SpankChain Smart Contract Compromised, Hackers Take $38,000 in Ethereum (ETH)

Blockchain-based adult entertainment protocol SpankChain revealed the theft of 165.8 ether (ETH), worth $38,000 at the time. The move occurred after hackers exploited a smart contract bug on the protocol, according to an official release on Oct.9.

SPANK is “Spanked”

As stated, the hack took place on Oct.6 when the SpankChain team was investigating multiple bugs on the $22.4 million-valued protocol. Of the total haul, 34.99 ETH and 1271.88 BOOTY tokens – which are generated when SPANK tokens are staked–belonged to users, and SpankChain owned the remainder.

The team swiftly took their Spank.Live streaming service offline on locating the theft, and have since closed their camsite to prevent the transactions of stolen funds into the payment channel’s smart contract. Interestingly, the team found out about the hack on Oct.7, a day later than the actual theft.

For the uninitiated, SpankChain’s is a multi-token protocol which utilizes SPANK tokens for staking purposes and creating smart contracts. Upon staking, users receive BOOTY tokens in proportion to their staked amount for use in purchasing the site’s services and tipping models. The latter are redeemable for SPANK tokens in the so-called SpankBank, and nefarious access to BOOTY tokens means free money for hackers if they encashed swiftly.

The team announced a refund of stolen funds to its users and are preparing an ETH and BOOTY airdrop worth $9,300–the amount stolen from user funds – to cover losses and create a strong brand image. Airdropped tokens will be deposited to a user’s SpankBank account and made available when Spank.Live is rebooted, with the team guaranteeing the tokens credited once all systems are running again.

SpankChain explained that the delay in launching the camsite is due to security and development reasons. The team is aiming to patch all bugs in the network, update Spank.Live with a new smart contract to prevent a repeat, and fix bugs discovered during the BOOTY upgrade.

As part of the smart contract’s inbuilt security, 4,000 BOOTY tokens were “immobilized” when the theft took place. However, while the site will function as normal, the locked tokens mean SpankChain will reduce the BOOTY limit for each viewer to ten per user–allowing tips of no more than the amount. Users depositing extra ETH without knowledge of this point need not despair as well, as additional funds shall be immediately recharged in tranches of 10 BOOTYs.

Attack Explained

Explaining the attack, the team believe hackers infiltrated a known “reentrancy” bug–the same fallacy explained the infamous DAO hack. Attackers created a smart contract disguised as an ERC20 token, where the “transfer” function allowed “paid” funds to be sent into the payment channel contract multiple times.

The malicious contract opened up a payment channel and allowed hackers to enter and exit the contract without the presence of a counter-party. Unfortunately, the native “LCOpenTimeout” function caused only on-chain to be deleted, and let hackers conduct another payment into the same contract; thus creating a loop. By transferring tokens to the smart contract and back, hackers were able to gain ETH equivalent to their initial SPANK balance.

SpankChain admitted they decided against a security audit for the payment channel contract, citing expensive cost. The company hired blockchain audit firm Zeppelin for investigating a unidirectional channels library bug but faced a conundrum when the audit’s fee of $17,000 exceeded the funds held by the contract.

In conclusion, the team noted all security bugs have been identified and are currently being repaired. Also, they are making it mandatory for multiple “internal” audits for all smart contract codes published on the SpankChain protocol, and “at least” one external audit.

For those interested, SpankChain has made public the hacker’s payment channel contract, attacker’s address, internal attacker’s address, malicious contract address.

Mentioned in this article

SpankChain Ethereum

Ad

WorkML.ai: Real World Data Annotation Hub Empowers AI with Crypto

Ad

CryptoSlate on X x.com/cryptoslate

Join our X community for real-time crypto news and expert insights.

Join 50k followers

Ad

Latest Ethereum Stories

Top 4 accounting firm turns to Ethereum for blockchain-based business contracts

Adoption 2 days ago

OCM is designed to facilitate the secure handling of business contracts on a public blockchain, ensuring privacy by utilizing zero-knowledge proofs to maintain contract integrity and confidentiality.

Bitcoin barely holds on to $60k as bears retest March lows

Crypto 2 days ago

The flagship crypto touched a low of $59,658 before modestly recovering to around $60,800 as of press time, based on CryptoSlate data.

EigenLayer removes caps, sees record $157 million inflow as Lido dominance dips

Crypto 3 days ago

Lido's Ethereum staking dominance wanes, drops under 30% due to inflows into restaking protocols.

Ethereum falls to lowest level against Bitcoin in 3 years amid panic selling

Crypto 3 days ago

ETH-BTC records lowest level since 2021 as Ethereum struggles against Bitcoin amid market dip.

You might also enjoy...

Bancor Exchange Hacked, $12M in Ether Stolen

Exchanges 6 years ago

Latest Alpha Market Report

Available exclusively via

From 2012 to 2024: Analyzing market conditions before each Bitcoin halving

Andjela Radmilac · 3 hours ago

As the fourth Bitcoin halving approaches, an in-depth look at past events offers insights into potential market impacts.

Latest Press Releases

View All

Merlin Chain Launches MERL: A Major Leap Forward in Bitcoin Layer 2 Solutions

News Desk 14 hours ago

Telos Partners with Ponos Technology to Develop Hardware-Accelerated Ethereum L2 zkEVM Network

Chainwire 15 hours ago

Gate.io Introduces Quant Fund – A New Era of Wealth Management for Digital Assets

News Desk 17 hours ago