SpankChain, an adult entertainment network based on Ethereum’s blockchain, recently faced a security breach resulting in approximately $38,000 USD in funds stolen.
The company announced the news in an update entitled “We Got Spanked: What We Know So Far”. The post explains that an anonymous hacker managed to get into their payment channel smart contract and drain 165.38 Ethereum (which is around $38,000 USD). The security breach also resulted in the freezing of $4000 USD worth of the platform’s token (BOOTY).
SpankChain explained that its prime concern is the reimbursement of any funds that users might have lost:
“Our immediate priority has been to provide complete reimbursements to all users who lost funds. We are preparing an ETH airdrop to cover all $9,300 worth of ETH and BOOTY that belonged to users. Funds will be sent directly to users’ SpankPay accounts and will be available as soon as we reboot Spank.Live.”
The company’s adult camsite Spank.Live has been suspended to ensure that users do not sink funds into the breached system. SpankChain said that it will be redeployed with heightened security to avoid future hacks. According to the company, “all viewers and performers will have 100% of the total value in BOOTY+ETH they had in their SpankPay airdropped to their current SpankPay addresses” so they do not need to do anything moving forward.
SpankChain detailed that the attack exploited a “reentrancy” bug similar to that of the DAO. In the attack, the hacker created a malicious mining contract which imitated an ERC20 token. The contract’s “transfer” function called back into the payment channel contract multiple times, stealing Ethereum each time.
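The call ordering behind this class of bug can be modeled in a few lines. The following Python sketch is an added illustration, not SpankChain's contract code: the `Channel` and `CallbackToken` classes, the channel id and the amounts are all hypothetical, and it compares a payout that clears its state after the external token call with one that clears it before.

```python
# Simplified model (hypothetical names, not SpankChain's contract code) of a
# payment channel that pays out ETH and then calls an ERC20-style transfer().

class Channel:
    def __init__(self, eth_pool, hardened):
        self.eth_pool = eth_pool   # ETH the contract holds for all users
        self.hardened = hardened
        self.deposits = {}         # channel id -> (owner, eth, token)
        self.paid = {}             # owner -> total ETH paid out

    def open(self, cid, owner, eth, token):
        self.eth_pool += eth
        self.deposits[cid] = (owner, eth, token)

    def close(self, cid):
        if cid not in self.deposits:
            raise RuntimeError("channel already closed")
        owner, eth, token = self.deposits[cid]
        if self.hardened:
            # Checks-effects-interactions: clear state before any external call.
            del self.deposits[cid]
        self.eth_pool -= eth
        self.paid[owner] = self.paid.get(owner, 0) + eth
        token.transfer(owner, 0)   # external call into untrusted token code
        if not self.hardened:
            # Vulnerable ordering: state is cleared only after the callback.
            self.deposits.pop(cid, None)

class CallbackToken:
    """Constructed stand-in for a token whose transfer() re-enters close()."""
    def __init__(self, channel, cid, depth):
        self.channel, self.cid, self.depth = channel, cid, depth
        self.blocked = 0           # re-entrant calls the channel rejected

    def transfer(self, to, amount):
        if self.depth > 0:
            self.depth -= 1
            try:
                self.channel.close(self.cid)
            except RuntimeError:
                self.blocked += 1
        return True

def run(hardened, depth=3):
    ch = Channel(eth_pool=10, hardened=hardened)  # 10 ETH belongs to others
    token = CallbackToken(ch, "c1", depth)
    ch.open("c1", "depositor", 1, token)
    ch.close("c1")
    return ch.paid["depositor"], ch.eth_pool, token.blocked
```

With the late state update, a 1 ETH deposit is paid out four times from the shared pool; with the state cleared first, the first re-entrant call is rejected and the pool keeps the other users' 10 ETH.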
SpankChain concluded that they are stepping forward and putting structures in place to avoid another attack:
“As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit.”