NFT liquidity marketplace Gondi has suffered a security exploit that resulted in the theft of multiple high-value NFTs worth approximately $230,000 (around 118 ETH). The incident was first flagged by blockchain security firm GoPlus Security and appears to affect users who interacted with the platform’s loan repayment features. The exploit has raised fresh concerns about smart contract vulnerabilities in NFT lending platforms, an area that has grown rapidly within the decentralized finance (DeFi) ecosystem. Early blockchain analysis suggests that attackers were able to exploit a flaw in one of Gondi’s core contracts, enabling unauthorized transfers of NFTs from affected wallets. Security researchers and community members are now closely monitoring the situation as investigations continue.
Exploit Targets Gondi Smart Contract
According to preliminary findings, the exploit targeted Gondi’s Purchase Bundler smart contract, which is used to manage bundled NFT purchases, sales, and transactions related to lending operations.
The affected contract address is:
0xc10472ac1bf9f2e58ff2c83596b4535334c90814
Attackers reportedly exploited a vulnerability that allowed them to transfer NFTs without authorization, even after certain loans associated with those assets had already been repaid.
Key Addresses Involved
- Attacker wallet: 0x8D171c74c85CD2Ec9F38143Dd5d8a7c89DF47051
- Attack contract: 0xe95e3cfC4939D6D98DBDa31AAfE950c3Ee84d73c
Major NFT Collections Affected
Blockchain transaction records show that several high-profile NFT collections were targeted during the exploit.
Notable transactions include:
Transaction 1
Hash: 0x0089f51edf53299ad357229ec4614efc57b3fcd3f395d088f33ce9a9261d2820
- Transferred 3 SuperRare NFTs from wallet zenVault.eth.
Transaction 2
Hash: 0x83bac5d4b222b97f9734637c072589da648941b8a884ce1a61324dc0449e6a06
- Drained approximately 78 NFTs across 10 collections, including:
- Art Blocks (44)
- Doodles (10)
- Bored Ape Yacht Club (2, including #1502)
- KnownOrigin
- LilPudgys
- Other smaller collections.
Shortly after the theft, the attacker converted the stolen assets into WETH and moved the funds within minutes, according to on-chain data.
Prominent Wallets Impacted
Several well-known NFT collectors and wallets were reportedly affected by the exploit, including:
- zenVault.eth
- roadweb.eth
- onchainpal.eth
- NFTLaurent
NFTLaurent later reported losing personal pieces, including a “servant token” created by artist lphaCentauriKid.
Gondi Team Confirms Investigation
A member of Gondi’s product team, BBA (X handle: @ape6743), acknowledged the incident in a post on X.
“It appears there has been an exploit on the Gondi platform that allowed some NFTs to be stolen.
The team is currently investigating the situation and will report back as soon as possible.”
He added that the issue appears to be limited to a specific use case, and stated that assets currently held in custody remain safe.
BBA also confirmed that the affected contract appears to be the Purchase Bundler contract.
As of late afternoon IST on March 9, 2026, the official @gondixyz account had not released a formal statement regarding the exploit. The account’s recent posts continue to focus on platform updates, including loan features and the launch of an Artists Directory.
Security Recommendations for Users
Following the incident, security researchers recommend that Gondi users take the following precautions:
- Revoke approvals immediately for the affected contract
0xc10472ac1bf9f2e58ff2c83596b4535334c90814using tools such as revoke.cash or Etherscan’s approval checker. - Pause all activity on the Gondi platform until an official update is released.
- Monitor wallets closely using blockchain explorers such as Etherscan or DeBank for suspicious activity.
- Regularly review and revoke unused token approvals when interacting with DeFi and NFT platforms.
Ongoing Investigation
The incident highlights the security risks associated with NFT lending protocols, particularly vulnerabilities linked to residual permissions after loan repayments. The Gondi team has stated that a full investigation report will be released once their analysis is complete.
The exploit also comes at a time when the crypto industry continues to face a series of security incidents across different platforms. In a separate case, a crypto casino platform recently announced a $500,000 bounty after a $4.3 million exploit, highlighting how attackers are increasingly targeting vulnerabilities in blockchain-based platforms.
