GemPad Reentrancy Exploit In Lock Contract
GemPad is a launchpad application for new projects, supporting a variety of different Seed Rounds, Private Sales, Partial Raises, Presales, Fair Launches, Hyper launches and Stealth Launches. Despite audits by both Cyberscope and Solidproof, the project still contained a reentrancy vulnerability and suffered a smart contract attack which drained roughly $2m worth of funds. The impact was reportedly limited to 27 of the roughly 3,000 projects that use the protocol, and the team has reportedly reached out to all affected projects and to multiple blockchain authorities to assist with recovery.[1][2][3][4][5][6][7][8][9][10][11][12]
About GemPad
"The Launchpad for everyone who wants to launch or invest in the best projects. GemPad offers unmatched support and most affordable fees in the industry."
"We have crafted an all-in-one platform, providing users with numerous features that can be used with no coding requirements. We offer an affordable, feature-rich launchpad with different types of Whitelists, Liquidity and Token Locks, Staking Pools along with other options as well as a huge investor base and a network of partners that offer any crypto related service you need."
"GemPad stands as a premier multi-chain decentralized launchpad and crowdfund, offering a cutting-edge platform for users and project owners to initiate their projects and tokens.
Leveraging the capabilities inherent in the ETH Diamond standard (EIP-2535), GemPad delivers a highly optimized decentralized application (dApp), positioning itself as a leader within the Web3 ecosystem."
"We support Seed Rounds, Private Sales, Partial Raises, Presales, Fair Launches, Hyper launches and Stealth Launches which no other launchpad out there supports at the moment. New addition to the list has been added on the 31st of January with the Evolution Update. GemPad now also supports Liner and OTC Sales."
The Reality
What Happened
"The @TheGemPad protocol experienced a security breach on Ethereum, BNB, and Base networks, resulting in a loss of approximately $2.2 million."
| Date | Event | Description |
|---|---|---|
| December 16th, 2024 11:53:23 PM MST | Attack Transaction | One of the attack transactions happens on Ethereum, exploiting the re-entrancy vulnerability. |
| December 17th, 2024 2:29:00 AM MST | OKLink Tweet | OKLink posts a tweet with the first details of the attack, which has just been noticed, on Twitter/X. |
| December 17th, 2024 3:50:00 AM MST | GemPad Announcement | GemPad announces the exploit on Twitter/X and describes the situation as "fully identified and fixed". |
| December 17th, 2024 4:09:00 AM MST | GemPad Update Posted | GemPad updates their announcement to use the term "mitigated" instead of "fixed", which implies that the problem has been addressed to a certain extent but not necessarily completely resolved. They add extra details about the safety of other locks and mention that the GemPad team has time to implement a complete contract upgrade. |
| December 17th, 2024 4:11:00 AM MST | Locker Temporarily Unavailable | The GemPad update is modified to include details that the locker product is temporarily unavailable until the next update. A checkmark emoticon is removed. |
| December 17th, 2024 5:44:00 AM MST | CyversAlert Tweet | CyversAlert posts a tweet online highlighting the breach, and estimating losses as close to $2m. |
| December 18th, 2024 4:04:00 AM MST | New Update Shared | GemPad posts a further update on the status of the breach, noting that "the issue in the contract was identified very quickly, ensuring no further projects on GemPad are at risk. Out of over 3,000 projects launched or locked through us, 27 were affected yesterday". |
Technical Details
"The attack was made possible due to the absence of nonReentrant protection in the GempadLock contract."
"The tokens affected were from three major chains – Ethereum, Base, and BNB Smart Chain. The GempadLock smart contract was the flawed entry point, due to lack of reentrancy protection.
The exploit happened despite the recent audit by Cyberscope. GemPad was even given a high security score, though the flaw was found within one function in one smart contract."
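The pattern the quotes above describe, shown as an added illustration that is not GemPad's code: a hypothetical token locker whose unlock() performs the external token transfer before clearing the lock and carries no nonReentrant guard, beside a hardened version that applies OpenZeppelin's ReentrancyGuard and the checks-effects-interactions order. Contract names, the Lock struct and the OpenZeppelin Contracts 5.x import paths are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Shared storage for an illustrative token locker (hypothetical, not GemPad's code).
abstract contract LockerBase {
    struct Lock { address owner; address token; uint256 amount; uint64 unlockTime; }
    mapping(uint256 => Lock) public locks;
    uint256 public nextId;

    function lock(address token, uint256 amount, uint64 unlockTime) external returns (uint256 id) {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        id = nextId++;
        locks[id] = Lock(msg.sender, token, amount, unlockTime);
    }
}

// Weak pattern: the external call (token transfer) runs before the lock is cleared and
// there is no reentrancy guard. A token whose transfer invokes a hook on the recipient
// lets that recipient re-enter unlock() while locks[id] is still intact, so the same
// lock can be paid out more than once before the delete finally executes.
contract LockerVulnerable is LockerBase {
    function unlock(uint256 id) external {
        Lock storage l = locks[id];
        require(msg.sender == l.owner, "not owner");
        require(block.timestamp >= l.unlockTime, "still locked");
        require(IERC20(l.token).transfer(l.owner, l.amount), "transfer failed"); // interaction
        delete locks[id];                                                      // effect, too late
    }
}

// Hardened pattern: nonReentrant rejects nested entry outright, and checks-effects-
// interactions clears the lock before any external call, so even without the guard a
// re-entry would fail the owner check because locks[id] is already zeroed.
contract LockerHardened is LockerBase, ReentrancyGuard {
    event Unlocked(uint256 indexed id, address indexed owner, uint256 amount);

    function unlock(uint256 id) external nonReentrant {
        Lock memory l = locks[id];                     // checks
        require(msg.sender == l.owner, "not owner");
        require(block.timestamp >= l.unlockTime, "still locked");
        delete locks[id];                              // effects first
        emit Unlocked(id, l.owner, l.amount);
        require(IERC20(l.token).transfer(l.owner, l.amount), "transfer failed"); // interaction last
    }
}
```

Either defence alone closes the re-entry path; using both means a future change to the call order in unlock() does not silently reopen it.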
Total Amount Lost
Most sources put the loss at around $2m USD. OKLink reports losses of $2.2m USD, while other sources such as Rekt.news list them at $1.9m.
The total amount lost has been estimated at $2,200,000 USD.
Immediate Reactions
"Several projects watched helplessly as their supposedly secured assets slipped through GemPad's fingers, victims of DeFi's most notorious exploit pattern."
"BPay, Munch, Nutcoin, and others scrambled to calm their communities while GemPad raced to patch the vulnerability.
The protocol swiftly acknowledged the breach and began working with affected projects, but their stolen liquidity had already scattered across chains."
"As some of you may have noticed, an incident occurred last night where someone managed to breach our security locks.
We immediately contacted all of our partners and experts in the space to investigate and resolve the situation. The issue has now been fully identified and mitigated.
All other locks are now safe giving GemPad team time to push a complete contract upgrade.
Locker is temporarily unavailable until our next announcement.
Only a small number of projects were affected, and we can confidently assure you that this issue CAN NOT happen to any other projects launched through GemPad anymore, so all your funds, tokens and liquidity now are safe.
For all the projects that were affected, we are deeply sorry and we will contact them all and work with them.
We will provide further updates through official announcements as soon as we have more information. Until then, we ask for your patience and understanding allowing us to work on the matter.
Thank you for your trust and support."
"Our system has detected multiple suspicious transactions involving @TheGemPad!
It appears that an attacker breached @TheGemPad's security locks across multiple chains. The total loss is estimated to be close to $2M. The attacker drained digital assets from GemPad Lock and swapped them to $ETH, $BNB."
Ultimate Outcome
"Our team is still in shock from the events that unfolded yesterday. We take safety very seriously and we never imagined something like this could happen.
GemPad’s lock contracts have been thoroughly audited by two of the most reputable companies in the space, @Cyberscope_io and @SolidProof_io both confirming there were no risks on the contract.
Thanks to the swift intervention of a trusted cybersecurity company that reached out to us yesterday, the issue in the contract was identified very quickly, ensuring no further projects on GemPad are at risk. Out of over 3,000 projects launched or locked through us, 27 were affected yesterday. While any impact is deeply regrettable and should never happen, we are relieved the damages were not more extensive and proud of how fast our team acted to mitigate the issue.
Today, we will be holding an internal team meeting to finalize a plan for supporting the affected projects. Our top priority is recovering the stolen funds, and we are working closely with our partners and specialized cybersecurity firms, who are already on the case.
We deeply appreciate your understanding and support during this challenging time. Thank you for standing by us."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Rekt - GemPad - Rekt (Accessed Dec 20, 2024)
- [2] @OKLink Twitter (Accessed Dec 20, 2024)
- [3] @OKLink Twitter (Accessed Dec 20, 2024)
- [4] Ethereum Transaction Hash 0x7b67...1dd02a | Blockchain Explorer | OKLink (Accessed Dec 20, 2024)
- [5] Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Dec 20, 2024)
- [6] @CyversAlerts Twitter (Accessed Dec 20, 2024)
- [7] audits/gempad/audit.pdf at main · cyberscope-io/audits · GitHub (Accessed Dec 20, 2024)
- [8] Projects/2024/Gempad_LockV2/SmartContract_Audit_Solidproof_Gempad_LockV2.pdf at main · solidproof/Projects · GitHub (Accessed Dec 20, 2024)
- [9] @TheGemPad Twitter (Accessed Dec 20, 2024)
- [10] @TheGemPad Twitter (Accessed Dec 20, 2024)
- [11] The Gem Pad token launchpad has been exploited for $2M on multiple chains (Accessed Dec 20, 2024)
- [12] Introducing GemPad | GemPad - The Launchpad For You (Accessed Dec 20, 2024)