NFT Lender Gondi Secured After $230K Exploit
NFT lending protocol Gondi disabled its faulty Sell & Repay smart contract after a $230K exploit. The platform has since been cleared as safe by Blockaid and an independent auditor.

What to Know
- $230,000 worth of NFTs were stolen from Gondi's Sell & Repay smart contract on Monday at 8:12 am UTC
- 78 NFTs were drained in the exploit, confirmed by Ethereum block explorer Etherscan data
- One wallet (0x8d1…47051) lost approximately $108,000 — nearly half of total stolen funds
- Gondi has disabled the faulty contract and confirmed the platform is safe to use following review by Blockaid and an independent auditor

NFT lending protocol Gondi says its platform is secure again after a hacker exploited a smart contract vulnerability Monday morning and walked away with roughly $230,000 in stolen NFTs — but the protocol still hasn't explained how the attack actually worked.
What Happened to Gondi?
How did the Sell & Repay exploit unfold?
The attack hit Gondi at approximately 8:12 am UTC on Monday, according to Ethereum block explorer Etherscan. The target was the platform's Sell & Repay contract — a feature that lets borrowers sell escrowed NFTs and automatically repay outstanding loans in a single transaction. Convenient. Also, as it turned out, exploitable.
Gondi confirmed in an X post that 78 NFTs were stolen through this mechanism. The protocol noted that an updated version of that same contract had been deployed on February 20, though it declined to confirm how the hacker managed to exploit it despite that update. That silence is doing a lot of work right now.
Blockchain security firm Blockaid put the total damage at $230,000. The faulty contract has since been disabled — but Gondi has not yet deployed a replacement.
Our focus has shifted entirely to making affected users whole.
Who Got Hit — and Who Got Their NFTs Back?
Crypto researcher Tinoch flagged on X that a single wallet — 0x8d1…47051 — accounted for roughly $108,000 of the losses, nearly half the total stolen. That's one person taking the brunt of a platform-wide failure.
Not everything stayed stolen, though. Members of the NFT community managed to intercept and return several of the drained tokens: Doodle, Aluminum Gazer, Lil Pudgy, and Servant of the Muse NFTs all made it back to their owners. Blockaid noted the hacker had already begun offloading some of the stolen assets before those recoveries happened.
For the NFTs that couldn't be retrieved, Gondi said it has already purchased "comparable items" from the same collections and transferred them directly to affected wallet owners — with more restorations ongoing for any remaining cases.
Is Gondi Safe to Use Now?
Short answer: yes, according to two separate reviews. Blockaid and an independent auditor both examined the platform after the incident and cleared it for use. The only disabled feature is the Sell & Repay contract itself — everything else is running.
Gondi confirmed that repaying, renegotiating, and refinancing existing loans are all available. New loans are open too. Buying, selling, trading, and listing NFTs on the platform continue as normal — so the core lending functionality survived intact, just not the contract at the center of Monday's mess.
What Gondi still owes its users is an explanation. Deploying an updated contract on February 20 and then getting exploited anyway — without any public account of how — isn't a great look for a protocol that holds people's collateral.
