The hack, which purportedly took place Oct. 6, was detected by SpankChain a day after, and was announced today in a post entitled “We Got Spanked: What We Know So Far.”
Anonymous attackers managed to steal 165.38 Ethereum (ETH) or around $38,000 from the platform’s payment channel smart contract. Additionally, the security breach caused the immobilization of $4,000 worth of the SpankChain’s internal token called BOOTY.
While most of lost or immobilized funds belong to SpankChain itself, the platform claimed that client reimbursements are of “immediate priority.” The company will shortly repay $9,300 worth of Ethereum and Booty coins directly to users’ SpankPay accounts via Ethereum airdrop.
The SpankChain team has subsequently halted its camservice Spank.Live in order to prevent users from depositing via the payment channel smart contract. The website reboot is expected to take around two to three days in order to reset the payment channel smart contract, carry out airdrop reimbursements, reset native token distribution, and eliminate the security weakness.
The attack was related to a “reentrancy” bug similar to that which exploited The Decentralized Autonomous Organization (The DAO). The hacker reportedly created a malicious contract mimicking an ERC20 token, with a “transfer” function calling back into the payment channel smart contract multiple times in a loop, extracting Ethereum each time.
A smart contract is a protocol that enables the specific behavior of a contract by applying the terms of the agreement into the code, eliminating the need for a third party intermediary.
While smart contracts are reportedly “extremely difficult to hack,” they are still a young technology, and can be prone to bugs, which may in turn be exploited by scammers.
The adult entertainment industry is increasingly taking advantage of cryptocurrencies and blockchain technology, mostly driven by the technology’s inherent anonymity, as well as a number of other benefits.