Gondi's $230K NFT Lending Exploit: How a Missing Caller Check Drained 78 Blue-Chip NFTs
A single missing authorization check. Seventeen days undetected. Seventy-eight blue-chip NFTs — including Art Blocks, Doodles, and Beeple pieces — siphoned from wallets that never initiated a transaction. The Gondi exploit of March 9, 2026 is a masterclass in how "convenience features" can become attack surfaces, and why the NFT lending sector faces security challenges that fungible-token DeFi never had to confront.
What Is Gondi and Why It Matters
Gondi is a decentralized peer-to-peer NFT lending protocol that lets users borrow WETH, USDC, or HYPE against their NFT collateral — no oracles, no forced liquidations, and pro-rata interest. With over $100 million in total value locked, $45 million in outstanding debt, and annualized loan volume above $400 million across 150+ supported collections, Gondi had established itself as one of the largest NFT liquidity marketplaces in the space.
The protocol introduced innovations like instant partial refinancing, continuous underwriting, and multi-tranche lending. One of its convenience features, "Sell & Repay," allowed borrowers to sell escrowed NFTs and automatically repay loans in a single bundled transaction — reducing friction and gas costs.
It was this convenience feature that became the attack vector.
Anatomy of the Exploit
The Vulnerable Contract
On February 20, 2026, Gondi deployed an updated version of its Sell & Repay contract. The new version included a "Purchase Bundler" function designed for batch operations. But the function contained a critical flaw: it did not properly verify whether the caller (msg.sender) was the legitimate owner or borrower of the NFTs being transacted.
How the Attack Unfolded
On March 9 — seventeen days after deployment — an attacker discovered and exploited this gap:
- Reconnaissance: The attacker scanned public blockchain data for wallets that had granted active token approvals to the vulnerable Gondi contract.
- Crafted Calls: Using their own wallet, the attacker called the Purchase Bundler function with fabricated executionData containing the targeted NFT details.
- Bypassed Authorization: Because the contract never checked whether the caller was the rightful owner, it treated each call as legitimate.
- Drained via Approvals: The contract used existing user approvals to transfer NFTs from victims' wallets — without the victims ever signing a new transaction.
Across approximately 40 transactions, the attacker drained 78 NFTs to an address now labeled "GONDI Exploiter" on Etherscan.
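To make the missing check concrete, here is a hypothetical minimal purchase bundler written for this article, not Gondi's contract: the first version moves whatever token the caller names using an existing approval, the second ties every transfer to msg.sender. The contract names, the ExecutionData layout, and the omission of payment and escrow handling are all assumptions (in an escrowed loan the check would be against the recorded borrower rather than direct ownership).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface used by the bundler.
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical calldata shape; NOT Gondi's actual data layout.
struct ExecutionData {
    address collection; // ERC-721 contract
    uint256 tokenId;
    address seller;     // supplied by the caller
    address buyer;
}

// Hypothetical bundler modelled on the flaw the article describes.
contract UnsafePurchaseBundler {
    // VULNERABLE: `seller` comes straight from calldata and is never
    // compared with msg.sender. Any wallet that has approved this
    // contract can be drained by any caller who names it as `seller`,
    // without that wallet signing anything new.
    function purchaseBundle(ExecutionData[] calldata items) external {
        for (uint256 i = 0; i < items.length; i++) {
            IERC721(items[i].collection).transferFrom(
                items[i].seller, items[i].buyer, items[i].tokenId
            );
        }
    }
}

// Hardened form: the caller must be the seller and must currently own
// the token, so an outstanding approval alone is not enough to move it.
contract SafePurchaseBundler {
    function purchaseBundle(ExecutionData[] calldata items) external {
        for (uint256 i = 0; i < items.length; i++) {
            ExecutionData calldata item = items[i];
            require(item.seller == msg.sender, "caller is not the seller");
            IERC721 nft = IERC721(item.collection);
            require(nft.ownerOf(item.tokenId) == msg.sender, "caller does not own token");
            // Transfer from msg.sender only, never from a caller-chosen address.
            nft.transferFrom(msg.sender, item.buyer, item.tokenId);
        }
    }
}
```

The two require statements are the whole difference: with them, an approval granted to the bundler can only ever be exercised by the wallet that granted it.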
What Was Stolen
The haul included some of the most recognizable collections in the NFT ecosystem:
- 44 Art Blocks tokens — generative art pieces from one of Ethereum's most prestigious collections
- 10 Doodles — blue-chip PFP collection with strong community backing
- 2 Beeple "Spring Collection" pieces — from the artist whose $69 million Christie's sale catalyzed the NFT boom
- 22+ additional NFTs from SuperRare and other high-value collections
NFT collector tinoch estimated that a single victim (wallet 0x8d1...47051) lost approximately 55 ETH — roughly $108,000 — accounting for nearly half the total exploit value.
Why Existing Audits Missed It
The vulnerability was not in Gondi's core lending logic, which had been audited and battle-tested. It lived in a peripheral "convenience" function — the Purchase Bundler — that was part of a newly deployed contract. Standard audit scopes typically focus on core protocol mechanics: collateral handling, liquidation logic, interest calculations. Peripheral features added after initial deployment often receive less scrutiny, creating blind spots that attackers specifically target.
This pattern is disturbingly common. According to security data from 2024-2025, access control vulnerabilities accounted for $953.2 million in documented damages. Business logic flaws — exactly the category Gondi's bug falls into — have risen to the number-two position in OWASP's smart contract vulnerability rankings, reflecting DeFi's increasing complexity.
Gondi's Response: A Case Study in Crisis Management
Gondi's post-exploit response was notably swift and transparent, setting a benchmark for how protocols should handle security incidents.
Immediate Actions
- Identified and disabled the vulnerable Sell & Repay contract within hours
- Confirmed that active loan collaterals were unaffected — only idle NFTs (those not currently in active loans) were vulnerable
- Resumed most platform operations the following day after emergency audits by Blockaid and independent reviewers
Restitution Strategy
Rather than simply offering ETH compensation, Gondi took a more nuanced approach:
- Direct recovery: The team tracked stolen NFTs across secondary markets, identifying buyers who were seemingly unaware the assets originated from the exploit. Those items are being returned to original owners.
- Comparable replacement: For NFTs that could not be recovered directly, Gondi began using protocol fees to purchase "comparable items" from the same collections. As the team stated: "While not the exact same piece, we believe this is a fair and meaningful resolution."
- Individual coordination: The team reached out directly to every user who had interacted with the vulnerable contract, regardless of whether they were affected.
This approach recognizes something unique about NFTs: unlike fungible tokens, each piece has distinct characteristics. Returning "equivalent value" in ETH would not make a collector whole if they lost a specific Art Blocks generative piece or a particular Doodle.
Lessons for the NFT Lending Ecosystem
1. Approval Hygiene Is Non-Negotiable
The exploit was only possible because users had active token approvals to the vulnerable contract. This is a systemic issue across DeFi and NFT platforms: users routinely grant unlimited approvals to smart contracts and never revoke them.
For users: Regularly audit and revoke unnecessary token approvals using tools like Revoke.cash or Etherscan's token approval checker. Limit approvals to the minimum necessary amount and duration.
2. Peripheral Features Need Core-Level Audits
The Sell & Repay Purchase Bundler was a convenience feature, not core lending logic. But it had access to the same user approvals and contract permissions. Any function that can move user assets — regardless of how "auxiliary" it seems — must receive the same audit rigor as the protocol's primary functions.
3. Time-Delayed Deployment Monitoring
The vulnerable contract sat live for 17 days before exploitation. Protocols should implement:
- Post-deployment monitoring with anomaly detection on new contracts
- Staged rollouts where new features launch with transaction limits before full deployment
- Bug bounty amplification during the first 30 days after any contract upgrade
4. NFT Lending Has Unique Security Challenges
Unlike fungible token DeFi, where assets are interchangeable, NFT lending protocols must contend with:
- Approval-based attack vectors that can drain specific, irreplaceable assets
- Complex collateral management across hundreds of collections with different standards
- Recovery complexity when stolen assets enter secondary markets and innocent buyers are involved
- Valuation ambiguity that makes "making whole" difficult when comparable replacements may not exist
With 78+ NFT lending and rental platforms now operating, the industry needs shared security standards and coordinated vulnerability disclosure frameworks.
The Broader Smart Contract Security Landscape
Gondi's exploit did not happen in a vacuum. The first half of 2025 alone saw $3.1 billion lost to smart contract exploits. Attackers now exploit vulnerabilities within an average of five days of discovery, down from 32 days just two years ago — meaning the window for detection and patching is shrinking fast.
Comprehensive smart contract audits in 2025 typically cost between $25,000 and $150,000. Static analysis tools like MythX and Slither can detect roughly 92% of known vulnerability patterns, but they still miss edge-case logic issues — precisely the kind of business logic flaw that allowed the Gondi exploit.
The takeaway is clear: audits are necessary but not sufficient. Protocols need layered security including formal verification, continuous monitoring, staged deployments, and active bug bounty programs.
Looking Ahead
The Gondi incident will likely accelerate several trends in the NFT lending space:
- Insurance products specifically designed for NFT collateral and lending protocols
- Standardized security frameworks for NFT-specific smart contract interactions
- On-chain approval management tools built directly into lending protocol interfaces
- Real-time monitoring dashboards that flag unusual approval-based transfers
Gondi's transparent response and commitment to full restitution may actually strengthen user trust in the long run. But the exploit serves as a stark reminder: in smart contract security, there are no "minor" features. Every function that touches user assets is a potential attack surface, and the cost of a missing require statement can be measured in irreplaceable digital art.
Building on blockchain infrastructure requires security at every layer. BlockEden.xyz provides enterprise-grade RPC and API services with built-in reliability for developers building across Ethereum, Sui, Aptos, and 20+ chains. Explore our API marketplace to build on foundations designed to last.