On October 7th, unknown attackers drained about 165 ether from the SpankChain porn platform. The development team, which was busy with other things, discovered the theft only after one hour. The platform remains offline until the incident is cleared up.
“We got our ass kicked” – the team from SpankChain, a crypto ecosystem for consumers and producers of pornography, does not mince its words about the recent incident. As the company announced in a Medium post on 9 October, SpankChain fell victim to a hacker attack on 7 October at 6 p.m. PST. Since the SpankChain developers were busy with bug fixes at the time, they did not notice the attack at first:
“Unfortunately, we were in the middle of an investigation into other Smart-Contract bugs, so we didn’t notice the hack until about 19:00 PST. We then immediately took Spank.Live offline to prevent further payments into the Payment Channel’s Smart Contract.”
According to SpankChain’s initial investigation, the attacker exploited a “reentrancy bug”. The vulnerability in the protocol allowed the hacker to set up a malicious smart contract disguised as a token, which he used to remove ether from various wallets. A reentrancy bug also played a central role in the legendary DAO hack in 2016.
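The reentrancy pattern named above, as an added Python model (not SpankChain's contract code, which this article does not show): a channel contract that calls an untrusted token before clearing its own record pays out repeatedly, while clearing the record first stops the callback. All class names, account names and balances are hypothetical.

```python
# Added model of a reentrancy flaw; every name here is hypothetical.

class Ledger:
    """Ether balances keyed by account name."""
    def __init__(self, **balances):
        self.bal = dict(balances)

    def move(self, src, dst, amount):
        if self.bal.get(src, 0) < amount:
            raise RuntimeError("insufficient funds")  # an EVM call would revert
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount


class ReentrantToken:
    """Constructed stand-in for an untrusted 'token' whose transfer() calls back."""
    def __init__(self, times):
        self.times = times

    def transfer(self, channel, user):
        if self.times > 0:
            self.times -= 1
            channel.close(user)  # re-enters before the first close() has finished


class Channel:
    def __init__(self, ledger, effects_first):
        self.ledger, self.effects_first = ledger, effects_first
        self.deposits = {}  # user -> (ether amount, token contract)

    def open(self, user, ether, token):
        self.ledger.move(user, "channel", ether)
        self.deposits[user] = (ether, token)

    def close(self, user):
        ether, token = self.deposits.get(user, (0, None))
        if ether == 0:
            return  # nothing recorded for this user
        if self.effects_first:
            self.deposits.pop(user, None)  # hardened: clear state, then interact
        self.ledger.move("channel", user, ether)
        token.transfer(self, user)  # external call into untrusted code
        if not self.effects_first:
            self.deposits.pop(user, None)  # vulnerable: state cleared too late


def simulate(effects_first):
    ledger = Ledger(channel=10, caller=1)  # constructed balances
    channel = Channel(ledger, effects_first)
    channel.open("caller", 1, ReentrantToken(times=3))
    channel.close("caller")
    return ledger.bal["caller"], ledger.bal["channel"]
```

With the late state update, `simulate(False)` leaves the caller holding 4 units from a 1-unit deposit; with the record cleared first, `simulate(True)` returns the deposit once and the callback finds nothing to withdraw.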
Main victim: SpankChain
The main victim was SpankChain itself. With around 130 ETH, the majority of the stolen 165.38 ether belonged to the company. Users accordingly lost almost 35 ETH, which corresponds to about 8,000 US dollars at the current exchange rate. In addition to the ether, the attacker rendered the platform’s own BOOTY tokens, worth the equivalent of 4,000 US dollars, unusable. Users owned 1,300 US dollars’ worth of these, so their total loss amounts to around 9,300 US dollars. SpankChain lost a total of approximately $33,000 as a result of the attack.
The company has promised to compensate users. This is to be done through an ether airdrop covering 100 percent of the losses in BOOTY and ether. The company’s webcam site will remain offline until the vulnerability has been closed and the bugs originally under investigation have been fixed. SpankChain expects this to take two to three days but does not rule out an extension of this period.