An **NFT theft** on the Gondi liquidity and lending platform resulted in the pilfering of 78 non-fungible tokens, valued at approximately $230,000. This incident, identified by security firm Blockaid on Thursday, March 12, 2026, was directly linked to a critical flaw in an updated version of Gondi’s “Sell & Repay” smart contract, which had been deployed just weeks prior on February 20.
The “Sell & Repay” contract was initially designed to streamline the process for borrowers, enabling them to sell NFTs held as collateral and automatically repay associated loans within a single, efficient transaction. However, the faulty logic embedded within the contract’s “Purchase Bundler” function failed to adequately verify the caller’s legitimacy, meaning it couldn’t confirm if the individual initiating the transaction was the true owner or authorized borrower of the NFT. This critical oversight created a vulnerability that an attacker exploited to trigger unauthorized transfers, draining valuable digital assets from multiple unsuspecting users.
Understanding the Gondi Exploit: Key Details
The **NFT theft** unfolded on Monday, March 9, 2026, with the first unauthorized transactions occurring around 8:12 AM UTC. Gondi, an established NFT liquidity and lending platform operating on the Ethereum network, was the target. In total, approximately 78 NFTs were stolen, carrying an estimated value of roughly $230,000. These assets were systematically drained through about 40 distinct transactions, highlighting a coordinated attack.
The stolen digital collection was diverse and high-value, including 44 Art Blocks tokens, 10 Doodles, and two coveted NFTs from Beeple’s “Spring Collection,” alongside various other significant pieces. The impact on individual users was substantial; one wallet, identified as “0x8d1… 47051,” reportedly suffered a loss of about 55 ETH, equivalent to approximately $108,000 at the time of the exploit. This single loss accounted for nearly half of the total stolen value, underscoring the severity of the incident for specific victims. All stolen assets were subsequently routed to a specific wallet, now publicly labeled as the “GONDI Exploiter.”
“The swift identification of the vulnerability and subsequent disabling of the affected contract feature by Gondi was crucial in preventing further losses, showcasing a commitment to user security amidst the crisis.”
Following the discovery, Gondi promptly disabled the compromised “Sell & Repay” contract feature. The platform has assured its user base that other core functionalities, such as buying, selling, listing, bidding, trading, refinancing existing loans, and initiating new loans, remain fully operational and secure. Users are encouraged to continue using these features with confidence.
Gondi’s Response and User Compensation Pledge
In the aftermath of the exploit, Gondi has publicly committed to compensating all affected users. The platform’s team has proactively contacted those impacted and is actively working to recover the stolen NFTs, including those that may have been acquired by “innocent buyers” unaware of their illicit origin. For any NFTs that prove unrecoverable, Gondi has pledged to utilize its protocol fees to purchase “comparable items” from the same collections, ensuring victims receive fair restitution. The broader NFT community has also played a supportive role, aiding in the recovery of several NFTs, including a Doodle, an Aluminum Gazer, a Lil Pudgy, and a Servant of the Muse.
To reinforce user trust and enhance security, Gondi has undergone thorough reviews by both Blockaid and an independent auditor. Both entities have concluded that the platform is now safe for continued use. As a precautionary measure, users who had previously authorized the vulnerable contract (0xc10472ac1bf9f2e58ff2c83596b4535334c90814) were strongly advised to revoke their permissions immediately to prevent any potential future exploitation. This incident underscores the ongoing related Fraudulents news and the critical importance of robust smart contract auditing in the rapidly evolving Web3 space.
The Gondi **NFT theft** highlights the persistent security challenges within the decentralized finance (DeFi) and NFT ecosystems. While the platform acted swiftly to contain the damage and has committed to compensating victims, it serves as a stark reminder for both platforms and users to remain vigilant against smart contract vulnerabilities. Continuous auditing and user education are paramount in safeguarding digital assets in this innovative, yet often risky, frontier.




