The breach is reported to have taken place on 6th October, with SpankChain – a blockchain-based economic and technological infrastructure for the adult industry – detecting it the following day. In a blog post on 9th October, the company informed users and sought to quell fears of larger security issues.
More than 165 ETH, worth around $38,000 (£28,800), was stolen; the thieves gained access through a bug in the network’s payment channel smart contract. In addition to the large sum of ethereum that was stolen, around $4,000 (£3,000) in SpankChain’s BOOTY tokens were also frozen.
SpankChain Security Breach
SpankChain sought to alleviate user concerns, but the timeframe has raised eyebrows. More than 24 hours passed before the intrusion was detected.
“Unfortunately, as we were in the middle of investigating other smart contract bugs, we didn’t realise the hack had taken place until 7pm PST Sunday,” the firm said. “At which point we took Spank.Live offline to prevent any additional funds from being deposited into the payment channels smart contract.”
In addition to this, SpankChain highlighted its failure to pay for a security audit for the payment channel, citing high costs.
“Taking into account both the perception value and opportunity cost of the time spent reacting to the hack, it would have been worth it,” the company conceded. Based on initial assessments, the attack was possible due to a “reentrancy” bug.
“The attacker created a malicious contract masquerading as an ERC20 token,” the blog post explained. “Where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time.”
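The reentrancy pattern the blog post describes, as an added illustration that is not taken from the article or from SpankChain's code: a constructed Python model in which a token's transfer callback re-enters a payment channel's close function, shown beside the same function with its state updated before the external call. The class names, depositor names and amounts are assumptions.

```python
# Constructed model of the reentrancy bug class described above.
# All names and amounts are hypothetical; this is not SpankChain's contract.

class Token:
    """Well-behaved token: transfer has no side effects on the channel."""
    def transfer(self, channel, user):
        pass

class ReentrantToken(Token):
    """Hostile token: transfer calls back into the channel contract."""
    def __init__(self, depth):
        self.depth = depth                  # number of nested calls to attempt
    def transfer(self, channel, user):
        if self.depth > 0:
            self.depth -= 1
            try:
                channel.close(user, self)   # re-enter before the outer call finishes
            except RuntimeError:
                pass                        # a hardened contract rejects the nested call

class Channel:
    """Toy payment-channel contract holding ETH for several depositors."""
    def __init__(self, deposits, safe):
        self.deposits = dict(deposits)      # user -> ETH owed when the channel closes
        self.eth = sum(deposits.values())   # ETH held by the contract
        self.paid = {}                      # user -> ETH actually sent out
        self.safe = safe

    def close(self, user, token):
        amount = self.deposits.get(user, 0)
        if amount == 0 or amount > self.eth:
            raise RuntimeError("nothing to pay out")
        if self.safe:
            self.deposits[user] = 0         # effects first: nested calls see zero
        self.eth -= amount
        self.paid[user] = self.paid.get(user, 0) + amount
        token.transfer(self, user)          # external call into untrusted code
        if not self.safe:
            self.deposits[user] = 0         # vulnerable: state cleared after the call

def run(safe, token):
    """Close the 'mallory' channel; return (ETH paid to mallory, ETH left in contract)."""
    channel = Channel({"mallory": 5, "alice": 20, "bob": 15}, safe)
    channel.close("mallory", token)
    return channel.paid["mallory"], channel.eth

if __name__ == "__main__":
    print("vulnerable:", run(False, ReentrantToken(3)))
    print("hardened:  ", run(True, ReentrantToken(3)))
```

In the vulnerable ordering each nested call still sees the original deposit, so the payout repeats until the callback stops; clearing the deposit before the external call limits the payout to the amount actually owed.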
While the total sum is significant, only $9,300 (£7,050) of both cryptocurrencies belonged to users – the remainder belonged to the project. Full refunds will be disbursed to affected users, the company said.
Users have been told to expect delays of up to two or three days while developers both establish the source of the attack and patch the issue. The redeployment of a new smart contract will also take place in the near future, the company confirmed.