On March 9, 2026, the Gondi NFT lending protocol suffered a security exploit that resulted in the theft of approximately 78 non-fungible tokens (NFTs) valued at around $230,000. The vulnerability stemmed from a flaw in the platform's newly deployed "Sell & Repay" smart contract, specifically in the Purchase Bundler function, which lacked proper caller verification. This allowed an attacker to misuse existing user approvals to drain idle NFTs not involved in active loans. Gondi quickly identified the issue, disabled the affected feature, and assured users that active loan collaterals were safe. The platform has since resumed most operations and committed to full compensation for affected users. This report analyzes the incident, its technical details, impact, and lessons for the NFT lending ecosystem.
Background on Gondi
Gondi is a decentralized NFT lending platform built on Ethereum, enabling users to borrow cryptocurrency (like ETH) against their NFTs as collateral. Launched as an innovative solution for NFT liquidity, it allows borrowers to access funds without selling their assets outright. Key features include loan origination, repayment, and the "Sell & Repay" mechanism, introduced in a February 20, 2026 update, which automates selling escrowed NFTs to repay loans.
The platform operates via smart contracts, where users grant approvals (e.g., setApprovalForAll) to allow the contract to handle their NFTs during loan processes. This approval system, common in DeFi, became the exploit's entry point when combined with the bug in the new contract.
Timeline of the Incident
- February 20, 2026: Gondi deploys the updated "Sell & Repay" contract (address starting with 0xc104...), including the Purchase Bundler function for batch NFT handling.
- March 9, 2026, ~8:12 AM UTC: The exploit begins. The attacker executes around 40 transactions, draining 78 NFTs from users who had previously approved the contract. Stolen assets include SuperRare, Art Blocks, Doodles, and Beeple pieces.
- Immediate Detection: Security firms like GoPlus Security and Blockaid detect the anomaly and alert the community. Gondi pauses the affected feature.
- March 9, Afternoon: Gondi issues an official update via X (formerly Twitter), advising users to revoke approvals using tools like Revoke.cash and halt repayments until safe.
- March 10, 2026: Gondi confirms the exploit is contained, resumes most activities, and begins compensation processes after audits by Blockaid and independent reviewers.
How the Hack Occurred: Step-by-Step Breakdown
The exploit targeted an approval vulnerability in the Purchase Bundler component of the Sell & Repay contract. Unlike direct wallet hacks, this didn't require stealing private keys but exploited lingering approvals from past interactions.
1. User Approvals: Many users had previously approved Gondi's contracts (e.g., setApprovalForAll) for loan management. These approvals persist unless revoked and allow the contract to transfer NFTs.
2. Vulnerable Contract Deployment: The February update introduced the Sell & Repay feature for seamless loan closures via NFT sales. However, the Purchase Bundler function, designed for batch operations, omitted checks on the caller's identity (msg.sender).
3. Attacker's Preparation: The hacker scanned public blockchain data for users with active approvals to the vulnerable contract (0xc10472ac...).
4. Exploit Execution: Using their own wallet, the attacker called the buy function with crafted executionData containing targeted NFT details. Due to the missing verification, the contract treated the call as legitimate, transferring NFTs via existing approvals. This affected only idle NFTs (not in active loans), as active collaterals had additional locks.
5. Drain and Exit: In ~40 transactions, the hacker drained 78 NFTs. Example transaction: 0x83bac5d4b222b97f9734637c072589da648941b8a884ce1a61324dc0449e6a06 (visible on Etherscan).
Technical Analysis: The Bug in Code
The vulnerability was in the PurchaseBundler.sol contract (verified on Etherscan). Key buggy excerpts:
buy Function (Entry Point):
```solidity
function buy(bytes[] calldata executionData) external payable nonReentrant returns (uint256[] memory loanIds) {
    loanIds = _buy(executionData);
}
```
Issue: No msg.sender restriction – anyone could call it.
_buy Internal Logic:
```solidity
function _buy(bytes[] calldata executionData) private returns (uint256[] memory) {
    // ... multicall to MultiSourceLoan without initiator check ...
}
```
Issue: Proceeds to loan multicalls without verifying the caller's relation to the NFTs.
afterPrincipalTransfer Hook:
```solidity
function _afterPrincipalTransfer(IMultiSourceLoan.Loan memory _loan, uint256 _fee, bytes calldata _executionData) private {
    // ... decodes data, calls marketplace without full caller auth ...
    (success,) = executionInfo.module.call{value: executionInfo.value}(executionInfo.data);
}
```
Issue: Executes transfers assuming validity, relying only on the onlyLoanContract modifier, but the call chain starts from the unrestricted buy.
This "approval exploit" is common in DeFi but was amplified by the bundler's batch capabilities.
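The following is an added model of the failure pattern described above; it is not Gondi's code. It holds a toy ERC-721 approval ledger plus a bundler whose "buy" entry point trusts its calldata without checking msg.sender, next to a hardened variant that requires the caller to own every NFT the bundle names. All addresses are constructed placeholders.

```python
# Added model (not Gondi's code): an ERC-721 operator approval granted to a bundler
# during an earlier loan is reused by a "buy" entry point that never checks who is
# calling. The hardened variant ties the caller to every NFT the bundle names.
BUNDLER = "0xbundler"  # placeholder for the contract the approvals were granted to

class ERC721:
    def __init__(self, owners: dict[int, str]):
        self.owner_of = dict(owners)
        self.operator_approvals: dict[tuple[str, str], bool] = {}

    def set_approval_for_all(self, owner: str, operator: str, approved: bool) -> None:
        # Persists until the owner explicitly sets it back to False.
        self.operator_approvals[(owner, operator)] = approved

    def transfer_from(self, caller: str, frm: str, to: str, token_id: int) -> None:
        # ERC-721 rule: caller must be the owner or an operator the owner approved.
        if self.owner_of.get(token_id) != frm:
            raise PermissionError("from is not the owner")
        if caller != frm and not self.operator_approvals.get((frm, caller), False):
            raise PermissionError("caller is not approved")
        self.owner_of[token_id] = to

Order = tuple[str, str, int]  # (seller, buyer, token_id), as executionData would carry

def _execute_orders(nft: ERC721, orders: list[Order]) -> int:
    for seller, buyer, token_id in orders:
        nft.transfer_from(BUNDLER, seller, buyer, token_id)  # spends the standing approval
    return len(orders)

def vulnerable_buy(nft: ERC721, msg_sender: str, orders: list[Order]) -> int:
    # Bug pattern: msg_sender is never compared with the seller named in the data, so
    # the bundler's approval is spent on behalf of any owner who once granted it.
    return _execute_orders(nft, orders)

def hardened_buy(nft: ERC721, msg_sender: str, orders: list[Order]) -> int:
    # Fix pattern: establish the caller's relation to every NFT before any transfer.
    for seller, _buyer, token_id in orders:
        if msg_sender != seller:
            raise PermissionError(f"caller does not own token {token_id}")
    return _execute_orders(nft, orders)

def run(buy) -> str:
    """Return who owns token 7 after an unrelated wallet calls `buy` against it."""
    nft = ERC721({7: "0xowner"})
    nft.set_approval_for_all("0xowner", BUNDLER, True)  # granted during an old loan
    try:
        buy(nft, "0xstranger", [("0xowner", "0xstranger", 7)])
    except PermissionError:
        pass  # the hardened variant reverts here; the vulnerable one does not
    return nft.owner_of[7]
```

run(vulnerable_buy) hands token 7 to the unrelated caller, while run(hardened_buy) leaves it with its owner; the only difference is the msg_sender check.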
Impact of the Hack
- Financial Loss: ~$230,000 in stolen NFTs (44 Art Blocks, 10 Doodles, etc.).
- Affected Users: Those with unrevoked approvals to the contract; active loans were unaffected.
- Platform Disruption: Temporary halt on repayments and new activities; trust erosion in NFT lending.
- Broader Ecosystem: Highlighted risks of persistent approvals, prompting revoke advisories across DeFi.
Gondi's Response and Mitigation
Gondi acted swiftly:
- Disabled the Sell & Repay feature.
- Advised revoking approvals via Revoke.cash for contract 0xc10472ac....
- Conducted audits with Blockaid and independents, confirming containment.
- Promised full compensation and shifted focus to user recovery.
- Resumed operations by March 10, excluding the buggy contract.
Lessons Learned and Recommendations
This incident underscores DeFi's smart contract risks:
- Approval Management: Always revoke unused approvals using tools like Revoke.cash.
- Code Audits: New features need rigorous caller verification (e.g., require(msg.sender == owner)).
- User Vigilance: Monitor wallet activity on Etherscan; use hardware wallets.
- Platform Best Practices: Implement time-bound approvals and multi-sig for critical updates.
- Community Advice: For Gondi users, revoke immediately; for NFT lenders, diversify platforms.
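To act on the approval-management advice, an owner first needs to know which operators can still move their NFTs. The added example below (not Gondi's or Revoke.cash's code) reduces a wallet's ApprovalForAll event history, in the shape an eth_getLogs call returns, to the (NFT contract, operator) pairs that remain approved; the log entries and addresses are constructed.

```python
# Added example (not Gondi's or Revoke.cash's code): reduce a wallet's
# ApprovalForAll event history to the operators that are STILL approved, which
# is what an owner needs before revoking. Input has the shape of an eth_getLogs
# result; the log entries and addresses below are constructed.
from typing import Any

# keccak256("ApprovalForAll(address,address,bool)"), the ERC-721 event topic
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

def topic_to_address(topic: str) -> str:
    # Indexed address topics are 32 bytes: 12 zero bytes then the 20-byte address.
    return "0x" + topic[-40:].lower()

def live_operator_approvals(logs: list[dict[str, Any]], owner: str) -> dict[tuple[str, str], bool]:
    """Map (nft_contract, operator) -> latest approved flag emitted for `owner`."""
    latest: dict[tuple[str, str], tuple[tuple[int, int], bool]] = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
            continue  # some other event
        if topic_to_address(topics[1]) != owner.lower():
            continue  # someone else's approval
        key = (log["address"].lower(), topic_to_address(topics[2]))
        approved = int(log["data"], 16) != 0  # bool is ABI-encoded as a uint256
        position = (int(log["blockNumber"], 16), int(log["logIndex"], 16))
        if key not in latest or position > latest[key][0]:
            latest[key] = (position, approved)  # the later event wins
    return {key: flag for key, (_, flag) in latest.items()}

def approvals_to_revoke(logs: list[dict[str, Any]], owner: str) -> list[tuple[str, str]]:
    # Every (nft_contract, operator) pair still able to move the owner's NFTs.
    return sorted(k for k, on in live_operator_approvals(logs, owner).items() if on)

def _topic(addr: str) -> str:
    return "0x" + "0" * 24 + addr[2:]

def _log(nft: str, owner: str, op: str, on: bool, block: int, idx: int) -> dict[str, Any]:
    return {"address": nft, "topics": [APPROVAL_FOR_ALL_TOPIC, _topic(owner), _topic(op)],
            "data": "0x" + "0" * 63 + ("1" if on else "0"), "blockNumber": hex(block), "logIndex": hex(idx)}

# Constructed history: OWNER approves OP_A and OP_B on NFT_X, later revokes OP_A there,
# and approves OP_A on NFT_Y; one log for a different owner is present as noise.
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
NFT_X, NFT_Y, OP_A, OP_B = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "0a" * 20, "0x" + "0b" * 20
LOGS = [_log(NFT_X, OWNER, OP_A, True, 16, 0), _log(NFT_X, OWNER, OP_B, True, 18, 1),
        _log(NFT_X, OWNER, OP_A, False, 20, 0), _log(NFT_Y, OWNER, OP_A, True, 21, 3),
        _log(NFT_Y, OTHER, OP_B, True, 22, 0)]

if __name__ == "__main__":
    for nft, op in approvals_to_revoke(LOGS, OWNER):
        print(f"revoke operator {op} on {nft}")
```

Against a real node, fetch the logs with eth_getLogs filtered on the topic and the owner's padded address, then feed them to approvals_to_revoke unchanged.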
As NFT lending grows, incidents like this emphasize the need for robust security. Stay tuned for updates on Gondi's recovery efforts.