Users and developers suffered the consequences of the theft
SpankChain, a smart-contract cryptocurrency project focused on the adult entertainment industry, suffered a theft of Ethereum worth up to $38k USD due to a flaw in its smart-contract payment system, as reported by specialists in cybersecurity and digital forensics from the International Institute of Cyber Security.
SpankChain is an Ethereum-based smart contract that uses Ether and a token called BOOTY to tip adult models during their live online shows. According to the security report published by the SpankChain developers, the attack occurred around 6 PM last Saturday; the attacker stole 165.38 units of Ethereum and left more than 1.2k BOOTY tokens frozen because of a flaw in the project's smart payment contract.
“At 6 PM on Saturday afternoon, an unknown attacker drained 165.38 Ethereum (about $38k USD) from our smart payment channel contract, which caused $4k USD in BOOTY tokens to remain immobilized”, reports the SpankChain digital forensics team’s announcement. “Of the Ethereum units and BOOTY tokens stolen/immobilized, 34.99 Ethereum (about $8k USD) and 1271.88 BOOTY tokens (about $9.3 USD in total) belong to the users; the remainder belongs to SpankChain”.
The attack was not noticed until Sunday at 7 PM, at which point the team took its camera service, Spank.live, offline. SpankChain plans to reimburse the $9.3k USD in Ethereum that was stolen from its users, and to keep the webcam service offline while it fixes the bugs and migrates to a new payment channel contract.
The attack was possible thanks to a reentrancy flaw
According to the announcement of the SpankChain digital forensics team, the attacker exploited a reentrancy vulnerability to steal the cryptocurrency held by the compromised contract.
A reentrancy attack occurs when an attacker is able to call a function in a smart contract again before the previous call to it has finished executing. When the contract makes an external call (for example, sending funds) before it updates its own balance records, the attacker can repeatedly withdraw cryptocurrency before the contract registers that the balance is already gone.
“In other words, the attack capitalized on a reentrancy error, much like the one used in the attack on The DAO”, mention the operators of SpankChain. “The attacker created a malicious contract masked as an ERC20 token, whose ‘transfer’ function was executed multiple times to extract the virtual assets from the site.”
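To make the mechanism described in the two paragraphs above concrete, here is an added illustration in Solidity. It is not SpankChain's code and is not taken from their announcement; the contract and function names, the storage layout and the token whitelist are all assumptions made for the example. The first contract shows the vulnerable ordering: it calls `transfer` on a caller-supplied token address before zeroing the user's balance, so a contract posing as an ERC20 token can run code inside `transfer` and call `withdraw` again while the balance still reads as unspent. The second contract shows the defensive fix: update state before any external call (checks-effects-interactions), guard withdrawals with a mutex, and only interact with tokens an administrator has approved.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface the channel uses (interface name is an assumption).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE pattern (illustrative, not SpankChain's contract).
// Any address can be passed as `token`, and the external call to transfer()
// happens before the channel's own bookkeeping is updated.
contract VulnerableChannel {
    // user => token => credited amount
    mapping(address => mapping(address => uint256)) public balances;

    function deposit(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        balances[msg.sender][token] += amount;
    }

    function withdraw(address token) external {
        uint256 amount = balances[msg.sender][token];
        require(amount > 0, "nothing to withdraw");
        // INTERACTION before EFFECT: if `token` is a contract under the caller's
        // control, its transfer() can call withdraw() again and read the same
        // unchanged balance, because the zeroing below has not happened yet.
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
        balances[msg.sender][token] = 0; // too late: already re-entered above
    }
}

// HARDENED version: checks-effects-interactions, a reentrancy mutex, and a
// whitelist so the channel never calls into an arbitrary caller-chosen contract.
contract HardenedChannel {
    mapping(address => mapping(address => uint256)) public balances;
    mapping(address => bool) public approvedToken;
    address public immutable owner;
    uint256 private locked = 1; // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    // The deployer approves the token contracts the channel may talk to.
    constructor(address[] memory tokens) {
        owner = msg.sender;
        for (uint256 i = 0; i < tokens.length; i++) {
            approvedToken[tokens[i]] = true;
        }
    }

    function deposit(address token, uint256 amount) external nonReentrant {
        require(approvedToken[token], "token not approved");           // CHECK
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        balances[msg.sender][token] += amount;
    }

    function withdraw(address token) external nonReentrant {
        require(approvedToken[token], "token not approved");           // CHECK
        uint256 amount = balances[msg.sender][token];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender][token] = 0;                               // EFFECT first
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed"); // INTERACTION last
    }
}
```

Either of the three measures in `HardenedChannel` alone would have blocked the re-entered second `withdraw` in this example: the mutex rejects the nested call, the effect-first ordering makes the nested call see a zero balance, and the whitelist prevents the channel from calling a token contract the attacker controls in the first place. Using all three is the usual defence in depth, since an audit or a static analyser (which flag exactly the external-call-before-state-write ordering shown in `VulnerableChannel`) may miss one of them.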
Reports indicate that SpankChain had opted not to commission a security audit in recent months, as one would have cost between $30k and $50k USD, a price the team considered too high. This is further proof that no price for securing a site is too high when compared with the cost of recovering from a cyberattack.