Gondi NFT Lending Protocol Exploit Drains $230K in Digital Collectibles

A smart contract flaw in the NFT lending platform Gondi enabled attackers to siphon off dozens of digital collectibles valued at roughly $230,000, prompting the protocol to launch restitution efforts for affected users while deploying fixes to its lending infrastructure.

The exploit targeted a component of Gondi’s NFT loan system designed to automate the sale of collateralized assets and repay outstanding debt in a single transaction. Security analysts and blockchain records show the attacker drained 78 NFTs across around 40 transactions before the vulnerability was contained.

The incident underscores persistent security challenges in decentralized finance applications that combine lending mechanisms with NFT marketplaces.


Contract Logic Error Opened the Door to Unauthorized Transfers

The exploit appears to trace back to a new version of Gondi’s Sell & Repay contract released on Feb. 20, which introduced faulty logic within a function known internally as the Purchase Bundler.

That function is intended to bundle NFT sales with loan repayments, enabling borrowers to sell escrowed NFTs and automatically settle outstanding balances in a single transaction.

However, the flawed logic failed to properly verify whether the caller initiating a transaction was the legitimate borrower or owner of the NFT used as collateral.

This oversight created a pathway for attackers to trigger unauthorized transfers.
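To make that class of flaw concrete, here is an added illustration written for this article, not Gondi's code: a simplified sell-and-repay bundler in which the contract, its names and the settlement flow are all assumptions, showing the missing borrower check beside the corrected version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified model written for this article; not Gondi's code.
// Names (Loan, sellAndRepay, credits) are assumptions. Loan creation, the escrow
// deposit and a withdraw() for credits are omitted to keep the caller check in focus.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract SellAndRepayModel {
    struct Loan {
        address borrower;   // user who escrowed the NFT as collateral
        address lender;
        address collection; // ERC-721 contract of the collateral
        uint256 tokenId;
        uint256 debt;       // amount owed, in wei
        bool active;
    }

    mapping(uint256 => Loan) public loans;
    mapping(address => uint256) public credits; // pull-payment balances

    // Shared settlement: payment covers the debt, the lender is credited, the
    // NFT leaves escrow to the buyer, any surplus is credited to the borrower.
    function _settle(Loan storage loan, address buyer) internal {
        require(loan.active, "no active loan");
        require(msg.value >= loan.debt, "sale does not cover debt");
        loan.active = false;
        credits[loan.lender] += loan.debt;
        credits[loan.borrower] += msg.value - loan.debt;
        IERC721(loan.collection).transferFrom(address(this), buyer, loan.tokenId);
    }

    // VULNERABLE PATTERN (the class of flaw described above): nothing ties
    // msg.sender to the loan, so any caller can route another user's escrowed
    // collateral through the bundled sale.
    function sellAndRepayUnchecked(uint256 loanId, address buyer) external payable {
        _settle(loans[loanId], buyer);
    }

    // HARDENED PATTERN: only the borrower who escrowed the collateral may start
    // the sale. Same settlement logic, one added check.
    function sellAndRepay(uint256 loanId, address buyer) external payable {
        Loan storage loan = loans[loanId];
        require(msg.sender == loan.borrower, "caller is not the borrower");
        _settle(loan, buyer);
    }
}
```

The single `require(msg.sender == loan.borrower)` line is the kind of verification the article says was missing; a unit test that calls `sellAndRepay` from a non-borrower account and expects a revert is the cheapest regression check for it.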

Blockchain records on Etherscan show the exploiter consolidated the stolen assets into a wallet now labeled GONDI Exploiter, with the transactions unfolding across roughly 40 transfers.

Among the stolen assets were several high-value NFTs, including:

  • 44 Art Blocks tokens
  • 10 Doodles NFTs
  • Two works from Beeple’s “Spring Collection”
  • Additional collectible assets from other NFT series

Security firm Blockaid estimates the total value of the drained assets at approximately $230,000 at the time of the exploit.

Individual Collectors Absorb Significant Losses

Early blockchain analysis suggests some collectors experienced substantial losses.

NFT collector tinoch estimated that one victim alone lost about 55 ETH, valued at roughly $108,000 when the exploit was observed.

The theft highlights the financial exposure tied to NFT-backed lending markets, where high-value collectibles can be temporarily locked in escrow during borrowing arrangements.

When vulnerabilities arise in those systems, collateralized assets can become prime targets.


Platform Response Focuses on Restitution and Contract Repair

Gondi disabled the affected Sell & Repay feature shortly after identifying the exploit and is currently deploying a patched version of the contract.

According to the platform’s latest update, the vulnerability was isolated to that single component of the protocol.

Other marketplace and lending functions—including buying, listing, bidding, trading, loan origination, refinancing, and repayment—remained unaffected throughout the incident.

Security firm Blockaid and an independent auditor have reviewed the protocol since the exploit was discovered, according to the project team.

The platform initially urged users to avoid interacting with the protocol while investigators assessed the issue. That warning has since been lifted after the vulnerability was contained.


Efforts Underway to Compensate Affected Users

Gondi has begun compensating victims through several channels while tracing stolen assets across the blockchain.

The protocol confirmed it has already contacted users who interacted with the vulnerable contract and is working to return NFTs that were purchased by secondary buyers who may not have known the assets originated from the exploit.

For assets that cannot be recovered, the platform is deploying an alternative approach.

Protocol fees are being used to purchase comparable NFTs from similar collections to replace lost assets.

The team acknowledged that replacement items may not perfectly match the original pieces—particularly in the case of rare or one-of-one artworks—but said direct coordination with collectors is ongoing to determine fair compensation.

Discussions are also underway with parties involved in trades of unique NFTs that cannot be easily substituted.


NFT Lending Protocols Face Renewed Security Scrutiny

The exploit adds to a growing list of vulnerabilities affecting decentralized finance applications tied to NFT liquidity markets.

Protocols such as Gondi enable collectors to unlock capital by pledging NFTs as collateral for loans, allowing lenders to earn interest while borrowers maintain exposure to their digital assets.

But combining NFT marketplaces with complex lending contracts introduces additional layers of technical risk.

Even small errors in smart contract verification logic can create opportunities for attackers to manipulate transactions involving valuable digital collectibles.

Security specialists increasingly warn that NFT lending protocols must adopt more rigorous contract auditing and monitoring procedures as the sector grows.


DeFi-NFT Infrastructure Continues to Mature

Despite the incident, Gondi maintains that core platform operations remain secure and that users can resume normal activity across its lending and trading functions.

The project operates as a non-custodial NFT liquidity marketplace, enabling users to:

  • Use NFTs as collateral for loans
  • Provide liquidity by lending assets
  • Earn interest on NFT-backed loans
  • Refinance loan positions within the protocol

As NFT finance tools evolve, incidents like the Gondi exploit highlight the importance of security reviews, real-time monitoring, and transparent restitution mechanisms.

The protocol’s ability to compensate affected users may also shape how market participants assess risk in decentralized NFT lending systems going forward.


Source: https://www.theblock.co/post/392909/nft-platform-gondi-moves-users-whole-230000-contract-exploit