Gondi NFT Platform Exploited for $230K on March 9, 2026; Team Pledges Refunds
On March 9, 2026, Ethereum NFT lending protocol Gondi suffered a $230,000 smart contract exploit targeting its Purchase Bundler, prompting the team to freeze operations and pledge user refunds.
Key Findings
- The exploit was limited to 'Purchase Bundler' contracts on Ethereum and HypeEvm, leaving active loan collateral untouched as of March 09, 2026.
- The attacker successfully exfiltrated 40 NFTs and began selling them on secondary markets within hours of the March 09, 2026 exploit.
- Gondi's emergency response included a directive for users to submit Discord tickets if their loans were nearing expiration to avoid automated liquidations.
What Happened
On March 09, 2026, the Ethereum-based NFT lending protocol Gondi suffered a targeted smart contract exploit, resulting in the theft of approximately $230,000 in digital assets. According to The Block, the attacker successfully exfiltrated 40 NFTs and immediately began liquidating them on secondary markets.
The broader cryptocurrency market remained largely unaffected by the localized exploit. As of March 09, 2026, Bitcoin (BTC) was trading at approximately $66,036.16, a 24-hour change of -1.84%.
Gondi's development team officially advised users to revoke contract approvals via Revoke.cash and instructed borrowers not to repay active loans until the platform is confirmed secure.
Background
The vulnerability specifically targeted Gondi's "Purchase Bundler" contracts, notably those beginning with the Ethereum address prefix 0xc104, as well as HypeEvm-related contracts. Foresight News reports that the exploit was limited to NFTs not currently held as collateral in active loans. As of March 09, 2026, all active loan collateral remains secure within the protocol's vaults.
The Bull Case
Despite the breach, security firm Blockaid identified the exploit early through its automated detection systems, which potentially limited the scope of the damage to the $230,000 figure recorded on March 09, 2026. Furthermore, the Gondi team has proactively committed to making affected users whole. By providing clear, immediate mitigation steps—such as pausing repayments and establishing a Discord ticketing system for expiring loans—the protocol aims to prevent secondary liquidations and protect its user base.
The Bear Case
Security researchers remain highly cautious regarding the implications of the attack vector. Marius Bogdan Dinu of Crypto Adventure notes that NFT lending protocols are "unusually sensitive" to timing. Dinu emphasizes that the rapid sale of stolen non-fungible tokens makes asset recovery significantly harder compared to fungible token exploits. Additionally, analysts at ChainThink and GoPlus Security highlighted that the breach stemmed from an "authorization vulnerability," underscoring persistent and systemic risks in smart contract permission structures across the decentralized finance sector.
What to Watch
Moving forward, users must monitor their wallet permissions and utilize Revoke.cash to clear approvals for the compromised 0xc104 contracts. Borrowers with loans nearing expiration should submit support tickets directly to Gondi to avoid automated liquidations during the ongoing platform freeze. The success of Gondi's reimbursement plan and the potential recovery of the 40 stolen NFTs from secondary marketplaces will be critical metrics for assessing the protocol's long-term viability.