SpankChain Smart Contract Compromised, Hackers Take $38,000 in Ethereum (ETH)

Blockchain-based adult entertainment protocol SpankChain revealed the theft of 165.8 ether (ETH), worth $38,000 at the time. The move occurred after hackers exploited a smart contract bug on the protocol, according to an official release on Oct.9.

SPANK is “Spanked”

As stated, the hack took place on Oct.6 when the SpankChain team was investigating multiple bugs on the $22.4 million-valued protocol. Of the total haul, 34.99 ETH and 1271.88 BOOTY tokens – which are generated when SPANK tokens are staked–belonged to users, and SpankChain owned the remainder.

The team swiftly took their Spank.Live streaming service offline on locating the theft, and have since closed their camsite to prevent the transactions of stolen funds into the payment channel’s smart contract. Interestingly, the team found out about the hack on Oct.7, a day later than the actual theft.

For the uninitiated, SpankChain’s is a multi-token protocol which utilizes SPANK tokens for staking purposes and creating smart contracts. Upon staking, users receive BOOTY tokens in proportion to their staked amount for use in purchasing the site’s services and tipping models. The latter are redeemable for SPANK tokens in the so-called SpankBank, and nefarious access to BOOTY tokens means free money for hackers if they encashed swiftly.

The team announced a refund of stolen funds to its users and are preparing an ETH and BOOTY airdrop worth $9,300–the amount stolen from user funds – to cover losses and create a strong brand image. Airdropped tokens will be deposited to a user’s SpankBank account and made available when Spank.Live is rebooted, with the team guaranteeing the tokens credited once all systems are running again.

SpankChain explained that the delay in launching the camsite is due to security and development reasons. The team is aiming to patch all bugs in the network, update Spank.Live with a new smart contract to prevent a repeat, and fix bugs discovered during the BOOTY upgrade.

As part of the smart contract’s inbuilt security, 4,000 BOOTY tokens were “immobilized” when the theft took place. However, while the site will function as normal, the locked tokens mean SpankChain will reduce the BOOTY limit for each viewer to ten per user–allowing tips of no more than the amount. Users depositing extra ETH without knowledge of this point need not despair as well, as additional funds shall be immediately recharged in tranches of 10 BOOTYs.

Attack Explained

Explaining the attack, the team believe hackers infiltrated a known “reentrancy” bug–the same fallacy explained the infamous DAO hack. Attackers created a smart contract disguised as an ERC20 token, where the “transfer” function allowed “paid” funds to be sent into the payment channel contract multiple times.

The malicious contract opened up a payment channel and allowed hackers to enter and exit the contract without the presence of a counter-party. Unfortunately, the native “LCOpenTimeout” function caused only on-chain to be deleted, and let hackers conduct another payment into the same contract; thus creating a loop. By transferring tokens to the smart contract and back, hackers were able to gain ETH equivalent to their initial SPANK balance.

SpankChain admitted they decided against a security audit for the payment channel contract, citing expensive cost. The company hired blockchain audit firm Zeppelin for investigating a unidirectional channels library bug but faced a conundrum when the audit’s fee of $17,000 exceeded the funds held by the contract.

In conclusion, the team noted all security bugs have been identified and are currently being repaired. Also, they are making it mandatory for multiple “internal” audits for all smart contract codes published on the SpankChain protocol, and “at least” one external audit.

For those interested, SpankChain has made public the hacker’s payment channel contract, attacker’s address, internal attacker’s address, malicious contract address.