Rob Behnke
December 19th, 2024
In December 2024, GemPad – a no-code smart contract deployment platform – was the victim of a hack targeting its smart contracts across the Ethereum, BNB Chain, and Base networks. The attacker stole an estimated $1.9 million of locked assets from the protocol by exploiting a reentrancy vulnerability in the project’s smart contracts.
Reentrancy is one of the most famous smart contract vulnerabilities in existence. Vulnerable contracts transfer execution to an external smart contract without performing a full state update. For example, a withdrawal function may transfer tokens to the target address without updating the user’s balance.
This is problematic since an attacker can reenter the vulnerable function and take advantage of the invalid state (such as an unchanged balance after a successful withdrawal). Since this vulnerability is so common, reentrancy guards and coding best practices are publicly available to defend against it.
In the case of GemPad, the reentrancy vulnerability existed in the project’s collectFees function. The attacker deployed smart contracts implementing malicious functions that caused the attacker’s contract to be called back whenever tokens were transferred.
Once the attacker locked assets within the GemPad contract, they were able to withdraw these assets with each iteration of the reentrancy exploit. As a result, the attacker was able to drain several times as much value from the contract as was originally locked.
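The pattern described in the two passages above (an external call made before the state update, then re-entered on a token-transfer callback) is illustrated below with a simplified fee-collection function, first vulnerable and then hardened with checks-effects-interactions and a reentrancy guard. This is an added example, not GemPad’s code; the contract names, the `fees` mapping and the assumption that the token invokes a hook on the recipient during `transfer` are all illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface. The example assumes a token that calls a hook on the
// recipient during transfer (hypothetical here), which is what makes re-entry possible.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE: the external call happens before the balance is zeroed.
contract VulnerableFeeVault {
    mapping(address => uint256) public fees;

    function collectFees(IERC20 token) external {
        uint256 owed = fees[msg.sender];
        require(owed > 0, "nothing to collect");
        // Interaction first: if the token hands control to msg.sender during transfer,
        // msg.sender can call collectFees again while fees[msg.sender] is still unchanged,
        // and each nested call pays out the same amount again.
        require(token.transfer(msg.sender, owed), "transfer failed");
        fees[msg.sender] = 0; // effect applied too late
    }
}

// HARDENED: checks-effects-interactions ordering plus a reentrancy guard.
contract HardenedFeeVault {
    mapping(address => uint256) public fees;
    uint256 private _status = 1; // 1 = not entered, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    function collectFees(IERC20 token) external nonReentrant {
        uint256 owed = fees[msg.sender];            // checks
        require(owed > 0, "nothing to collect");
        fees[msg.sender] = 0;                       // effects: zero the balance first
        require(token.transfer(msg.sender, owed), "transfer failed"); // interactions last
    }
}
```

Either defence alone blocks the re-entry; using both is the common practice, since the guard also protects against re-entry through other functions that share the same state.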
Since the vulnerability existed in multiple instances of GemPad’s smart contracts, the attacker exploited it on three blockchains. Across Base, Ethereum, and BNB Chain, the attacker stole an estimated $1.9 million. The majority of these assets were then sent to a mixing service, enabling the attacker to launder the stolen crypto and prevent it from being frozen on exchanges.
GemPad is a no-code platform for creating token contracts, enabling organizations to deploy tokens from pre-audited templates. As a result, the vulnerability in GemPad’s underlying infrastructure impacted several different projects, including BPay, Munch Protocol, AnonFi, and others.
This incident demonstrates the importance of a comprehensive audit of a project’s smart contracts and the infrastructure that they rely upon. In this case, the smart contracts deployed by the organizations using the protocol had all been audited, reducing the risk that they could contain undetected vulnerabilities. However, the underlying infrastructure had a fundamental security weakness, exposing all GemPad’s customers to attack.
When deploying code on-chain, it’s important to ensure the security of your contracts and all of their critical dependencies. For help with protecting your contracts against attack, reach out to Halborn to discuss a security audit.