Threat Watch

Payment Channel of SpankChain Exploited Leading to $38,000 Cash Out

SpankChain, a cryptocurrency, was robbed of 165.38 Ethereum-based smart tokens named BOOTY, worth a total of $38,000. The BOOTY coin was created specifically to compensate adult performers during their live camera shows. While the majority of the tokens belonged to SpankChain itself, $9,300 was taken from individual users of the service. It took SpankChain 24 hours to notice the attack, which was caused by a reentrancy bug that the hackers found in the payment channel smart contract. “The attacker created a malicious contract masquerading as an ERC20 token, where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time,” the SpankChain team said. This bug is very similar to the one that caused the large-scale attack on the DAO crypto project in 2016. Temporary limits were placed on the BOOTY coin until an investigation takes place in the near future.
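
The reentrancy pattern described in the SpankChain statement, as an added Python model (not SpankChain's contract and not code from the original article). `Channel`, `CallbackToken`, `run` and all amounts are constructed for illustration; the model contrasts clearing the user's balance after the external token call with clearing it before the call.

```python
# Added model: a Python stand-in for a payment channel, not SpankChain's contract.
class CallbackToken:
    """Models an untrusted 'ERC20' whose transfer re-enters its caller."""
    def __init__(self, reentries):
        self.reentries = reentries  # nested callbacks to attempt (constructed)

    def transfer(self, channel, user):
        if self.reentries > 0:
            self.reentries -= 1
            channel.close(user)  # callback while close() is still running


class Channel:
    def __init__(self, pool, deposit, token, hardened):
        self.pool = pool          # ETH held by the contract for all users
        self.deposit = deposit    # ETH this one user is owed
        self.token = token        # token contract supplied by the user
        self.hardened = hardened
        self.paid = 0             # ETH sent to this user so far

    def close(self, user):
        amount = self.deposit
        if amount == 0 or amount > self.pool:
            return
        if self.hardened:
            self.deposit = 0      # effects before interactions
        self.pool -= amount       # ETH payout
        self.paid += amount
        self.token.transfer(self, user)  # external call into untrusted code
        if not self.hardened:
            self.deposit = 0      # state cleared only after the call: too late


def run(hardened, reentries=3):
    """Close one channel and return (ETH paid to user, ETH left in pool)."""
    token = CallbackToken(reentries)
    ch = Channel(pool=100, deposit=10, token=token, hardened=hardened)
    ch.close("user")
    return ch.paid, ch.pool


if __name__ == "__main__":
    print("balance cleared after call: ", run(hardened=False))
    print("balance cleared before call:", run(hardened=True))
```

With the balance cleared before the external call, the nested `close()` sees a zero deposit and returns, so the user receives only the 10 ETH owed no matter how often the token calls back.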