Hackers hit SpankChain stealing $38,000 by exploiting a bug in the payment channel

• Approximately 165.38 Ethereum, valued around $38,000 dollars, was stolen by hackers on Saturday.
• The attack occurred due to a “reentrancy” bug, similar to the flaw that resulted in a major hack of the DAO crypto project in 2016.

SpankChain, a cryptocurrency focused on the adult industry, lost $38,000 after a hacker stole a ton of Ethereum by exploiting a smart contract bug. SpankChain functions based on an Ethereum-based smart contract that utilizes Ethereum and a smart token named BOOTY.

The BOOTY token was used by SpankChain users to tip adult models during live cam shows. Out of the $38,000 worth of stolen funds, nearly $9,300 worth, Etheremu and BOOTY tokens belonged to multiple SpankChain users, while the remainder belonged to SpankChain.

The SpankChain team disclosed the breach in a statement which revealed that approximately 165.38 Ethereum, valued around $38,000 dollars, was stolen by the hacker at around 18:00 PST on Saturday.

Hacker used a “reentrancy” bug

The incidents occurred due to a bug in the SpankChain network’s payment channel smart contract, which also resulted in freezing $4,000 worth of SpankChain’s BOOTY tokens. The developer also said that the attack was due to a “reentrancy” bug, similar to the bug that resulted in a major hack of the DAO crypto project in 2016.

"The attacker created a malicious contract masquerading as an ERC20 token, where the 'transfer' function called back into the payment channel contract multiple times, draining some ETH each time," the SpankChain team said, adding that it will undertake an "in-depth investigation of the attack" in the future.

SpankChain said that it took approximately 24 hours to discover the attack. The company has vowed to refund the $9,300 dollars worth of stolen funds to its users. It also intends to keep the Spank.live services offline until bugs have been fixed and the system upgraded with a new payment channel contract. The firm has also imposed temporary limits on the use of the BOOTY tokens.

“As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit,” SpankChain said.