Cryptocurrency project SpankChain focused on the industry of adult entertainment, has suffered from unauthorised access, resulting in lost about $40,000 in ETH.
On 9 October in his blog, the team SpankChain said the burglary, stating that on Saturday, October 6, was lost ETH 165,38 ($38 000 at the time). The MiTM was possible because of an error in a smart contract payment channel network. It also forced the team to freeze $4000 tokens BOOTY network SpankChain.
Apparently, the team took more than a day to understand what happened hacking:
Unfortunately, because we studied other errors smart contract we could not understand what the hack happened to seven p.m. Pacific time on Saturday. After that, we transferred Spank.Live offline to avoid any additional funds in the smart contracts payment channels.
Of the stolen cryptocurrency ether and BOOTY for $9300 belonged to the users, and the rest of the project. Customers promise to return all funds. They will be available after you restart Spank.Live.
While the team came to the conclusion that the attack was caused by so-called error re-entry similar to that allowed serious hacking DAO in 2016. Promising a “thorough investigation” in the coming days, representatives of the project said:
The attacker set up a malicious contract that masquerades as a token ERC20, where the function “forwarding” have repeatedly returned to the contract payment channel and merged funds.
In SpankChain also acknowledged that I saved on the audit security for smart-contract payment channel and now I regret it.