The NFT lending protocol Gondi has been exploited, resulting in the theft of approximately 40 NFTs.
The NFT lending protocol Gondi has been exploited due to a contract logic flaw in its "Sell & Repay" feature.

- Exploit Date: March 10, 2026
- Target: Gondi
- Target Overview: Gondi is a decentralized NFT lending protocol that enables users to use NFTs as collateral for loans. The compromised component is the Purchase Bundler, an auxiliary contract designed to streamline the buying, selling, and repayment workflows.
- Total Value Lost: ~$230,000
- Attack Vector: Logic Vulnerability
Incident Review & Technical Details
- Attack Path:
  - Vulnerability Identification: The attacker targeted the Sell & Repay related contracts deployed by Gondi on February 20. This contract contained an authorization validation flaw within its Purchase Bundler logic.
  - Target Selection: The attacker did not target Active Loans. Instead, they pinpointed NFTs where users had previously granted approvals to the contract but did not have an active loan outstanding at the time of the attack.
  - Unauthorized Transfer: By constructing malicious calls, the attacker bypassed standard business logic and leveraged users' historical approvals to transfer NFTs directly out of their wallets.
  - Secondary Market Liquidation: A portion of the stolen NFTs was rapidly sold on secondary markets to unsuspecting third-party buyers, while the remainder is still held in the attacker's addresses.
- Scope of Impact: The exploit affected several Purchase Bundler contract addresses on both Ethereum Mainnet and HypeEVM. Impact was strictly limited to non-collateralized NFTs; assets currently locked as active collateral remained secure.
- Official Root Cause: The team has determined that the vulnerability stemmed from a code logic flaw within specific auxiliary contracts.
- Investigation & Remediation:
  - Asset Recovery: The protocol has utilized protocol fees to buy back several resold NFTs and return them to their original owners. Regarding the "1/1" rare pieces still held by the attacker, the team is pursuing recovery via negotiation and legal channels.
  - Risk Mitigation: The affected Sell & Repay functionality has been deactivated. Official guidance advises all users to immediately revoke permissions for the compromised contract addresses via revoke.cash.
  - Compensation Plan: For specific NFTs that cannot be recovered, the protocol has purchased floor-equivalent assets from the same collections to compensate affected victims.
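The flaw class described under Attack Path and Official Root Cause, as an added Solidity example that is not Gondi's code and does not reproduce its interface: an auxiliary purchase bundler that users approve for their NFTs and that moves tokens according to caller-supplied parameters, placed beside a hardened form in which a token can only leave a wallet through a listing that wallet itself created, and which an admin can pause as the team did with the affected feature. The contract names, the `sell`, `list` and `buy` functions, the `Listing` structure and the `admin` role are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative example; not Gondi's code and not its actual interface.
// It models the flaw class described in the write-up: an auxiliary contract
// that holds users' ERC-721 approvals and moves tokens according to
// caller-supplied parameters, without binding the transfer's origin to an
// action taken by the token's owner.

interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function ownerOf(uint256 tokenId) external view returns (address);
}

/// Vulnerable pattern (assumed shape). `seller` and `price` are free
/// parameters, so any caller can name an address that once granted this
/// contract an approval, set price to 0, and have the bundler move that
/// address's token even though no loan or sale involving it exists.
contract PurchaseBundlerVulnerable {
    function sell(
        address collection, uint256 tokenId, address seller, address buyer, uint256 price
    ) external payable {
        require(msg.value == price, "wrong payment");
        // Flaw: nothing ties `seller` to msg.sender or to a seller-signed order.
        IERC721(collection).transferFrom(seller, buyer, tokenId);
        (bool ok, ) = payable(seller).call{value: price}("");
        require(ok, "payout failed");
    }
}

/// Hardened pattern. A token can only leave a wallet through a listing that
/// wallet created itself, the price is fixed by the seller, ownership is
/// re-checked at execution time, and an admin can pause the feature.
contract PurchaseBundlerHardened {
    struct Listing { address seller; uint256 price; }

    address public immutable admin;
    bool public paused;
    mapping(address => mapping(uint256 => Listing)) public listings;

    error Paused();
    error NotAdmin();
    error NotTokenOwner();
    error NotListed();
    error WrongPayment();

    constructor() { admin = msg.sender; }

    modifier whenNotPaused() { if (paused) revert Paused(); _; }

    /// Emergency switch: deactivates the feature without a redeploy.
    function setPaused(bool p) external {
        if (msg.sender != admin) revert NotAdmin();
        paused = p;
    }

    /// Only the current owner can offer a token; a standing approval alone
    /// never authorises a move.
    function list(address collection, uint256 tokenId, uint256 price) external whenNotPaused {
        if (IERC721(collection).ownerOf(tokenId) != msg.sender) revert NotTokenOwner();
        listings[collection][tokenId] = Listing(msg.sender, price);
    }

    function delist(address collection, uint256 tokenId) external {
        if (listings[collection][tokenId].seller != msg.sender) revert NotTokenOwner();
        delete listings[collection][tokenId];
    }

    function buy(address collection, uint256 tokenId) external payable whenNotPaused {
        Listing memory l = listings[collection][tokenId];
        if (l.seller == address(0)) revert NotListed();
        if (msg.value != l.price) revert WrongPayment();
        // Re-check ownership at execution time so a stale listing cannot be
        // used after the token has changed hands.
        if (IERC721(collection).ownerOf(tokenId) != l.seller) revert NotTokenOwner();
        delete listings[collection][tokenId]; // effects before interactions
        IERC721(collection).transferFrom(l.seller, msg.sender, tokenId);
        (bool ok, ) = payable(l.seller).call{value: msg.value}("");
        require(ok, "payout failed");
    }
}
```

The audit check this illustrates: every `transferFrom` whose `from` is not `msg.sender` needs an owner-originated authorisation at that exact point (a listing the owner wrote, or a verified signature over the order), and the protocol's own state must justify the move. It also shows why the revocation guidance matters for users with no open loan: an ERC-721 `setApprovalForAll` grant to a helper contract persists after the loan that motivated it has closed.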
AUTOSEC.DEV Solution: Building a 360-Degree Defense
To counter hybrid attacks involving "Web2 Breach + Web3 Monetization," AUTOSEC.DEV provides comprehensive protection from code to personnel:
- Team OPSEC (Operations Security) Audit & Hardening: We provide enterprise-grade security training and configuration for core Web3 team members. We assist teams in deploying security hardware and risk detection software to increase the difficulty of social engineering attacks, while auditing password management protocols and device security policies.
- End-to-End Incident Response (IR): In an emergency, every second of confusion amplifies the loss. AUTOSEC.DEV provides standardized SOPs (Standard Operating Procedures) and rapid response services tailored to specific business needs to help projects mitigate losses quickly.
Service Content
- AUTOSEC.DEV - Security Awareness Training
- AUTOSEC.DEV - Incident Response Service
- AUTOSEC.DEV - Security Strategy & Planning