The adult entertainment blockchain platform SpankChain fell victim to a hack that cost the startup 165.35 ETH, worth $38,000 at the time, and froze around $4,000 worth of BOOTY tokens.
SpankChain Smart Contract Hacked
SpankChain announced in a blog post that its smart contract had been hacked over the weekend by an unknown cybercriminal. The startup found the breach on Sunday evening and immediately took Spank.Live offline to prevent any further financial damage to the startup and its users.
The assailant managed to steal around $38,000 worth of ETH and froze about $4,000 worth of BOOTY tokens through his actions.
Out of the around $40,000 stolen/frozen during the cyber attack, approximately $9,300 worth of tokens belong to users. SpankChain said that it would reimburse users their lost funds through an ETH airdrop directly to their SpankChain account as soon as Spank.Live will go back online. The reboot is expected for later this week, and users do not need to do anything but wait for their account to be refilled with ETH.
How Was the Theft Made Possible?
The unknown hacker managed to exploit a “reentrancy” bug, similar to the one in the DAO hack of June 2016, by creating a malicious smart contract mimicking an ERC20 token that was able to drain ETH several times as its “transfer” function called back into the payment channel, according to SpankChain.
The hacker’s contract was initially called createChannel, which they used to set up the channel and then called LCOpenTimeout repeatedly via reentrancy. LCOpenTimeout exists to enable users to exit payment channels rapidly that have not been joined by the counter-party yet.
The LCOpenTimeout transfers a user his or her initial deposited ETH and token balance, which were both initially set in the createChannel function. The LCOpenTimeout function solely erases the on-chain channel data after the digital token transfer function, which enabled the hacker’s malicious smart contract to call LCOpenTimeout in a look to repeatedly send the same amount of ETH the cybercriminal held in their channel balance.
While SpankChain had a smart contract security audit conducted for its previous unidirectional payment channels library, the company decided not to audit its existing payment channel due to the high costs quoted for such a review and the continuing development of its platform, which would require further costly audits down the road.
However, SpankChan has promised to step up its security practices going forward to prevent another hack like this from affecting its platform and its users.
“As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit,” SpankChain said in its statement.