SpankChain, an Ethereum-based adult entertainment platform, lost around $38,000 after it was hit by a smart contract security breach. The incident was reported on Medium. In a blog post, the platform said that the hack took place on October 6 and was detected by SpankChain a day later.
The attackers managed to steal 165.38 Ethereum [ETH], which is worth around $38,000. Moreover, the security breach immobilized $4,000 worth of the SpankChain’s internal token BOOTY.
Most of the lost or immobilized funds were owned by SpankChain itself, but the platform asserted that reimbursing clients was an “immediate priority” for them. “We are preparing an ETH airdrop to cover all $9,300 worth of ETH and BOOTY that belonged to users,” the platform announced in the post.
The platform has currently halted its camsite Spank.Live to prevent users from depositing through the payment channel smart contract. The company plans to keep the camsite offline for a few days, though it did not specify when Spank.Live would be back online.
While the camsite is down, the platform will reboot the website to reset the payment channel smart contract, reset the native token distribution, carry out airdrop reimbursements, and eliminate the security weakness. “Funds will be sent directly to users’ SpankPay accounts and will be available as soon as we reboot Spank.Live,” the post mentioned.
The attack has been linked to the “reentrancy” bug, which is much like the one exploited in the DAO hack. The attacker reportedly created a malicious contract mimicking an ERC20 token, the “transfer” function called back into the payment channel contract multiple times, draining ETH each time.
Though smart contracts are widely known to be difficult to hack, they are relatively new because of which they are prone to bugs. These bugs can, in turn, be exploited by scammers.
The platform admitted that it skipped conducting a security audit for the payment channel contract. “We actually had Zeppelin conduct an audit which cost $17,000 for the previous unidirectional payment channels library. We considered that quite expensive, given that the most funds ever held by that contract only ever reached $17,000 in total,” the company said.
However, the team said that the audit would have been worth it anyway and that this would not happen again. “We will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit,” SpankChain asserted in its post.
Image via Shutterstock
Join our Telegram group