Gondi Disables Smart Contract After $230,000 NFT Exploit
Gondi Disables Sell & Repay Contract After $230,000 NFT Exploit – Platform Says Core Functions Remain Secure
Key Takeaways
- NFT lending protocol Gondi disabled its Sell & Repay smart contract after a $230,000 exploit.
- Blockchain data shows 78 NFTs were stolen at approximately 8:12 am UTC.
- Gondi states that no other part of the platform was affected.
- The company is compensating affected users, including purchasing comparable NFTs.
- Blockaid and an independent auditor reviewed the platform and deemed it safe to use.
Exploit Targeted Sell & Repay Smart Contract
Gondi, an NFT lending protocol, reported that a hacker exploited its Sell & Repay smart contract, resulting in the theft of approximately $230,000 worth of nonfungible tokens. According to the company, the affected contract allows borrowers to sell escrowed NFTs and automatically repay outstanding loans on the platform.
The incident occurred at around 8:12 am UTC, when 78 NFTs were transferred out of the protocol. Data from Ethereum block explorer Etherscan confirms the timing and number of assets involved. Blockchain security platform Blockaid estimated the total damage at $230,000.
Gondi stated that it has since disabled the faulty contract. The company also clarified that no other part of its infrastructure was impacted by the exploit.
Updated Contract Had Been Deployed in February
Gondi noted that an updated version of the Sell & Repay contract had been deployed on Feb. 20. The company did not provide technical details on how the attacker was able to exploit the contract following that update.
At the time of reporting, a new fix for the Sell & Repay contract had not yet been deployed. The vulnerable component remains disabled while the company works on remediation.
Despite the incident, Gondi stated that users can continue to engage with other core functions of the platform. These include repaying, renegotiating, and refinancing loans, starting new loans, and buying, selling, trading, and listing NFTs.
Security Review Conducted by Blockaid and Independent Auditor
Following the exploit, Gondi said that both Blockaid and an independent auditor reviewed the platform. According to the company, the review concluded that the system is safe to use in its current state, excluding the disabled contract.
The company emphasized that its focus has shifted to compensating affected users. This includes direct engagement with NFT owners who suffered losses during the exploit.
Blockchain security firms such as Blockaid typically analyze smart contract behavior and transaction patterns to identify vulnerabilities or malicious activity. In this case, Blockaid not only estimated the financial damage but also tracked the movement of stolen NFTs.
Community Efforts Lead to Partial NFT Recovery
Blockaid reported that the attacker had begun selling some of the stolen NFTs. However, members of the NFT community were able to recover and return several assets. Gondi identified recovered items including Doodle, Aluminum Gazer, Lil Pudgy, and Servant of the Muse NFTs.
The company added that discussions are ongoing regarding additional items, including NFTs from the Taxmen collection.
Crypto researcher Tinoch reported that one user, identified by the wallet address 0x8d1…47051, lost approximately $108,000 worth of NFTs. This amount represents nearly half of the total value stolen in the exploit.
Compensation Through Comparable NFT Purchases
Gondi stated that it has already purchased comparable items from the same NFT collections as those stolen and transferred them to affected owners. The company acknowledged that these replacements are not the exact same tokens but described them as a fair and meaningful resolution.
The process of compensation is ongoing. Gondi said it will continue acquiring comparable NFTs for any remaining cases and coordinate directly with each impacted user.
This approach reflects the structure of NFT markets, where individual tokens within the same collection can vary in traits and value. By purchasing items from the same collections, Gondi aims to restore users to a position comparable to the one they held before the exploit.
Operational Continuity After the Incident
According to Gondi, activities unrelated to the disabled Sell & Repay contract remain operational. Users can continue to manage loans and trade NFTs on the platform.
The incident highlights the operational risks associated with smart-contract-based lending mechanisms. In NFT lending models, escrowed assets are typically locked in contracts that automate collateral management and repayment processes. Because such a contract holds custody of the collateral, a vulnerability in it puts every asset it holds at risk if exploited.
In this case, Gondi maintains that the vulnerability was isolated and that broader platform functionality was not compromised.
Our Assessment
The exploit resulted in the theft of 78 NFTs valued at approximately $230,000 and was limited to Gondi’s Sell & Repay smart contract. The company disabled the affected contract, conducted a review with Blockaid and an independent auditor, and began compensating users through the purchase of comparable NFTs. Other platform functions remain active while remediation of the contract continues.