SpankChain, an Ethereum-based adult entertainment platform, reported a smart contract security breach that led to a loss of 165 ETH. The company reported via a Medium post that a hacker managed to get away with $38,000 worth of ETH by exploiting a bug in SpankChain’s smart contracts.
SpankChain is the name of the Ethereum-based smart contract, and BOOTY is the ERC-20 token it uses to let people tip during live webcam performances. Due to the hack, BOOTY tokens worth $4,000 were also frozen. The hack took place on October 6 and was detected by SpankChain the next day.
“Unfortunately, as we were in the middle of investigating other smart contract bugs, we didn’t realize the hack had taken place until 7:00pm PST Sunday, at which point we took Spank.Live offline to prevent any additional funds from being deposited into the payment channels smart contract,” read the company’s blog post.
How did the SpankChain hack happen?
According to the blog post, the hack used a reentrancy attack. In a reentrancy attack, the attacker is able to call a function in the smart contract again before the previous call to it has finished executing. Because the contract has not yet updated its bookkeeping when the nested call arrives, the attacker can repeatedly withdraw cryptocurrency before the contract records that the balance has already been paid out.
“In short, the attack capitalized on a “reentrancy” bug, much like the one exploited in The DAO,” said the blog post. “The attacker created a malicious contract masquerading as an ERC20 token, where the “transfer” function called back into the payment channel contract multiple times, draining some ETH each time.”
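As an added illustration of the ordering problem the post describes (this is hypothetical example code, not SpankChain’s contract, which is not reproduced here), a settlement function that calls a caller-supplied token contract before zeroing the channel’s balances, beside a hardened version that applies checks-effects-interactions, a reentrancy guard and a fixed token address. The `Channel` struct and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE (hypothetical): balances are cleared only after the external
// calls, so a token contract whose transfer() re-enters settle() sees the
// old, unchanged balances and the ETH payout runs once per nested call.
contract ChannelVulnerable {
    struct Channel { uint256 weiBalance; uint256 tokenBalance; address token; }
    mapping(address => Channel) public channels;

    function settle() external {
        Channel storage c = channels[msg.sender];
        require(c.weiBalance > 0 || c.tokenBalance > 0, "empty channel");
        // INTERACTION before EFFECT: c.token is whatever the participant
        // registered, so arbitrary code runs here with balances still intact.
        require(IERC20(c.token).transfer(msg.sender, c.tokenBalance), "token transfer failed");
        payable(msg.sender).transfer(c.weiBalance);   // ETH leaves on every re-entry
        c.weiBalance = 0;                             // EFFECT far too late
        c.tokenBalance = 0;
    }
}

// HARDENED (hypothetical): effects first, external calls last, a mutex
// that rejects nested calls, and a single trusted token fixed at deployment
// so a participant cannot substitute a contract of their own choosing.
contract ChannelHardened {
    struct Channel { uint256 weiBalance; uint256 tokenBalance; }
    mapping(address => Channel) public channels;
    IERC20 public immutable token;
    bool private locked;

    constructor(IERC20 trustedToken) { token = trustedToken; }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function settle() external nonReentrant {
        Channel storage c = channels[msg.sender];
        uint256 weiOut = c.weiBalance;
        uint256 tokensOut = c.tokenBalance;
        require(weiOut > 0 || tokensOut > 0, "empty channel");
        c.weiBalance = 0;                              // EFFECTS first
        c.tokenBalance = 0;
        require(token.transfer(msg.sender, tokensOut), "token transfer failed"); // INTERACTIONS last
        payable(msg.sender).transfer(weiOut);
    }
}
```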
While most of the hacked funds belonged to SpankChain, the company has promised to reimburse all the users’ funds as soon as possible. The company assured users in the blog post that it is their “immediate priority” to fully reimburse every user. SpankChain will reallocate $9,300 worth of ETH and BOOTY tokens to the users via an Ethereum airdrop.