The attack, which allegedly took place Oct. 6, was discovered by SpankChain a day after, and was officially informed today in a post titled “We Got Spanked: What We Know So Far.”
Anonymous attackers were able to swindle 165.38 Ethereum (ETH) worth roughly $38,000 from the smart contract used by the payment channel of the platform. Additionally, the exploitation of vulnerability has resulted in the immobilization of $4,000 worth of BOOTY token, the native currency of SpankChain.
Though most of missing or immobilized reserves belong to SpankChain itself, the platform claimed that client reimbursements are of “immediate priority.” The company will soon send repay $9,300 worth of Ethereum and Booty coins directly to clients’ SpankPay accounts via Ethereum airdrop.
The SpankChain team has consequently stopped its camservice Spank.Live in order to stop users from depositing via the payment channel smart contract.
The website reboot is anticipated to happen in another two to three days in order to reset the payment channel smart contract, carry out airdrop reimbursements, reset native token distribution, and get rid of the security weakness.
The hack was connected to a “reentrancy” bug comparative to that which abused The Decentralized Autonomous Organization (The DAO). The hacker allegedly developed a malicious smart contract mirroring an ERC20 token, with a “transfer” function calling back into the payment channel smart contract numerous times in a loop, withdrawing Ethereum each time.
A smart contract is a software protocol that empowers the exact behavior of a contract by applying the provisions of the contract into the code, discarding the necessity for a third party intermediary.
While smart contracts are generally “extremely difficult to hack,” they are still a nascent technology, and can be prone to coding errors, which may in turn be abused by hackers.