Gondi, the NFT lending protocol built on Ethereum, got hit by an exploit on Monday that drained roughly $230,000 worth of nonfungible tokens from the platform. The attack targeted a specific smart contract and left the broader platform intact. Still, it was a rough morning for anyone with NFTs parked inside the protocol.
What Exactly Happened?
The hacker zeroed in on Gondi’s “Sell & Repay” contract. This feature lets borrowers sell NFTs held in escrow and automatically clear their outstanding loans in one move. It’s a handy tool, but on this occasion it became the entry point for an attacker.
According to data from Ethereum block explorer Etherscan, 78 NFTs were drained in a single transaction at around 8:12 AM UTC. Blockchain security platform Blockaid confirmed the loss at $230,000. That’s a significant hit, even by the standards of an industry that has seen its share of eight-figure disasters.
One user bore the brunt of it. Crypto researcher Tinoch flagged on X that a wallet address ending in “47051” lost approximately $108,000 worth of assets. That’s nearly half the total haul from a single victim, which is a brutal outcome.
Also Read: What Are NFTs And What Are Their Real Life Use Cases?
How Did Gondi Respond?
The team moved quickly. Gondi disabled the faulty Sell & Repay contract and confirmed no other part of the platform was affected. Users could still buy, sell, trade, and list NFTs and manage their loans without any issue.
The team brought in Blockaid and an independent auditor to review the platform. Both cleared it as safe to use. A fresh version of the affected contract had actually been deployed on February 20, though the platform hasn’t confirmed exactly how the hacker exploited it. That part of the picture is still unclear.
Making Victims Whole
Gondi said its focus has shifted entirely to making affected users whole. The team started buying comparable NFTs from the same collections and transferring them directly to the original owners. They were upfront that these aren’t the exact same pieces, but they called it a fair resolution.
That’s a notable move. A lot of protocols in this situation drag their feet or disappear entirely. The fact that the team was proactively compensating users within hours says something about how seriously they’re taking this.
Also Read: Are NFTs Coming Back in 2026? 120% NFT Buy Surge Says So
The NFT Community Stepped Up
While the attacker started offloading stolen assets, members of the NFT community managed to intercept and return several pieces. Doodle, Aluminum Gazer, Lil Pudgy, and Servant of the Muse NFTs were recovered and sent back to their rightful owners.
The Gondi team said they’re still in active conversations about recovering more items, including Taxmen NFTs. The community response here was genuinely impressive. It doesn’t always go this way.
What This Tells Us About NFT Lending Risks
This incident is a reminder of how concentrated smart contract risk can get inside lending platforms. Users deposit high-value NFTs as collateral, and if one contract has a flaw, the losses can be immediate and significant.
The Gondi exploit wasn’t catastrophic in the grand scheme of DeFi hacks. But $230K in NFTs is real money, and the fact that a newly deployed contract contained a vulnerability shows how difficult it is to get smart contract security right, even when you’re actively trying to improve it.
For users across any NFT lending platform, this is a good moment to review which contracts hold your assets and whether you have exposure to features you’re not actively using.
Also Read: How NFTs Will Reshape The Future Of Crypto In 2026
What was exploited in the Gondi hack?
The attacker exploited the Sell & Repay smart contract, a feature that lets borrowers sell escrowed NFTs and repay loans in one transaction.
Is Gondi safe to use now?
Yes. The faulty contract has been disabled. Blockaid and an independent auditor reviewed the platform and confirmed it is safe to use.
Will affected users get their NFTs back?
The team is compensating users with comparable NFTs from the same collections. Some stolen pieces have already been recovered by community members and returned to their owners.
How much was stolen in total?
Blockaid estimated the total loss at $230,000. A total of 78 NFTs were stolen in a single transaction on March 10, 2026.
Get the news in a Jist. Follow Cryptojist on X and Telegram for real-time updates!
Disclaimer:
Look, we’re just journalists reporting the news here, not your financial advisors. Everything you read above is for information purposes only. Crypto is wild, unpredictable, and can absolutely wreck your savings if you’re not careful. Never invest money you can’t afford to lose. Seriously, we mean it. Do your own research, talk to actual licensed financial professionals, and remember that past performance means absolutely nothing when it comes to future results. The crypto market can turn on a dime, and what’s hot today might be toast tomorrow. We’re not responsible for your investment decisions, good or bad. Trade smart, stay safe, and don’t bet the farm on anything you read on the internet, including this article.
Bitcoin 
Tether 
BNB 