

NFT liquidity platform Gondi has disabled a faulty smart contract after an attacker stole about $230,000 worth of NFTs from the protocol. The exploit targeted the platform’s ‘Sell & Repay’ contract, which allows borrowers to sell escrowed NFTs and have their loans automatically repaid.
The incident occurred on Monday at about 8:12 a.m. UTC. Data from Ethereum block explorer Etherscan shows that the attacker removed 78 NFTs during the exploit. Blockchain security firm Blockaid later estimated the total losses at roughly $230,000.
Soon after the attack, Gondi disabled the affected contract and began coordinating recovery efforts with security researchers and the NFT community. The team said it is now focused on compensating affected users while continuing to review the platform’s systems.
The platform added that no other part of its protocol suffered damage during the exploit. However, the incident raises a broader question: How can decentralized lending platforms secure complex smart contracts that simultaneously manage digital assets and loans?
Gondi stated that the attacker exploited its “Sell & Repay” smart contract. This feature allows borrowers to sell escrowed NFTs and automatically repay outstanding loans on the platform. The company deployed an updated version of the contract on February 20. However, the team did not confirm how the attacker managed to exploit the function after the update.
The protocol clarified that the exploit involved only this contract. According to the team, the rest of the platform’s infrastructure continued operating normally.
After the incident, Gondi initially advised users not to interact with the protocol. Later, the company reversed that warning after security reviews confirmed that the broader system remained safe.
Blockaid and an independent auditor reviewed the platform’s smart contracts. Their assessment concluded that users could safely perform normal actions, including buying, selling, listing, trading NFTs, and managing loans.
However, the Sell & Repay contract itself remains disabled while developers prepare a permanent fix.
Meanwhile, some members of the NFT community stepped in to help recover stolen items. Blockaid reported that the attacker began selling several of the stolen NFTs soon after the exploit.
Gondi later confirmed that community members helped recover multiple assets. These included NFTs from collections such as Doodle, Aluminum Gazer, Lil Pudgy, and Servant of the Muse.
The protocol said discussions continue regarding additional assets. The team expects more recoveries to follow, including NFTs from the Taxmen collection.
In several cases, buyers purchased NFTs without realizing they originated from the exploit. Once identified, these assets were returned to their original owners when possible.
At the same time, Gondi started implementing compensation measures. The platform began using collected protocol fees to purchase comparable NFTs from similar collections.
Some incidents involve one-of-one NFTs that cannot easily be replaced. In those cases, the protocol said it continues discussions with collectors to determine alternative arrangements.
Gondi operates as a decentralized and non-custodial NFT liquidity marketplace. Users pledge NFTs as collateral to obtain loans, while lenders earn interest from those transactions.
Such systems rely on complex smart contracts that coordinate collateral management, loan issuance, repayments, and asset transfers. According to the protocol, the Sell & Repay feature adds complexity because it bundles multiple actions into one transaction.
Gondi disabled the faulty Sell & Repay contract after a hacker stole 78 NFTs worth about $230,000. The platform said other systems stayed safe and is now working with Blockaid and the NFT community to recover assets and compensate affected users. The case shows how expensive smart contract flaws can become.