SpankChain is a blockchain-based cryptocurrency project focused on the adult entertainment industry, with the intention of delivering a decentralised adult social network with integrated payments and self-sovereign identities. BOOTY is the ERC-20 token that is used to tip performers during live webcam shows.
The SpankChain team revealed details about the hack in a blog post on Tuesday, saying that 165.38 Ethereum (ETH), amounting to about 38,000 USD at the time, had been lost on Saturday at around 18:00 PST. The breach also caused another 4000 USD in SpankChain’s BOOTY token to be frozen.
SpankChain stated that it had taken them until 7:00 PST on Sunday to realise that the hack had taken place, as they were in the middle of investigating other smart contract bugs. They then took immediate steps to prevent any additional funds from being deposited into the payment channels smart contract.
It now seems that the hack was due to a “reentrancy” bug. The hacker allegedly created a malicious contract posing as an ERC20 token, whose “Transfer” function called back into the payment channel contract multiple times, draining some ETH each time. SpankChain, however, has promised to undertake an in-depth investigation to get to the bottom of the hack. Meanwhile, the use of BOOTY tokens has been limited for the time being.
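The reentrancy pattern described above, modelled in Python as an added example (not SpankChain's contract code and not part of the original article): a payment-channel contract pays out ETH and calls an untrusted token's transfer before zeroing the deposit, shown next to a hardened variant that updates state first. All class names, channel ids and amounts are constructed for illustration.

```python
# Toy model of the reentrancy pattern described above (added example).
# Class and method names are hypothetical, not SpankChain's contract code.

class PaymentChannels:
    """Holds pooled ETH; each channel records a deposit and a token contract."""

    def __init__(self, hardened):
        self.hardened = hardened   # True: update state before external calls
        self.eth_pool = 0          # all ETH held by the contract
        self.deposits = {}         # channel id -> [eth_owed, token]
        self.paid = {}             # address -> total ETH paid out

    def open_channel(self, cid, eth, token):
        self.eth_pool += eth
        self.deposits[cid] = [eth, token]

    def close_channel(self, cid, owner):
        eth, token = self.deposits[cid]
        if eth == 0:
            return                                  # nothing left to pay
        if self.hardened:
            self.deposits[cid][0] = 0               # effect before interaction
        amount = min(eth, self.eth_pool)
        self.eth_pool -= amount
        self.paid[owner] = self.paid.get(owner, 0) + amount
        token.transfer(self, cid, owner)            # call into untrusted code
        self.deposits[cid][0] = 0                   # unhardened: only update, too late

class HonestToken:
    def transfer(self, channels, cid, owner):
        pass                                        # ordinary token: no callback

class CallbackToken:
    """Stands in for a token whose transfer() calls back into its caller."""

    def __init__(self, reentries):
        self.reentries = reentries

    def transfer(self, channels, cid, owner):
        if self.reentries > 0:
            self.reentries -= 1
            channels.close_channel(cid, owner)      # re-enter before state update

def run(hardened, reentries=3):
    pc = PaymentChannels(hardened)
    pc.open_channel("users", 90, HonestToken())     # constructed sample values
    pc.open_channel("x", 10, CallbackToken(reentries))
    pc.close_channel("x", "x_owner")
    return pc.paid["x_owner"], pc.eth_pool          # (paid to channel x, ETH left)
```

With the state update moved ahead of the external call, the nested call sees a zero deposit and pays nothing, so the other channels' ETH stays in the pool.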
According to the details they released, out of the crypto stolen, 9,300 USD worth of ETH and BOOTY belonged to the users, and the rest to the project. SpankChain has, however, given assurance that the users will be sent a full refund to their SpankPay accounts as soon as Spank.Live is rebooted. The firm has pledged to make efforts to improve its security practices and has spoken about getting numerous internal audits for the smart contract code it publishes, and at least one professional external audit.