On December 17, 2024, the crypto security community witnessed a textbook reentrancy attack that compromised 27 projects and resulted in approximately $1.8 million in losses. The target was Gempad, a multichain token launchpad that allows users to create and deploy new cryptocurrency tokens using pre-built smart contract templates. The incident serves as a stark reminder that convenience in decentralized finance often comes at the cost of security — and that a single flawed template can cascade across dozens of projects simultaneously.
At the time of the exploit, Bitcoin was trading at approximately $106,140 and Ethereum at $3,886, reflecting a market environment where DeFi activity was surging and capital was flowing into new token launches at an unprecedented pace. Gempad’s platform was designed to simplify the token creation process, offering users customizable templates for launching tokens, locking liquidity, and managing fee structures without writing smart contract code from scratch.
The Exploit Mechanics
The vulnerability was embedded in Gempad’s GempadLock contract — a liquidity token locker contract that manages LP token locking and fee collection. Specifically, the flaw existed in the collectFees function, which is responsible for collecting fees before locking LP tokens for a specified period.
The attacker deployed a malicious token with a custom transfer function. When the GempadLock contract called this token’s transfer function to collect fees, the malicious token’s transfer function immediately re-entered the collectFees function. Because the contract had not yet updated its internal state — the critical flaw — the reentrancy allowed the attacker to create a new LP lock before the first transaction completed. This is the same class of vulnerability that enabled the infamous DAO hack on Ethereum in 2016, demonstrating that fundamental smart contract security issues persist nearly a decade later.
The attacker effectively bypassed fee payment requirements entirely. Each reentrant call created a new LP lock without the corresponding fee deduction, draining the contract’s expected revenue and compromising its economic model. After extracting the funds, the attacker routed them through a mixing service to prevent the stolen assets from being traced and frozen on decentralized and centralized exchanges.
Affected Systems
The scope of the Gempad exploit was amplified by the platform’s template-based architecture. Because the flawed collectFees function existed in a shared template used by all projects on the platform, the vulnerability was not limited to a single token or project. A total of 27 projects were affected, each having deployed contracts derived from the same faulty template.
This pattern — a single template vulnerability propagating across multiple projects — represents an underappreciated systemic risk in the DeFi ecosystem. Token launchpads, NFT platforms, and yield farming protocols that rely on shared smart contract templates create a common attack surface. A single undetected flaw in the base template can compromise every project built on top of it, regardless of those projects’ individual security measures.
The affected projects spanned multiple blockchains, as Gempad operates as a multichain platform. The cross-chain nature of the exploit further complicated incident response and fund recovery efforts, as the attacker could move assets across different networks to obscure their trail.
The Mitigation Strategy
Preventing reentrancy attacks requires implementing established smart contract security patterns. The most effective approach is the Checks-Effects-Interactions pattern, which ensures that all state changes occur before any external calls are made:
The collectFees function should first verify conditions (checks), then update all internal state variables (effects), and only then interact with external contracts or tokens (interactions). By reordering operations so that the fee payment flag is set before the token transfer occurs, the reentrancy window is eliminated — any re-entering call will find that fees have already been marked as paid.
Additionally, a reentrancy guard provides a second layer of defense. This modifier uses a boolean lock variable that prevents any function from being called while it is already executing. If an attacker attempts to re-enter the function, the guard detects the lock is already engaged and reverts the transaction. Modern smart contract frameworks like OpenZeppelin provide battle-tested reentrancy guard implementations that should be applied to all functions handling external calls.
Lessons Learned
The Gempad exploit underscores several critical lessons for the DeFi community. First, template security is infrastructure security. When a platform provides shared smart contract templates, the security of that template becomes the security of every project built on it. Template providers must treat their code with the same rigor as core protocol developers — including comprehensive auditing, formal verification, and continuous monitoring.
Second, the incident highlights the danger of composability without security guarantees. DeFi’s strength — the ability to compose protocols and contracts together — becomes a liability when one component contains a vulnerability. The malicious token’s custom transfer function should not have been able to compromise the lock contract’s integrity, pointing to the need for more defensive programming practices.
Third, the attack demonstrates that classic vulnerabilities never truly disappear. Reentrancy has been a known attack vector since 2016, yet it continues to appear in new contracts. The security community must improve education and tooling to ensure that fundamental protections are always implemented, regardless of how simple or routine a contract may appear.
User Action Required
For users who interacted with Gempad or any of the 27 affected projects, immediate action is recommended. Check whether your LP tokens were locked using the GempadLock contract and monitor the contract address for any suspicious activity. If you hold tokens from affected projects, consider reaching out to project teams for updates on remediation plans. Developers building on template platforms should always verify that the underlying templates have undergone independent security audits and implement reentrancy guards on all state-changing functions.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.
a single flawed template taking down 27 projects for 1.8m. this is exactly why you audit before deploying, not after
reentrancy is like the oldest smart contract vulnerability and projects still get hit by it in 2024. auditors need to be mandatory
^ the problem is these launchpad templates look fine on the surface. the bug was in the lock contract, not the token itself
the lock contract got exploited, not the token itself. launchpad users would have no idea the template they picked had a vulnerable GempadLock. 27 projects destroyed by one dependency
27 projects destroyed by one template dependency. this is the supply chain problem nobody in defi wants to talk about. launchpad users trust the platform to vet templates
reentrancy has been documented since the DAO hack in 2016. 8 years later and launchpads still ship templates without guards. the issue is auditors check the token contracts but miss the auxiliary ones like lock and vesting
DAO was 2016 and the pattern is literally the same. external call before state update. its textbook at this point, no excuses