GemPad, a decentralized finance (DeFi) platform and crypto token launchpad, recently confirmed being the target of an attack that compromised its liquidity lock contracts. The exploit, which targeted GemPad's locker system, is estimated to have siphoned $1.9 million to $2.2 million in liquidity locks across Ethereum, BNB Chain, and Base.
According to the official GemPad incident report published on the company's Medium blog, an attacker used a malicious fake token to exploit a hidden flaw and drain multiple project liquidity pools. Meanwhile, a separate Cyberscope incident report offers more detailed technical insights, explaining the usage of flash loan strategies and step-by-step reentrancy maneuvers.
How the GemPad Hack Unfolded: Lock Smart Contract Exploit and Flash Loan Attack
On December 17, 2024, a critical flaw in GemPad’s LockV2 smart contract allowed an attacker to exploit the liquidity pools, underscoring the risks of smart contract vulnerabilities in DeFi projects. GemPad’s Medium post stated that multiple networks, including BSC, ETH, Base, and Polygon, were targeted using a fake malicious token.
Meanwhile, the Cyberscope incident report reveals that the attacker performed a flash loan attack to acquire initial funds, then combined Uniswap V2 and Uniswap V3 liquidity manipulations to drain liquidity provider (LP) tokens repeatedly. The malicious token’s custom transfer function triggered reentrancy within the collectFees function, allowing the attacker to swap to native tokens such as ETH or BNB.
Security firms BlockSec and Hexagate first noticed suspicious activity, prompting GemPad to take immediate measures to limit the ongoing exploit. Key partners—Certik, Cyberscope, SolidProof, Assure DeFi, Hackdra, Contract Wolf, and Octavia—helped with hack mitigation. Much of the stolen crypto was transferred to Tornado Cash, complicating fund recovery efforts.
Reentrancy Vulnerability Explained: DeFi Security Flaw in the CollectFees Function
A reentrancy vulnerability, a common security flaw in decentralized finance protocols, allows malicious smart contracts to repeatedly trigger critical functions, draining funds before balances are properly updated. Think of it like someone swiping a credit card multiple times before the bank has a chance to see that the limit is already used up.
In this specific attack, the malicious token’s transfer function interrupted the fee-collection process, causing balance checks to display more tokens than were genuinely locked. By looping through these calls, the attacker repeatedly withdrew liquidity beyond what was initially deposited. The GemPad exploit hinged on a missing reentrancy guard, allowing the creation of unauthorized locked positions and causing a major liquidity drain.
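To make the call-ordering problem concrete, here is an added, hypothetical locker contract in Solidity, not GemPad's LockV2 source (which this article does not reproduce): the vulnerable shape performs the external token transfer before clearing the fee balance, while the hardened shape applies checks-effects-interactions plus a reentrancy guard. The contract names, the Lock struct and the pendingFees field are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified locker: NOT GemPad's LockV2 code.
// Vulnerable shape: the external token call (interaction) runs before
// pendingFees is cleared (effect). A token whose transfer() calls back
// into collectFees() sees the stale, still non-zero balance each time.
contract LockerVulnerable {
    struct Lock { address token; address owner; uint256 pendingFees; }
    mapping(uint256 => Lock) public locks;

    // Fees always go to the recorded owner, so anyone may trigger collection.
    function collectFees(uint256 id) external {
        Lock storage l = locks[id];
        uint256 fees = l.pendingFees;
        require(fees > 0, "nothing to collect");
        // Re-entry point: untrusted token code runs here with stale state.
        require(IERC20(l.token).transfer(l.owner, fees), "transfer failed");
        l.pendingFees = 0; // cleared only after the external call returns
    }
}

// Hardened shape: checks-effects-interactions order plus a mutex-style
// reentrancy guard (the same idea as OpenZeppelin's ReentrancyGuard).
contract LockerHardened {
    struct Lock { address token; address owner; uint256 pendingFees; }
    mapping(uint256 => Lock) public locks;
    uint256 private _status = 1; // 1 = not entered, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    function collectFees(uint256 id) external nonReentrant {
        Lock storage l = locks[id];
        uint256 fees = l.pendingFees;
        require(fees > 0, "nothing to collect");
        l.pendingFees = 0; // effect before interaction
        require(IERC20(l.token).transfer(l.owner, fees), "transfer failed");
    }
}
```

Either fix alone closes this path (the zeroed balance makes a nested call revert on "nothing to collect"; the guard makes it revert on "reentrant call"); using both is the usual defence in depth.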
The vulnerability went undetected even though the vulnerable smart contract had been audited by two different auditors—SolidProof and Cyberscope. SolidProof stated that the smart contract was modified after its audit was completed, while GemPad maintains that no changes were made to the contracts after either audit.
Impact on Affected Projects: Liquidity Locks Drained Across Multiple Chains
At least 27 projects experienced substantial losses due to the GemPad exploit. Notable affected projects include Munch Protocol, AnonFi, Borderless Pay (BPay), Nutcash, and FOMO Network, all of which saw major drops in their liquidity pools. These liquidity pools are essential for maintaining the stability and trustworthiness of each project, acting as a safeguard against rug pulls by ensuring that funds remain locked and secure.
GemPad reports that over 3,000 projects utilize its locker services to secure their tokens and liquidity. However, only a small fraction of these projects were impacted by the breach. The older V1 lock contract remained unaffected, preserving the majority of GemPad’s own token liquidity. Despite the exploit, GemPad emphasizes that its ongoing DeFi partnerships remain strong and intact, ensuring continued support and collaboration within the ecosystem.
Official Responses and Investigations: Blockchain Investigator, Auditing Companies, and Partners Step In
GemPad issued statements recognizing the severity of the breach and pledged full fund recovery efforts. A dedicated blockchain investigator is tracing the attacker’s movements. OKLink and TenArmor have also contributed to identifying the exploiter on Etherscan.
At this time, GemPad has not publicly released a detailed plan to address the losses faced by affected projects. The platform is currently updating its smart contract and working with Cyberscope, BlockSec, SolidProof, and other firms to ensure any new modifications pass multiple reviews before fully restoring its locker features. However, an exact timeline for these measures remains undisclosed.
Recovery Efforts for Projects: Crypto Recovery Plans and Fund Restoration
Munch Protocol has updated its community on the assistance provided by GemPad following the exploit. The recovery plan includes waiving all upfront fees, providing advisory services, pinning their presale for maximum exposure, and partnering with GemPad's network for marketing efforts. Additionally, Munch Protocol is implementing a shared compensation model where recovered liquidity is split between GemPad’s contribution and additional funds raised by project owners, ensuring a collaborative effort toward full recovery. It is reasonable to assume that similar support is being offered to other affected projects.
However, it appears that GemPad cannot take full accountability for the incident and refund the entire amount stolen back to the projects, as the company did not set aside funds specifically for such incidents. This limitation complicates the fund recovery efforts and underscores the challenges in fully compensating all affected parties.
Ongoing investigations focus on tracking stolen assets; GemPad has not announced a specific timeline but emphasizes determination in its attempt to retrieve funds. New or revised locker contracts will only resume after thorough smart contract audits by Assure DeFi and others.
Lessons and Next Steps: Improving DeFi Security and Preventing Future Exploits
The GemPad exploit underscores the critical importance of accountability within the decentralized finance (DeFi) ecosystem. GemPad must transparently communicate why it cannot fully refund the affected projects, even over an extended period, as it did not allocate separate funds to cover such incidents. This shortfall raises serious concerns about the platform's preparedness to handle security breaches and protect the interests of the projects that trusted it.
Furthermore, auditing firms Cyberscope and SolidProof need to address why they failed to identify the reentrancy vulnerability in GemPad’s smart contract despite conducting thorough audits. Questions remain about their accountability, the measures they will implement to prevent similar oversights, and whether their auditing processes require further enhancement. This incident may also prompt the community to reconsider their reliance on audit firms solely based on cost-effectiveness, emphasizing the need for comprehensive security assurances.
On a positive note, the swift and collective response from numerous audit and security companies, including BlockSec, Hexagate, Certik, and others, is reassuring. Their support during the GemPad incident highlights the presence of dedicated professionals in the industry committed to enhancing DeFi security. This collaborative spirit is a promising sign for the future, fostering a more secure and resilient DeFi landscape through continuous improvement and community vigilance.
Disclaimer: This article is not financial advice. Investing in cryptocurrencies involves significant risk, and you should conduct your own research or consult a financial advisor before making any investment decisions.