NFT lending platform Gondi has contained a security exploit that allowed an attacker to drain dozens of NFTs from multiple users, with total losses estimated at roughly $230,000, according to Blockaid. The incident stemmed from a newly deployed version of Gondi’s Sell & Repay contract, which is part of the platform’s lending system.

The Sell & Repay function lets borrowers sell NFTs held as collateral while automatically repaying the associated loan in a single bundled transaction. The contract version deployed on February 20 introduced a logic flaw in the “Purchase Bundler” function: it did not verify that the caller was the legitimate owner of the NFT or the borrower authorized to act on the loan. Because the check was missing, any account could invoke the bundled sale against other users’ positions, which is how the attacker triggered transfers and extracted assets from multiple users.

The scope of the exploit

Blockchain data from Etherscan shows 78 NFTs were drained across roughly 40 transactions to a wallet now labeled “GONDI Exploiter.” Notable stolen assets include:

  • 44 Art Blocks tokens
  • 10 Doodles
  • 2 Beeple “Spring Collection” NFTs
  • Several other high-value and unique 1/1 artworks

The total number of affected users remains undisclosed.

Gondi confirmed that NFTs tied to active loans were never at risk. The exploit specifically targeted the bundled sale-and-repay function, leaving other marketplace operations intact.

“The Sell & Repay feature remains disabled while we deploy a fix. All other functionality is fully operational,” Gondi said in a platform update.

Compensation efforts underway

Gondi has initiated a three-pronged approach to restore lost assets and compensate victims.

  1. Contacting affected users: The team reached out directly to wallets that interacted with the vulnerable contract.
  2. Recovering stolen NFTs: Some stolen tokens were purchased by buyers unaware of the exploit. Gondi has successfully coordinated returns of these items to their original owners.
  3. Repurchasing comparable items: For NFTs that cannot be recovered, the protocol is using collected fees to buy similar items from 1/1-of-X collections.

“While not the exact same piece, we believe this is a fair and meaningful resolution and are coordinating directly with each owner,” the team wrote.

Gondi is engaged in active discussions with users who lost unique one-of-one NFTs to develop alternative compensation solutions.

Security firm Blockaid and an independent auditor reviewed the protocol after the incident. The platform emphasized that all other functions, including buying, selling, listing, bidding, trading, refinancing loans, and starting new loans, are safe to resume.

Lessons for NFT lending platforms

Gondi’s experience illustrates the inherent risks of complex smart contract logic in NFT lending protocols. A bundled function that moves collateral and settles a loan in one call concentrates several privileged actions behind a single entry point; if that entry point does not check that the caller is the borrower (or owner) entitled to act on the loan, the bundle becomes a way for any account to dispose of other users’ collateral.
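The missing caller check described above, and in the earlier account of the Purchase Bundler flaw, is easiest to see side by side with the hardened form. The following Solidity is an added illustration written for this article; it is not Gondi’s contract and is not derived from it. The contract name, the escrow-and-bid settlement model, the storage layout and the function names are all assumptions made for the toy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-721 surface this toy needs.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

/// Hypothetical escrow-style NFT lending contract (illustration only, not Gondi's code).
/// The collateral NFT is held by this contract while a loan is open, and a buyer's
/// funds are parked as a bid. Settling a loan delivers the NFT to the buyer, repays
/// the lender and forwards any surplus to the borrower, all in one transaction.
contract ToySellAndRepay {
    struct Loan {
        address borrower;  // who pledged the collateral and owes the debt
        address lender;    // who is owed repayment
        uint256 debt;      // wei owed to the lender
        uint256 tokenId;   // collateral held by this contract
        bool active;
    }

    IERC721 public immutable nft;
    uint256 public nextLoanId;
    mapping(uint256 => Loan) public loans;
    mapping(uint256 => mapping(address => uint256)) public bids; // loanId => buyer => wei

    constructor(IERC721 _nft) {
        nft = _nft;
    }

    /// Setup: the borrower escrows an NFT it has approved to this contract.
    /// Principal payment, interest and duration are out of scope for the toy.
    function openLoan(uint256 tokenId, address lender, uint256 debt) external returns (uint256 loanId) {
        require(debt > 0, "no debt");
        nft.transferFrom(msg.sender, address(this), tokenId);
        loanId = nextLoanId++;
        loans[loanId] = Loan(msg.sender, lender, debt, tokenId, true);
    }

    /// A prospective buyer parks funds against a loan's collateral.
    function placeBid(uint256 loanId) external payable {
        require(loans[loanId].active, "no loan");
        bids[loanId][msg.sender] += msg.value;
    }

    /// VULNERABLE: nothing ties msg.sender to the loan. Any account can call this
    /// for any loan and decide when, and to which bidder, someone else's
    /// collateral is sold.
    function sellAndRepayVulnerable(uint256 loanId, address buyer) external {
        _settle(loanId, buyer);
    }

    /// FIXED: only the borrower who pledged the collateral may sell it. If
    /// delegation is needed, extend this to an explicit operator allow-list set
    /// by the borrower; never infer authorization from calldata alone.
    function sellAndRepay(uint256 loanId, address buyer) external {
        require(msg.sender == loans[loanId].borrower, "not borrower");
        _settle(loanId, buyer);
    }

    /// Shared settlement: checks, then state changes, then external calls.
    function _settle(uint256 loanId, address buyer) internal {
        Loan memory loan = loans[loanId];
        require(loan.active, "no loan");
        uint256 price = bids[loanId][buyer];
        require(price >= loan.debt, "bid below debt");

        // Effects before interactions so a re-entering callee sees a closed loan.
        loans[loanId].active = false;
        bids[loanId][buyer] = 0;

        nft.transferFrom(address(this), buyer, loan.tokenId);
        (bool repaid, ) = loan.lender.call{value: loan.debt}("");
        require(repaid, "repay failed");
        (bool paid, ) = loan.borrower.call{value: price - loan.debt}("");
        require(paid, "surplus failed");
    }
}
```

The two public entry points differ by one line. In the vulnerable form the bundle still enforces that the bid covers the debt and still pays the lender, so it looks "correct" from the lender's side; what it never asks is whether the caller had any right to sell this borrower's NFT at all. A unit test that calls `sellAndRepayVulnerable` from an address other than the borrower and expects a revert is the check that would have caught this class of bug before deployment.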

Active reimbursement strategies can help maintain user trust after exploits, but they rarely eliminate reputational damage. Gondi’s swift response, combined with targeted restitution and independent auditing, sets a standard for operational resilience in decentralized NFT finance.

The platform continues to monitor wallet activity and coordinate with affected users, signaling a commitment to transparency while reinforcing the importance of rigorous contract auditing in the NFT lending ecosystem.


Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that, despite the nature of much of the material created and hosted on this website, HODL FM operates as a media and informational platform, not a provider of financial advisory services. The opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice, HODL FM strongly recommends contacting a qualified industry professional.