Saturday, March 14, 2026

Gondi says platform secured after $230,000 NFT exploit tied to Purchase Bundler logic flaw


NFT lending protocol Gondi disclosed an exploit that led to the theft of roughly $230,000 in digital assets. Attackers moved about 78 NFTs across nearly 40 transactions by taking advantage of a logical weakness in Gondi’s Purchase Bundler contract during the Sell & Repay flow.

The root cause was not a failure to validate loan collateral. Instead, the incident exposed the risk of standing token approvals: wallets that had earlier granted the contract permission to move their NFTs remained exposed even for tokens that were not locked in any loan. That is a permissions-management weakness with implications for lenders, treasuries, and custodial operations.

How the exploit worked

Security reviews indicated that the Purchase Bundler contract did not properly check that the caller was authorized to act on the loan it named. Calls that emitted SellAndRepayExecuted events with empty loan identifiers passed through this path, letting the attacker move NFTs that were not active collateral but whose owners had previously approved the contract.
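To make the failure mode concrete, here is an added Python model of the problem; it is not Gondi's Solidity and not code from any auditor. It mimics an ERC-721-style operator-approval registry (setApprovalForAll / isApprovedForAll / transferFrom) and a hypothetical bundler with two versions of a sell-and-repay entry point. The vulnerable version reproduces the three conditions the reviews describe (no caller authorization check, an empty loan identifier accepted, a token moved that is not active collateral); the hardened version rejects each before exercising the contract's standing approval. All names (NFTCollection, Bundler, Loan, sell_and_repay_*, alice, mallory) and the scenario data are illustrative assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field


class Unauthorized(Exception):
    pass


@dataclass
class NFTCollection:
    """Minimal ERC-721-style registry: token id -> owner, plus operator approvals."""
    owners: dict[int, str]
    operators: dict[str, set[str]] = field(default_factory=dict)

    def set_approval_for_all(self, owner: str, operator: str, approved: bool) -> None:
        ops = self.operators.setdefault(owner, set())
        if approved:
            ops.add(operator)
        else:
            ops.discard(operator)

    def is_approved_for_all(self, owner: str, operator: str) -> bool:
        return operator in self.operators.get(owner, set())

    def transfer_from(self, caller: str, frm: str, to: str, token_id: int) -> None:
        # Mirrors ERC-721 transferFrom: the owner or an approved operator may move the token.
        if self.owners.get(token_id) != frm:
            raise Unauthorized("sender is not the token owner")
        if caller != frm and not self.is_approved_for_all(frm, caller):
            raise Unauthorized("caller is not an approved operator")
        self.owners[token_id] = to


@dataclass
class Loan:
    loan_id: str
    borrower: str
    token_id: int  # the collateral token


@dataclass
class Bundler:
    """Hypothetical bundler that borrowers have approved as operator for their NFTs."""
    address: str
    nft: NFTCollection
    loans: dict[str, Loan]
    events: list[dict] = field(default_factory=list)

    def sell_and_repay_vulnerable(self, caller: str, loan_id: str, seller: str,
                                  buyer: str, token_id: int) -> None:
        # Flaw modelled: nothing ties caller, loan_id and token_id together. The token
        # moves because the seller once granted this contract operator approval, so the
        # contract's own transfer call is accepted for ANY of the seller's tokens.
        self.nft.transfer_from(self.address, seller, buyer, token_id)
        self.events.append({"event": "SellAndRepayExecuted", "loanId": loan_id, "tokenId": token_id})

    def sell_and_repay_hardened(self, caller: str, loan_id: str, seller: str,
                                buyer: str, token_id: int) -> None:
        # Every caller-supplied value is checked against loan state first.
        if not loan_id:
            raise Unauthorized("empty loan id")
        loan = self.loans.get(loan_id)
        if loan is None:
            raise Unauthorized("unknown loan")
        if caller != loan.borrower or seller != loan.borrower:
            raise Unauthorized("caller is not the borrower of this loan")
        if token_id != loan.token_id:
            raise Unauthorized("token is not this loan's collateral")
        self.nft.transfer_from(self.address, seller, buyer, token_id)
        del self.loans[loan_id]
        self.events.append({"event": "SellAndRepayExecuted", "loanId": loan_id, "tokenId": token_id})


def new_state() -> tuple[NFTCollection, Bundler]:
    # Constructed scenario: alice owns token 1 (collateral for loan-1) and token 2 (idle)
    # and has granted the bundler setApprovalForAll, as a borrower must to open a loan.
    nft = NFTCollection(owners={1: "alice", 2: "alice"})
    bundler = Bundler(address="bundler", nft=nft, loans={"loan-1": Loan("loan-1", "alice", 1)})
    nft.set_approval_for_all("alice", bundler.address, True)
    return nft, bundler


def attacker_moves_idle_token(hardened: bool) -> tuple[str, str | None]:
    """mallory calls sell-and-repay on alice's idle token 2 with an empty loan id.
    Returns (owner of token 2 afterwards, error message or None)."""
    nft, bundler = new_state()
    fn = bundler.sell_and_repay_hardened if hardened else bundler.sell_and_repay_vulnerable
    try:
        fn(caller="mallory", loan_id="", seller="alice", buyer="mallory", token_id=2)
        error = None
    except Unauthorized as exc:
        error = str(exc)
    return nft.owners[2], error


def borrower_sells_collateral() -> tuple[str, int]:
    """The legitimate path still works under the hardened checks.
    Returns (owner of token 1 afterwards, number of open loans)."""
    nft, bundler = new_state()
    bundler.sell_and_repay_hardened(caller="alice", loan_id="loan-1", seller="alice",
                                    buyer="bob", token_id=1)
    return nft.owners[1], len(bundler.loans)
```

The point the model makes is that the approval itself is not the bug: a lending contract must hold operator approval to liquidate or sell collateral. The bug is that the contract exercised that approval on the strength of caller-controlled parameters, so the blast radius became every approved token rather than the collateral of the loan being repaid.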

Gondi moved quickly to contain the issue. The protocol disabled the Sell & Repay function tied to the affected contract address, 0xc10472ac1bf9f2e58ff2c83596b4535334c90814, and urged users to revoke approvals through tools such as Revoke.cash. Early blockchain monitoring and initial public alerts came from third-party security teams, including GoPlus Security.

The losses stretched across several high-value collections. Reported stolen assets included 44 Art Blocks pieces, 10 Doodles, two Bored Ape Yacht Club NFTs, including #1502, as well as works from KnownOrigin, LilPudgys, and SuperRare. Gondi also said independent security firms, including Blockaid and another auditor, reviewed conditions after the incident and confirmed that protocol security had been restored.

Recovery efforts and broader risk implications

In response, the team combined immediate containment with a broader remediation effort. That response included disabling the vulnerable function, telling users to revoke approvals, engaging external auditors, contacting affected users, attempting to recover NFTs acquired by secondary buyers, purchasing comparable assets for compensation, and negotiating solutions for unique 1/1 pieces.

Gondi said recovery operations were already under way and committed to reimbursement pathways for impacted wallets. The team also suspended related repayment activity until all required security validations had been completed, signaling that operational continuity would remain secondary to containment and review.

The exploit also underscored a broader structural risk in NFT-backed lending. Approval hygiene and contract call validation proved to be just as critical as private key security, especially for platforms, node operators, and integrators that need to monitor token approval flows and flag unusual SellAndRepay event patterns.
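As an added example for integrators, not tooling from Gondi, GoPlus or Blockaid, the Python below runs the two checks named above over a handful of constructed, already-decoded log records. It flags SellAndRepayExecuted events from the disabled contract address that carry an empty loan identifier or that move a token the lender's own records do not show as active collateral, and it replays ERC-721 ApprovalForAll events in chain order to list wallets that still hold a standing approval to that contract and should be told to revoke. Field names, the placeholder wallet and collection labels, and the treatment of an all-zero bytes32 as an empty loan id are assumptions.

```python
from __future__ import annotations

# Address of the Sell & Repay contract Gondi disabled (from the disclosure).
BUNDLER = "0xc10472ac1bf9f2e58ff2c83596b4535334c90814"

# Constructed, already-decoded log records. Field names are an assumption about how a
# decoder presents them; wallet and collection names are placeholders, not real data.
EVENTS = [
    {"block": 100, "logIndex": 0, "event": "ApprovalForAll", "collection": "artblocks",
     "owner": "alice", "operator": BUNDLER, "approved": True},
    {"block": 101, "logIndex": 0, "event": "ApprovalForAll", "collection": "artblocks",
     "owner": "bob", "operator": BUNDLER, "approved": True},
    {"block": 102, "logIndex": 0, "event": "ApprovalForAll", "collection": "artblocks",
     "owner": "bob", "operator": BUNDLER, "approved": False},  # bob revoked
    {"block": 105, "logIndex": 3, "event": "SellAndRepayExecuted", "address": BUNDLER,
     "loanId": "0x01", "collection": "artblocks", "tokenId": 7, "seller": "alice"},
    {"block": 106, "logIndex": 1, "event": "SellAndRepayExecuted", "address": BUNDLER,
     "loanId": "0x" + "00" * 32, "collection": "artblocks", "tokenId": 42, "seller": "alice"},
    {"block": 106, "logIndex": 0, "event": "SellAndRepayExecuted", "address": BUNDLER,
     "loanId": "0x02", "collection": "doodles", "tokenId": 9, "seller": "alice"},
    {"block": 107, "logIndex": 0, "event": "SellAndRepayExecuted", "address": "0xotherprotocol",
     "loanId": "", "collection": "artblocks", "tokenId": 1, "seller": "carol"},
]

# Collateral the lender's own records say is locked in an open loan (constructed).
ACTIVE_COLLATERAL = {("artblocks", 7)}


def is_empty_loan_id(loan_id: str) -> bool:
    """Treat a missing string or an all-zero hex value as 'empty' (encoding assumption)."""
    return loan_id in ("", "0x") or set(loan_id[2:]) <= {"0"}


def ordered(events: list[dict]) -> list[dict]:
    """Chain order: by block, then by log index within the block."""
    return sorted(events, key=lambda e: (e["block"], e["logIndex"]))


def flag_sell_and_repay(events: list[dict], active_collateral: set[tuple[str, int]],
                        bundler: str = BUNDLER) -> list[dict]:
    """Alert on SellAndRepayExecuted events from the bundler that carry an empty loan id
    or move a token that is not currently collateral. Events from other contracts are ignored."""
    alerts = []
    for ev in ordered(events):
        if ev["event"] != "SellAndRepayExecuted" or ev["address"].lower() != bundler:
            continue
        reasons = []
        if is_empty_loan_id(ev["loanId"]):
            reasons.append("empty loanId")
        if (ev["collection"], ev["tokenId"]) not in active_collateral:
            reasons.append("token not active collateral")
        if reasons:
            alerts.append({"block": ev["block"], "collection": ev["collection"],
                           "tokenId": ev["tokenId"], "seller": ev["seller"], "reasons": reasons})
    return alerts


def standing_approvals(events: list[dict], operator: str = BUNDLER) -> list[tuple[str, str]]:
    """Replay ApprovalForAll in chain order; the latest value per (owner, collection) wins.
    Returns the (owner, collection) pairs that still have approval granted to `operator`."""
    state: dict[tuple[str, str], bool] = {}
    for ev in ordered(events):
        if ev["event"] != "ApprovalForAll" or ev["operator"].lower() != operator:
            continue
        state[(ev["owner"], ev["collection"])] = ev["approved"]
    return sorted(key for key, approved in state.items() if approved)


if __name__ == "__main__":
    for alert in flag_sell_and_repay(EVENTS, ACTIVE_COLLATERAL):
        print("ALERT", alert)
    print("still approved:", standing_approvals(EVENTS))
```

Two design choices matter in practice. First, the "active collateral" check needs a source of truth outside the event stream (the lender's loan book), because the event that should carry the loan identifier is exactly the field the attacker left empty. Second, approvals must be replayed in order, not counted: a wallet that granted and later revoked must drop out of the list, or the revocation campaign will keep nagging users who already acted.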

For market participants and institutional treasuries, the near-term impact is both operational and market-related. The incident points to temporary pressure on liquidity in the affected collections and renewed counterparty risk for platforms that keep approval pathways connected to user wallets. How far recovery and reimbursement efforts succeed will likely shape short-term availability and price discovery for the stolen NFTs.

Gondi’s engagement with external auditors and its statement that security has been restored should reduce the chance of a recurrence through the same vector. Even so, continued auditor transparency and a formal post-mortem detailing the contract validation failures will remain essential for oracle, custodian, and lending integrations evaluating operational risk and resource allocation around Gondi.
