October 10, 2018

SpankChain Forgoes Security Audit on Smart Contract, Guess What…

“Taking into account both the perception value and opportunity cost of the time spent reacting to the hack, it would have been worth it.”

By CBR Staff Writer

Hackers have exploited a bug in the smart contracts of an adult-industry-focused cryptocurrency.

The Ethereum-based smart contract uses a smart token ‘creatively’ named BOOTY and belongs to adult industry enterprise SpankChain, which was on the receiving end of a £28,000 hack by threat actors.

The company announced on Medium that: “At 6pm PST Saturday, an unknown attacker drained 165.38 ETH (~$38,000) from our payment channel smart contract which also resulted in $4,000 worth of BOOTY on the contract becoming immobilized.”

The threat actor’s poor conduct went unnoticed for a whole day, until SpankChain realised what had happened on Sunday at 7pm. Getting to grips with the seriousness of the situation, the company suspended all of its online services while it tried to contain the issue.

SpankChain has suspended its website while it redeploys the payment channel smart contract with a patch to stop further attacks. It will also refund all users who have been affected by the hack.


The company stated in the post that the “attack capitalized on a ‘reentrancy’ bug, much like the one exploited in The DAO. The attacker created a malicious contract masquerading as an ERC20 token, where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time.”

“The malicious contract first called createChannel to set up the channel, then called LCOpenTimeout repeatedly via reentrancy. The LCOpenTimeout is there to allow users to quickly exit payment channels which have not yet been joined by the counter-party,” they reported.
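The ordering problem behind a reentrancy bug of this kind can be shown with a small Python model, added here as an illustration; it is not SpankChain's contract code. Only the names `createChannel` and `LCOpenTimeout` come from the post; the classes, the amounts and the `hardened` switch are assumptions made for the example.

```python
# Constructed model of the call ordering; not SpankChain's contract code.
class ReentrantToken:
    """Untrusted token stand-in: transfer() calls back into the ledger."""
    def __init__(self, reentries):
        self.reentries = reentries

    def transfer(self, ledger, channel_id):
        if self.reentries > 0:
            self.reentries -= 1
            ledger.lc_open_timeout(channel_id)  # callback during the refund
        return True


class Ledger:
    def __init__(self, pool_eth, hardened):
        self.balance = pool_eth   # ETH held on behalf of all users
        self.paid_out = 0
        self.channels = {}
        self.hardened = hardened  # hypothetical switch between the two orderings

    def create_channel(self, channel_id, token, deposit):
        self.balance += deposit
        self.channels[channel_id] = {"token": token, "eth": deposit}

    def lc_open_timeout(self, channel_id):
        ch = self.channels.get(channel_id)
        if ch is None:            # check: channel already closed
            return                # (a real contract would revert here)
        if self.hardened:
            del self.channels[channel_id]        # effect BEFORE any external call
        self.balance -= ch["eth"]                # refund the ETH deposit
        self.paid_out += ch["eth"]
        ch["token"].transfer(self, channel_id)   # external call into untrusted code
        if not self.hardened:
            self.channels.pop(channel_id, None)  # effect AFTER the call: too late


def refund_totals(hardened, reentries=3, pool_eth=100, deposit=10):
    """Return (ETH paid out, ETH left in the ledger) for one timeout call."""
    ledger = Ledger(pool_eth, hardened)
    ledger.create_channel("lc1", ReentrantToken(reentries), deposit)
    ledger.lc_open_timeout("lc1")
    return ledger.paid_out, ledger.balance


if __name__ == "__main__":
    print("vulnerable ordering:", refund_totals(hardened=False))
    print("hardened ordering:  ", refund_totals(hardened=True))
```

The hardened branch follows the checks-effects-interactions ordering: the channel record is cleared before control passes to the token, so a nested call finds nothing left to refund. A reentrancy lock on the function is a common second layer.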


SpankChain admitted that the problem is mostly their fault. For a previous unidirectional payment channels library they operated, they had Zeppelin conduct an audit which cost $17,000, and they felt this was a bit too expensive.

So when it came to doing the same security diligence on a “far more sophisticated non-custodial payment channel contract”, the company decided that the quoted $30,000 – $50,000 for the security audit was too costly.

Fortunately, after receiving a hard spanking, the company has learnt its lesson, noting that: “Taking into account both the perception value and opportunity cost of the time spent reacting to the hack, it would have been worth it.”
