Axiom Security, Base
How We Caught GemPad Lock’s $1.9M Reentrancy Before It Happened
We built an AI-powered smart contract scanner and tested it against real exploits on Base chain. GemPad Lock was our blind test — we scanned the contract without knowing the outcome.
The scanner caught the reentrancy vulnerability that later caused a $1.9M loss.
THE VULNERABILITY
GemPad Lock lets users lock tokens and LP positions with vesting schedules. The bug was in lock creation: the contract called external token transfers (via transferFrom) before updating its internal state.
This is a textbook checks-effects-interactions violation. A malicious token contract could re-enter during the transfer callback and manipulate lock accounting — creating phantom locks or draining existing ones.
WHAT OUR SCANNER FOUND
We ran three tools plus AI review:
- Aderyn: 19 issues (2 HIGH severity)
- Slither: failed on dependencies (common with complex contracts)
- Mythril: failed on parser errors
- AI Review: identified reentrancy pattern in lock/unlock flow
Coverage was MEDIUM (17.4% of source analyzed) due to the contract’s size. Despite limited coverage, the critical vulnerability was detected.
Safety Score: 19/100.
THE FIX
The fix is a single pattern change: update state before making any external call (checks-effects-interactions). Alternatively, add OpenZeppelin’s ReentrancyGuard and put its nonReentrant modifier on every state-changing function.
```solidity
// Vulnerable: interaction before effect
function createLock(…) external {
    token.transferFrom(msg.sender, address(this), amount); // external call first
    locks[id] = Lock(amount, …);                            // state update second
}

// Fixed: effect before interaction, plus the guard (contract inherits ReentrancyGuard)
function createLock(…) external nonReentrant {
    locks[id] = Lock(amount, …);                            // state update first
    token.transferFrom(msg.sender, address(this), amount); // external call second
}
```
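To make the pattern concrete, here is an added example (not GemPad’s code, and not part of the original post) that writes a minimal lock contract both ways and then verifies, in a Foundry test, that the hardened version rejects a nested call. A plain ERC20 `transferFrom` has no callback; the re-entry path exists only for tokens with hooks or a deliberately malicious token, so the fixture below is a mock token whose `transferFrom` calls back into the lock. Contract names (`VulnerableLock`, `HardenedLock`, `MockReentrantToken`, `LockTest`), the `Lock` struct layout and the OpenZeppelin v5 / forge-std import paths are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the audited project. Assumes OpenZeppelin v5 and forge-std.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {Test} from "forge-std/Test.sol";

struct Lock { address owner; address token; uint256 amount; uint64 unlockTime; }

// Vulnerable shape: the external call sits between reading nextId and writing the lock,
// so a re-entering token sees stale accounting (same id, nextId not yet advanced).
contract VulnerableLock {
    uint256 public nextId;
    mapping(uint256 => Lock) public locks;

    function createLock(address token, uint256 amount, uint64 unlockTime) external returns (uint256 id) {
        id = nextId;                                                     // read
        IERC20(token).transferFrom(msg.sender, address(this), amount);   // interaction
        locks[id] = Lock(msg.sender, token, amount, unlockTime);         // effect, too late
        nextId = id + 1;
    }
}

// Hardened shape: checks, then all storage writes, then the external call; nonReentrant as defence in depth.
contract HardenedLock is ReentrancyGuard {
    using SafeERC20 for IERC20;

    uint256 public nextId;
    mapping(uint256 => Lock) public locks;

    event LockCreated(uint256 indexed id, address indexed owner, address token, uint256 amount);

    function createLock(address token, uint256 amount, uint64 unlockTime)
        external nonReentrant returns (uint256 id)
    {
        require(amount > 0, "zero amount");                      // checks
        require(unlockTime > block.timestamp, "unlock in past");
        id = nextId++;                                           // effects
        locks[id] = Lock(msg.sender, token, amount, unlockTime);
        IERC20 t = IERC20(token);                                // interaction last
        uint256 before = t.balanceOf(address(this));
        t.safeTransferFrom(msg.sender, address(this), amount);   // reverts on false-returning tokens
        require(t.balanceOf(address(this)) - before == amount, "fee-on-transfer token");
        emit LockCreated(id, msg.sender, token, amount);
    }

    function withdraw(uint256 id) external nonReentrant {
        Lock memory l = locks[id];
        require(l.owner == msg.sender, "not owner");
        require(block.timestamp >= l.unlockTime, "still locked");
        delete locks[id];                                        // effect before interaction
        IERC20(l.token).safeTransfer(msg.sender, l.amount);
    }
}

// Test fixture (constructed for this example): a token whose transferFrom calls back into the lock once.
contract MockReentrantToken {
    HardenedLock public target;
    bool public reentered;
    mapping(address => uint256) public balanceOf;

    constructor(HardenedLock _target) { target = _target; balanceOf[msg.sender] = 1e24; }

    function transferFrom(address from, address to, uint256 amt) external returns (bool) {
        balanceOf[from] -= amt;
        balanceOf[to] += amt;
        if (!reentered) {
            reentered = true;
            // Nested call hits the guard and reverts; the revert bubbles up through this call.
            target.createLock(address(this), amt, uint64(block.timestamp + 1 days));
        }
        return true;
    }
}

contract LockTest is Test {
    function testGuardBlocksReentry() public {
        HardenedLock lock = new HardenedLock();
        MockReentrantToken tok = new MockReentrantToken(lock);
        // Any revert is accepted so the test holds for both the v4 string and the v5 custom error.
        vm.expectRevert();
        lock.createLock(address(tok), 1 ether, uint64(block.timestamp + 1 days));
    }
}
```

Run with `forge test --match-test testGuardBlocksReentry`. The balance-delta check after `safeTransferFrom` is there because effects-before-interactions alone does not cover a token that transfers less than requested; the lock record would otherwise overstate what the contract holds.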
WHAT THIS MEANS
Automated screening isn’t a replacement for formal audits. But it catches known patterns fast. GemPad’s reentrancy was a known pattern — one that appears in OpenZeppelin’s security checklist, in Slither’s detector list, and in every smart contract security course.
$1.9M lost to a pattern that automated tools can detect in 3 minutes.
We’re building AXIOM to make pre-deployment screening accessible. Free first scan at axiom-security.vercel.app.