VERSE PRESS

Gondi Loses $230,000 in NFT Exploit as Protocol Promises Full Repayment

March 9, 2026

Ethereum-based NFT lending protocol Gondi suffered a smart contract exploit on March 9, 2026, with an attacker draining approximately $230,000 worth of NFTs from user wallets. The platform has since committed to compensating affected users in full.


Blockchain security firm Blockaid detected the attack through its real-time monitoring system and issued a public alert the same day. On-chain data visible on Etherscan shows that 78 NFTs were removed from wallets across roughly 40 transactions, all flowing to a wallet address that Etherscan has since labeled "GONDI Exploiter." (Blockaid's initial alert cited approximately 40 NFTs stolen, a figure that likely reflects an early partial count before the full scope was visible on-chain.) Blockaid's alert noted that the attacker had already begun selling the stolen assets before the public warning went out.

The vulnerability appears to have been rooted in an older version of Gondi's smart contracts that remained active on the platform. This type of exposure is a recurring problem in DeFi: users who granted token transfer permissions to a legacy contract at some earlier point can have their assets drained if an attacker finds a flaw in that contract, and no further user interaction is required for the theft to succeed. Gondi had not publicly released a full technical post-mortem at the time of writing, but the attack pattern is consistent with approval-based exploits seen elsewhere in the NFT sector.

A closely comparable incident occurred in December 2023, when NFT Trader lost approximately $3 million in Bored Apes and Mutant Apes after an attacker exploited a reentrancy bug in deprecated contracts. In that case, the attacker accepted a 120 ETH bounty negotiated by Yuga Labs and Boring Security DAO in exchange for returning the stolen assets.

The Gondi exploit is smaller in scale but follows the same general pattern of old contract infrastructure becoming a live attack surface.

Despite multiple rounds of security auditing across its version history, including reviews by Trail of Bits, CertiK, Halborn, Zenith, and Quantstamp, among others, Gondi's older contract layers remained in use alongside its current V3 and V3.1 releases. The protocol's documentation explicitly notes that loans originated on V1 and V2 operate independently of V3 mechanics. According to reporting from The Block and Blockaid, the exploit targeted one of those older contracts, which remained active on the platform at the time of the attack.

As of mid-2025, Gondi reported over $100 million in total value locked, $45 million in outstanding debt, and more than $400 million in annualized loan volume. The $230,000 loss represents a small fraction of that activity, but the reputational cost and the precedent for treasury-funded repayment carry broader implications.

Gondi is backed by Pantera Capital, Dragonfly, and Foundation Capital, and counts prominent NFT collectors among its user base, including Seedphrase, Gmoney, and Cozomo de' Medici.

The platform markets itself as Ethereum's leading non-custodial NFT lending protocol, offering borrowers the ability to use NFTs as collateral for WETH, USDC, or HYPE loans without forced liquidations and without reliance on price oracles. It also operates on HypeEVM in addition to Ethereum mainnet.


What comes next

Gondi's pledge to make affected users whole is consistent with responses from other DeFi platforms that faced similar incidents, including Moby Trade in January 2025, though the Moby case illustrates the limits of such commitments: approximately $1 million remained unrecovered despite the protocol's pledge to reimburse users in full.

Whether Gondi's commitment is met in full will depend on the protocol's available treasury reserves. Broader DeFi losses to smart contract exploits reached $3.1 billion in the first half of 2025 alone. Separately, reentrancy attacks have accounted for more than $300 million in losses since the start of 2024.

For NFT lending platforms specifically, this incident reinforces that multi-version protocol architectures require active lifecycle management, not just audits at the time of deployment. Users holding active approvals for any version of Gondi's contracts should verify and revoke permissions where they are no longer needed.


Regional impact: South Asia and Africa

India currently holds one of the highest NFT ownership rates in the world, at roughly 13.5 to 15.5 percent, and South Asia as a region posted an 80 percent year-over-year increase in crypto adoption between January and July 2025, with approximately $300 billion in transaction volume.

However, India's crypto regulatory compliance rate sits at only 54 percent, and its Basel AML Index score of 6.44 signals significant systemic exposure. In this environment, smart contract exploits are less likely to result in legal recourse and more likely to deepen regulatory skepticism toward DeFi lending products.

In Africa, NFT adoption is concentrated in countries like Ghana, where ownership rates reach 7.5 percent, and Kenya at 2.8 percent. The Middle East and Africa region collectively holds around 5 percent of global NFT market share, with South Africa's NFT market alone projected to reach $2.16 billion by 2030, growing at a compound annual rate of 27.7 percent according to Grand View Research.

For retail users in these markets, the barrier to protection is higher. Large institutional participants in wealthier markets often have access to on-chain monitoring services like Blockaid or contract auditing dashboards, but most individual users in emerging markets do not. Revoking stale contract approvals using tools like Revoke.cash is one concrete step available to anyone, though awareness of such tools remains limited in markets with newer user bases, where on-chain monitoring infrastructure is less established.
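The approval check recommended above, for users who granted transfer permissions to an older contract version, can be sketched offline. The following is an added example, not code from Gondi, Blockaid or Revoke.cash: it replays `ApprovalForAll` logs in the shape returned by `eth_getLogs` and reports operator approvals that are still active for contracts on a legacy list. Every address and log entry in it is a constructed placeholder.

```python
# Added example: find still-active ApprovalForAll grants to legacy operators.
# All addresses and logs below are constructed placeholders, not on-chain data.
# keccak256("ApprovalForAll(address,address,bool)"), shared by ERC-721 and ERC-1155
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

OWNER_A, OWNER_B = "0x" + "a1" * 20, "0x" + "b2" * 20
COLLECTION = "0x" + "c3" * 20
LEGACY_OPERATOR, CURRENT_OPERATOR = "0x" + "11" * 20, "0x" + "33" * 20

def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def active_approvals(logs):
    """Replay logs in chain order; return {(owner, collection, operator)} still approved."""
    state = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL:
            continue  # some other event
        key = (topic_to_address(topics[1]), log["address"].lower(), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16) != 0  # the latest event for a key wins
    return {k for k, approved in state.items() if approved}

def stale_legacy_approvals(logs, legacy_operators):
    """Active approvals whose operator is on the caller-supplied legacy list."""
    legacy = {a.lower() for a in legacy_operators}
    return sorted(k for k in active_approvals(logs) if k[2] in legacy)

def _log(block, idx, collection, owner, operator, approved):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": collection, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": [APPROVAL_FOR_ALL, pad(owner), pad(operator)],
            "data": "0x" + str(int(approved)).rjust(64, "0")}

# Constructed sample, deliberately out of order: B's revocation is listed before the grant.
SAMPLE_LOGS = [
    _log(300, 0, COLLECTION, OWNER_B, LEGACY_OPERATOR, False),
    _log(100, 0, COLLECTION, OWNER_A, LEGACY_OPERATOR, True),
    _log(200, 1, COLLECTION, OWNER_B, LEGACY_OPERATOR, True),
    _log(150, 2, COLLECTION, OWNER_A, CURRENT_OPERATOR, True),
]

if __name__ == "__main__":
    for owner, collection, operator in stale_legacy_approvals(SAMPLE_LOGS, [LEGACY_OPERATOR]):
        print(f"revoke: owner={owner} collection={collection} operator={operator}")
```

Per-token `approve` grants and ERC-20 allowances emit different events and are not covered by this check.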