Ethereum-Based Adult Entertainment Platform SpankChain Suffers $38,000 Hack

News | October 10, 2018 By:

SpankChain, an ethereum-based adult entertainment platform, has suffered a security breach that resulted in a loss of around $38,000 in ethereum.

SpankChain describes itself as a “blockchain-based economic and technological infrastructure for the adult industry.” Its existing products include Vynos, a peer-to-peer micropayment-processing wallet, and a streaming infrastructure for live broadcasting of high-quality videos.

In a blog post, SpankChain disclosed that an unknown hacker drained 165.38 ETH ($38,000) from their payment channel smart contract. The hack, which took place October 6, also resulted in $4,000 worth of SpankChain’s BOOTY token on the contract becoming immobilized. $9,300 worth of stolen ETH and immobilized BOOTY belonged to users, and the rest belonged to SpankChain.

“Unfortunately, as we were in the middle of investigating other smart contract bugs, we didn’t realize the hack had taken place until 7:00pm PST Sunday, at which point we took Spank.Live offline to prevent any additional funds from being deposited into the payment channels smart contract,” the SpankChain team said.

The SpankChain team said the hacker exploited a “reentrancy” bug, similar to the one used in the Decentralized Autonomous Organization (DAO) hack in 2016. The hacker reportedly created a malicious contract masquerading as an ERC20 token, where the “transfer” function called back into the payment channel contract multiple times, draining some ETH each time.

SpankChain said their immediate priority will be to provide complete reimbursements to all users who lost funds. The team said they are preparing an ETH airdrop to cover all $9,300 worth of ETH and BOOTY that belonged to users.

“As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit,” SpankChain said.