
Blockaid detected a $230K Gondi NFT lending exploit after attackers drained 40 NFTs including BAYC and Doodles.
Author: Kritika Gupta
9th March 2026 - In a stark reminder of ongoing DeFi vulnerabilities, blockchain security firm Blockaid has detected a $230,000 exploit targeting the Gondi NFT lending protocol on Ethereum. According to the alert, attackers drained roughly 40 NFTs from user wallets and quickly began listing the stolen assets on secondary markets. The stolen pieces include high-profile collections such as Bored Ape Yacht Club and Doodles. As a result, security researchers and community members are urging users to immediately revoke approvals and secure their wallets. The incident highlights the persistent risks associated with smart contract approvals in NFT lending systems.
High Signal Summary For A Quick Glance
BBA
@ape6743
It appears there has been an exploit on the Gondi platform that allowed some NFTs to be stolen. The team is currently investigating the situation and will report back as soon as possible. While the exploit appears to affect only a specific use case and assets in custody remain
09:51 AM·Mar 9, 2026
The Gondi NFT lending exploit originated from a vulnerability in Gondi’s PurchaseBundler smart contract. This contract is designed to simplify complex transactions by bundling NFT purchases, sales, and loan repayments into a single execution. However, attackers discovered a way to manipulate the contract’s event logic.
Specifically, the exploit involved generating SellAndRepayExecuted events with empty loan identifiers. Because of this flaw, the contract failed to properly validate whether the transaction was authorized. As a result, the attacker could transfer NFTs from wallets that had previously granted approval to the PurchaseBundler contract.
Although this represents Gondi's first major security breach since its launch in 2023, similar approval-based exploits have affected several platforms across the NFT ecosystem. For example, the well-known OpenSea phishing incident in 2022 resulted in multiple blue-chip NFTs being stolen after attackers abused previously granted marketplace approvals.
Furthermore, past incidents show that market reactions to such breaches can extend beyond the initial theft. For instance, the January 2026 exploit on the Flow blockchain disrupted NFT lending markets and triggered a rapid decline in prices. NFT collections connected to the ecosystem fell sharply, while trading volumes temporarily collapsed.
The attack occurred on March 9, 2026 at approximately 8:12 AM UTC through a single transaction executed on Ethereum. Blockchain data shows that the operation originated from the address 0x8d171c74c85cd2ec9f38143dd5d8a7c89df47051 and consumed more than 9.4 million gas units.
Although the transaction did not directly transfer ETH, it orchestrated the movement of at least 40 NFTs across ten different collections. Among the most notable assets were Bored Ape Yacht Club #1502, several Doodles tokens, and artworks from Art Blocks, SuperRare, and Lil Pudgys.
The attacker first granted temporary operator approvals to a burner address. Then the NFTs moved through an intermediary contract before arriving in the attacker’s main wallet. Meanwhile, the contract emitted ApprovalForAll and TransferFrom events alongside the misleading SellAndRepayExecuted signals. Consequently, the blockchain logs made the transfers appear similar to legitimate loan liquidations.
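The event pattern described above (a SellAndRepayExecuted signal with an empty loan identifier accompanying NFT transfers out of third-party wallets) can be turned into a simple detection rule over decoded logs. The following is an added example, not code from Gondi or Blockaid; the event field names and the constructed sample events are assumptions, since the real PurchaseBundler ABI is not given on this page.

```python
from collections import defaultdict

# Loan identifiers treated as "empty". The exact encoding the contract used is
# not on the page, so this set is an assumption covering common decodings.
EMPTY_LOAN_IDS = {None, "", "0", "0x0", "0x" + "0" * 64, 0}


def is_empty_loan(loan_id) -> bool:
    if isinstance(loan_id, str):
        loan_id = loan_id.strip().lower()
    return loan_id in EMPTY_LOAN_IDS


def flag_suspicious_transfers(events):
    """Group decoded events by transaction. If a tx carries a
    SellAndRepayExecuted with an empty loan id, report every NFT Transfer in
    that same tx whose `from` wallet is not the transaction sender: a
    legitimate sell-and-repay moves the borrower's own NFT, not someone else's."""
    by_tx = defaultdict(list)
    for ev in events:
        by_tx[ev["tx"]].append(ev)
    findings = []
    for tx, evs in by_tx.items():
        if not any(ev["name"] == "SellAndRepayExecuted"
                   and is_empty_loan(ev.get("loanId")) for ev in evs):
            continue
        for ev in evs:
            if ev["name"] == "Transfer" and ev["from"].lower() != ev["sender"].lower():
                findings.append({"tx": tx, "collection": ev["collection"],
                                 "tokenId": ev["tokenId"], "victim": ev["from"],
                                 "reason": "empty loan id; NFT left a third-party wallet"})
    return findings


# Constructed sample (hypothetical addresses and tx hashes), in chain order.
SAMPLE_EVENTS = [
    # Legitimate flow: real loan id, the borrower's own NFT moves.
    {"tx": "0xaaa", "sender": "0xborrower", "name": "SellAndRepayExecuted", "loanId": "12345"},
    {"tx": "0xaaa", "sender": "0xborrower", "name": "Transfer", "collection": "0xdoodles",
     "tokenId": 77, "from": "0xborrower", "to": "0xbuyer"},
    # Exploit-like flow: operator approval to a burner, empty loan id, and an NFT
    # leaving a wallet that merely had an approval granted to the bundler.
    {"tx": "0xbbb", "sender": "0xattacker", "name": "ApprovalForAll", "owner": "0xattacker",
     "operator": "0xburner", "approved": True},
    {"tx": "0xbbb", "sender": "0xattacker", "name": "SellAndRepayExecuted", "loanId": ""},
    {"tx": "0xbbb", "sender": "0xattacker", "name": "Transfer", "collection": "0xbayc",
     "tokenId": 1502, "from": "0xvictim", "to": "0xattacker"},
]
```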
Shortly after the theft, the exploiter began listing the stolen NFTs for sale on secondary markets such as OpenSea. If buyers purchase these assets quickly, the attacker could convert the NFTs into liquid funds before investigators can intervene.
At the time of writing, the Gondi team has not released an official statement. However, Blockaid issued a public warning on X advising users to revoke approvals linked to the vulnerable PurchaseBundler contract. Security experts recommend using tools such as Revoke.cash to remove these permissions.
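Revoking an approval means calling the ERC-721 `setApprovalForAll(operator, false)` on each collection where the vulnerable contract is still an approved operator. The following added example (not Gondi's or Revoke.cash's code) replays a wallet's ApprovalForAll history to find the approvals that are still live and builds the revocation calldata; the wallet, collection and bundler addresses are placeholders, since the page does not give the contract address.

```python
# Known ERC-721 selector: first 4 bytes of keccak256("setApprovalForAll(address,bool)").
SET_APPROVAL_FOR_ALL = "a22cb465"


def outstanding_operators(events, owner):
    """Replay ApprovalForAll events in chain order; the most recent value for
    each (collection, operator) pair is the current on-chain state."""
    state = {}
    for ev in events:
        if ev["name"] != "ApprovalForAll" or ev["owner"].lower() != owner.lower():
            continue
        state[(ev["collection"].lower(), ev["operator"].lower())] = ev["approved"]
    return {pair for pair, approved in state.items() if approved}


def approvals_to_revoke(events, owner, flagged_operators):
    """Live approvals granted to any operator on the flagged list."""
    flagged = {op.lower() for op in flagged_operators}
    return sorted(pair for pair in outstanding_operators(events, owner) if pair[1] in flagged)


def revoke_calldata(operator):
    """ABI-encode setApprovalForAll(operator, false): 4-byte selector, the
    address left-padded to 32 bytes, then a 32-byte zero word for `false`."""
    addr = operator.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("operator must be a 20-byte hex address")
    return "0x" + SET_APPROVAL_FOR_ALL + addr.rjust(64, "0") + "0" * 64


# Constructed sample with placeholder addresses (not the real contracts).
OWNER = "0x" + "a1" * 20
BUNDLER = "0x" + "b2" * 20      # placeholder for the vulnerable PurchaseBundler
MARKET = "0x" + "c3" * 20       # some other operator the user still wants
SAMPLE_APPROVALS = [
    {"name": "ApprovalForAll", "owner": OWNER, "collection": "0xcollection-bayc",
     "operator": BUNDLER, "approved": True},
    {"name": "ApprovalForAll", "owner": OWNER, "collection": "0xcollection-bayc",
     "operator": MARKET, "approved": True},
    {"name": "ApprovalForAll", "owner": OWNER, "collection": "0xcollection-doodles",
     "operator": BUNDLER, "approved": True},
    # The user already revoked the bundler on Doodles; that pair must not be listed.
    {"name": "ApprovalForAll", "owner": OWNER, "collection": "0xcollection-doodles",
     "operator": BUNDLER, "approved": False},
]
```

Each pair returned by `approvals_to_revoke` needs one transaction to that collection address carrying `revoke_calldata(operator)`.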
Gondi operates as a non-custodial NFT lending platform, meaning users retain control of their assets rather than depositing them into centralized custody. While this model improves transparency, it also shifts risk toward users if smart contract vulnerabilities exist.