How Gempad Secured Their Multi-Chain Token Locker with a Comprehensive Assure DeFi Audit

March 12, 2026
Last Updated: February 17, 2026

Project Overview

Gempad operates a sophisticated token locking platform that enables projects to lock liquidity provider (LP) tokens and standard tokens with flexible vesting schedules across multiple blockchain networks. The platform serves as critical infrastructure for DeFi projects seeking to demonstrate commitment to their communities through token locks and vesting mechanisms.

The GemPadLock contract provides essential functionality including normal locks with fixed unlock dates, vesting locks with customizable release schedules, batch locking capabilities for multiple recipients, and NFT-gated access controls. Given the high-value nature of locked assets and the platform's role in establishing project credibility, Gempad engaged Assure DeFi to conduct a comprehensive security assessment before deployment.

The audit was conducted in December 2024 as an Advanced Edition assessment, representing Assure DeFi's most thorough audit tier with extensive manual review and attack vector testing.

Audit Scope and Methodology

The security assessment focused on the GemPadLock smart contract written in Solidity. The audit covered two versions:

Assure DeFi's methodology combined static analysis tools with extensive manual code review, focusing on:

The audit team developed custom test cases covering all contract logic paths, executing over 100 individual test scenarios to validate security across normal operations, edge cases, and attack vectors.

Security Findings Overview

The Assure DeFi audit identified 9 total findings across the GemPadLock contract, with no high-severity vulnerabilities discovered. The severity breakdown demonstrates a generally well-architected codebase with specific areas requiring hardening:

The absence of high-severity vulnerabilities indicates strong foundational security practices. The medium-severity findings primarily related to economic controls (fee caps), gas optimization for batch operations, and upgrade mechanism security—all critical areas for a production token locker platform.

Gempad's development team demonstrated excellent responsiveness throughout the audit process, implementing fixes for all actionable findings and providing clear documentation for acknowledged design decisions.

Key Findings and Resolutions

Medium Severity Findings

M-01: Unrestricted Fee Setting Could Enable Excessive Charges

The updateFee() function initially lacked maximum caps on fee parameters, potentially allowing the contract owner to set arbitrarily high fees for project creation, LP token locks, and normal token locks. This presented a trust issue where users could face unexpected or exploitative costs.

Resolution: The team implemented a maximum fee cap of 1 ETH across all fee parameters, providing users with predictable cost ceilings while maintaining operational flexibility for the platform.

M-02: Gas Optimization for Batch Lock Operations

The multipleLock() and multipleVestingLock() functions process arrays of owners and amounts without length restrictions. Excessively large arrays could cause out-of-gas errors, potentially locking user funds in failed transactions or enabling denial-of-service attacks.

Resolution: A maximum array length of 200 addresses was implemented, balancing batch efficiency with gas safety. This limit ensures transactions remain executable while still supporting substantial batch operations.
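
The two bounds from M-01 and M-02 expressed in Solidity, as an added example that is not taken from the GemPadLock source. The contract name, storage layout and error names are hypothetical; only the 1 ETH cap and the 200-address limit come from the text above, and the token is assumed to be a standard ERC-20 that returns a bool and charges no transfer fee.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not GemPadLock source. All names are hypothetical.
// Assumes a standard ERC-20 that returns bool and takes no transfer fee.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract BoundedLocker {
    uint256 public constant MAX_FEE = 1 ether; // M-01: ceiling for every fee parameter
    uint256 public constant MAX_BATCH = 200;   // M-02: ceiling on recipients per call

    address public immutable owner = msg.sender;
    uint256 public projectFee;
    uint256 public lpLockFee;
    uint256 public normalLockFee;
    mapping(address => mapping(address => uint256)) public locked; // token => owner => amount

    error FeeTooHigh(uint256 requested);
    error BadBatch(uint256 owners, uint256 amounts);

    function updateFee(uint256 project, uint256 lp, uint256 normal) external {
        require(msg.sender == owner, "not owner");
        // Check each parameter on its own: one uncapped field defeats the cap.
        if (project > MAX_FEE) revert FeeTooHigh(project);
        if (lp > MAX_FEE) revert FeeTooHigh(lp);
        if (normal > MAX_FEE) revert FeeTooHigh(normal);
        (projectFee, lpLockFee, normalLockFee) = (project, lp, normal);
    }

    function multipleLock(IERC20 token, address[] calldata owners, uint256[] calldata amounts) external {
        // Reject empty, mismatched, or oversized input before any loop work.
        if (owners.length == 0 || owners.length != amounts.length || owners.length > MAX_BATCH)
            revert BadBatch(owners.length, amounts.length);
        uint256 total;
        for (uint256 i = 0; i < owners.length; ++i) {
            require(owners[i] != address(0), "zero owner");
            locked[address(token)][owners[i]] += amounts[i];
            total += amounts[i];
        }
        // Single pull for the whole batch; worst-case loop cost is fixed by MAX_BATCH.
        require(token.transferFrom(msg.sender, address(this), total), "transfer failed");
    }
}
```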

M-03: UUPS Upgrade Mechanism Security Gap

The contract inherited from UUPSUpgradeable without implementing the required _authorizeUpgrade() function, potentially exposing the contract to unauthorized upgrade attempts depending on the parent contract structure.

Resolution: After review, the team determined UUPS upgradeability was not required for the contract's design. The entire UUPS library was removed, eliminating the attack surface and simplifying the contract architecture.

Notable Low Severity Findings

L-02: Excess ETH Fee Handling

When users paid fees via ETH, any amount sent beyond the required fee was not refunded, potentially causing accidental loss of funds from overpayment.

Resolution: Refund logic was implemented to automatically return excess ETH to users, improving user experience and preventing accidental fund loss.

L-06: Deflationary Token Support

The initial implementation used exact balance checking that would revert when locking deflationary or fee-on-transfer tokens, limiting platform compatibility with a significant token category.

Resolution: The _safeTransferFromEnsureExactAmount() function was replaced with _safeTransferFrom() that calculates actual balance differences, enabling support for deflationary tokens while maintaining security.
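
The refund from L-02 and the balance-difference transfer from L-06 combined in one lock function, as an added example that is not taken from the GemPadLock source. The contract, function and variable names and the sample fee are hypothetical; the reentrancy guard is this example's own precaution, since balance-difference accounting can be miscounted if a token callback re-enters the deposit path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not GemPadLock source. Contract, function and variable
// names are hypothetical; only the two behaviours come from the audit summary.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract DeltaLocker {
    uint256 public lockFee = 0.01 ether; // constructed sample fee
    mapping(address => mapping(address => uint256)) public locked; // token => owner => amount
    bool private entered;

    // Guard added by this example: a re-entrant deposit would inflate the outer delta.
    modifier nonReentrant() {
        require(!entered, "reentrant");
        entered = true;
        _;
        entered = false;
    }

    function lock(IERC20 token, uint256 amount) external payable nonReentrant returns (uint256 received) {
        require(msg.value >= lockFee, "fee not paid");

        // L-06: credit what actually arrived, not what was requested.
        received = _pull(token, msg.sender, amount);
        require(received > 0, "nothing received");
        locked[address(token)][msg.sender] += received;

        // L-02: return any overpayment; done last, after state is final.
        uint256 excess = msg.value - lockFee;
        if (excess > 0) {
            (bool ok, ) = payable(msg.sender).call{value: excess}("");
            require(ok, "refund failed");
        }
    }

    function _pull(IERC20 token, address from, uint256 amount) internal returns (uint256) {
        uint256 beforeBal = token.balanceOf(address(this));
        require(token.transferFrom(from, address(this), amount), "transfer failed");
        // Checked arithmetic reverts if the balance decreased during the transfer.
        return token.balanceOf(address(this)) - beforeBal;
    }
}
```

With a token that burns 2% on transfer, a request to lock 100 tokens records 98, so later unlocks never try to release more than the contract holds.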

Audit Methodology and Testing

Assure DeFi conducted an Advanced Edition audit combining automated analysis with extensive manual security review. The assessment methodology included:

Static Analysis: Automated scanning for common vulnerability patterns including reentrancy, integer overflow/underflow, unchecked external calls, and access control issues.

Manual Code Review: Line-by-line examination of contract logic by senior security auditors, focusing on business logic flaws, economic attack vectors, and edge cases that automated tools cannot detect.

Attack Vector Testing: Systematic testing of known attack patterns including:

Custom Test Suite: The audit team developed comprehensive test cases covering normal operations, edge cases, and malicious scenarios. Testing included validation of lock creation, vesting schedules, unlock mechanisms, fee collection, NFT gating, and administrative functions across multiple user roles and token types.

All tests were executed in isolated environments simulating mainnet conditions to ensure findings reflected real-world deployment scenarios.

Resolution and Remediation

Gempad's development team demonstrated exceptional commitment to security throughout the audit process. All three medium-severity findings were addressed with comprehensive fixes:

Of the six low-severity findings, four received complete fixes including zero-address validation, excess ETH refunds, receive function implementation, and deflationary token support. One finding regarding project ownership auto-assignment was acknowledged as intentional design and will be clearly documented in the project's technical documentation.

The audit process followed this timeline:

The final audit resulted in a 90/100 security score and PASS status, confirming the GemPadLock contract meets Assure DeFi's security standards for production deployment. The contract is now well-secured against known attack vectors and ready to safely manage locked tokens across multiple blockchain networks.

Secure Your Smart Contracts with Assure DeFi

Gempad's successful audit demonstrates the value of comprehensive security assessment before deploying high-value DeFi infrastructure. Whether you're building token lockers, DEX protocols, lending platforms, or NFT marketplaces, Assure DeFi's Advanced Edition audits provide the thorough security review your project needs.


Disclaimer

This case study is based on publicly available audit reports from the Gempad security assessment completed in December 2024. All findings discussed have been resolved or acknowledged by the development team. This content is for informational purposes only and does not constitute security advice, financial advice, or investment recommendations. Users should conduct their own due diligence before interacting with any smart contract platform.