-one NFTs that cannot be easily replaced, Gondi indicated it is in active discussions with affected collectors to determine alternative solutions.
Gondi operates as a decentralized, non-custodial NFT liquidity marketplace and lending protocol. Users can post NFTs as collateral for loans, lend assets to earn interest, and refinance their NFT positions. The platform enables borrowers to access liquidity without selling their digital assets outright.
The Sell & Repay feature in particular introduces additional complexity because it bundles multiple actions into a single transaction—selling collateral and repaying the loan simultaneously. When the ownership validation step failed, attackers were able to exploit that automation.
Systems like Gondi require complex smart contracts that coordinate collateral management, loan issuance, repayments, and asset transfers. Even small logic errors in these contracts can create openings for attackers, highlighting the elevated risk profile of NFT lending platforms where contract upgrades modify asset ownership checks or transaction authorization logic.
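The following is an added illustrative contract, not Gondi's code and not a reconstruction of the actual Purchase Bundler. It shows the defect class the article describes in a minimal Solidity form: a bundled sell-and-repay function that settles the loan and moves the escrowed NFT without first checking that the caller is the loan's borrower, beside a hardened version that adds that check and applies effects before external calls. The `Loan` layout, the `recordLoan` fixture, and the assumption that the buyer has pre-approved the bundler to pull a payment token are all simplifications made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces; only the calls the example needs.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative bundler (hypothetical, not the Gondi contract). The contract
// itself holds the escrowed collateral NFT for every active loan.
contract SellAndRepayExample {
    struct Loan {
        address borrower;     // the party entitled to sell the collateral
        address lender;       // receives the repayment
        address collection;   // ERC-721 contract of the collateral
        uint256 tokenId;
        uint256 repayAmount;  // principal + interest owed, in paymentToken
        bool active;
    }

    IERC20 public immutable paymentToken;
    mapping(uint256 => Loan) public loans;

    constructor(IERC20 token) {
        paymentToken = token;
    }

    // Fixture for the example only: in a real protocol loans are created by
    // the lending flow that escrows the NFT, never by an open setter.
    function recordLoan(uint256 loanId, Loan calldata loan) external {
        loans[loanId] = loan;
    }

    // VULNERABLE PATTERN (the class of bug described in the article):
    // the function checks the loan and the price, but never checks who the
    // caller is. Anyone can force the sale of another user's collateral,
    // naming themselves as buyer and collecting any surplus as "seller".
    function sellAndRepayUnchecked(uint256 loanId, address buyer, uint256 price) external {
        Loan storage loan = loans[loanId];
        require(loan.active, "loan not active");
        require(price >= loan.repayAmount, "price below debt");
        _settle(loan, buyer, price, msg.sender); // proceeds go to an unverified caller
    }

    // HARDENED: only the borrower recorded on the loan may bundle a sale with
    // repayment, and proceeds are paid to that borrower rather than to msg.sender.
    function sellAndRepay(uint256 loanId, address buyer, uint256 price) external {
        Loan storage loan = loans[loanId];
        require(loan.active, "loan not active");
        require(msg.sender == loan.borrower, "caller is not the borrower");
        require(buyer != address(0), "invalid buyer");
        require(price >= loan.repayAmount, "price below debt");
        _settle(loan, buyer, price, loan.borrower);
    }

    // Shared settlement: close the loan first (effects), then move funds and
    // the NFT (interactions), so a reentrant call sees an inactive loan.
    function _settle(Loan storage loan, address buyer, uint256 price, address proceedsTo) internal {
        loan.active = false;
        require(paymentToken.transferFrom(buyer, loan.lender, loan.repayAmount), "repay failed");
        uint256 surplus = price - loan.repayAmount;
        if (surplus > 0) {
            require(paymentToken.transferFrom(buyer, proceedsTo, surplus), "payout failed");
        }
        IERC721(loan.collection).transferFrom(address(this), buyer, loan.tokenId);
    }
}
```

The point for reviewers of an upgrade like the one described above is that the authorization check lives in one line and is easy to lose when a function is refactored or re-bundled; a test that calls the sell-and-repay path from a non-borrower address and expects a revert catches this class of regression before deployment.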
Q: What caused the Gondi exploit?
A: The exploit stemmed from faulty logic introduced in a February 20 upgrade to the Sell & Repay contract. The “Purchase Bundler” function failed to properly verify whether the caller was the legitimate owner or borrower of an NFT, allowing an attacker to trigger unauthorized transfers of approximately 78 NFTs valued at $230,000.
Q: How much was lost and who was affected?
A: Approximately 78 NFTs were drained across 40 transactions, including assets from Art Blocks, Doodles, and Beeple collections. One affected user lost approximately 55 ETH worth $108,000. The total number of victims has not been disclosed, but multiple wallets were impacted.
Q: What is Gondi doing to compensate victims?
A: Gondi is directly reimbursing affected users, returning stolen NFTs tracked down from unaware buyers, and using protocol fees to purchase comparable items from similar collections when identical NFTs cannot be recovered. Discussions are ongoing for unique one-of-one pieces.
Q: Is the Gondi platform safe to use now?
A: The vulnerable Sell & Repay feature remains disabled pending a fix, but all other platform functions, including buying, selling, listing, bidding, trading, and loan activities, are confirmed safe to resume. Security firm Blockaid and an independent auditor have reviewed the protocol since the attack.