“We got spanked.”
That’s the message that SpankChain, the initial coin offering (ICO) funded adult entertainment website, used to inform its users that a hacker had exploited a bug in one of its smart contracts to abscond with 165.38 ETH, worth about $38,000 at the time of the theft. Another $4,000 worth of the platform’s ICO token, BOOTY, was immobilized as a result of the breach, bringing the total economic impact of the hack to about $42,000.
The hack occurred at roughly 6 pm PST on Saturday, though the company did not discover the theft until the following evening, at which point it took the website offline to prevent further breaches.
“Unfortunately, as we were in the middle of investigating other smart contract bugs, we didn’t realize the hack had taken place until 7:00pm PST Sunday, at which point we took Spank.Live offline to prevent any additional funds from being deposited into the payment channels smart contract,” the announcement read.
According to SpankChain, the hacker exploited a “reentrancy” bug, similar to the one used in the infamous DAO hack.
“In short, the attack capitalized on a ‘reentrancy’ bug, much like the one exploited in The DAO. The attacker created a malicious contract masquerading as an ERC20 token, where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time.”
The company admitted that it had failed to pay for a security audit of its payment channel smart contract, which could have cost as much as $50,000 — well above the amount of funds affected by the hack. Nevertheless, SpankChain said that it realizes now that it should have paid for the audit, expensive though it may have been.
“As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit,” the company said.
Most of the affected funds belonged to SpankChain. However, about $9,300 worth of the stolen and immobilized funds belonged to users. Consequently, the company, which raised $7.2 million through its ICO in late 2017, said that it would airdrop $9,300 in ETH to affected users’ SpankPay accounts following the website’s reboot within the next several days.
As CCN reported, SpankChain is just the latest in a long line of Ethereum projects that have lost money when hackers exploited bugs in their smart contracts.
In July, decentralized exchange (DEX) Bancor lost $23 million in ETH and other ethereum tokens when a hacker compromised a wallet used to upgrade some of the platform’s smart contracts. That same month, KICKICO lost 70 million KICK worth $7.7 million when a hacker managed to gain control of the project’s smart contract.
Previously, a smart contract governing multi-signature ethereum wallets suffered multiple security breaches, resulting in a $32 million theft and $150 million in permanently-frozen funds. Such hacks have led Litecoin creator Charlie Lee to suggest that Solidity, the native programming language of Ethereum smart contracts, is a “hacker paradise.”
However, the problem is not isolated to Ethereum. In September, several decentralized applications (dApps) running on the EOS network were exploited as the result of smart contract bugs as well. At least two gambling dApps were affected, losing a collective $260,000 when hackers discovered a way to place bets without having to stake any real tokens, allowing them to gamble consequence-free.