SpankChain, an adult industry focused cryptocurrency, had $38,000 USD worth of Ethereum stolen due to a smart contract bug.
SpankChain is an Ethereum-based smart contract that uses Ethereum and a token named BOOTY to tip adult models during live cam shows.
According to an announcement by the SpankChain developers, the attack occurred at 6 PM PST on Saturday, when an attacker stole 165.38 Ethereum and immobilized 1,271.88 BOOTY by exploiting a bug in their payment channel smart contract.
"At 6pm PST Saturday, an unknown attacker drained 165.38 ETH (~$38,000) from our payment channel smart contract which also resulted in $4,000 worth of BOOTY on the contract becoming immobilized," stated the SpankChain announcement. "Of the stolen/immobilized ETH/BOOTY, 34.99 ETH (~$8,000) and 1271.88 BOOTY belongs to users (~$9,300 total), and the rest belonged to SpankChain."
The attack was not noticed until Sunday at 7 PM PST, at which point SpankChain took its Spank.live cam service offline. SpankChain plans to replace the $9,300 worth of Ethereum and BOOTY that belonged to its users, and to keep the cam service offline while it fixes the bugs and upgrades to a new payment channel contract.
According to the announcement, the hack used a reentrancy attack to steal the cryptocurrency from SpankChain.
A reentrancy attack occurs when a smart contract makes an external call to another contract (for example, a token's transfer function) before it has updated its own state, and the called contract uses that opportunity to call back into the original function. Because the balance has not yet been reduced, each nested call passes the same checks, allowing the attacker to withdraw repeatedly before the contract records that the funds are gone.
"In short, the attack capitalized on a “reentrancy” bug, much like the one exploited in The DAO," stated the notice about the hack. "The attacker created a malicious contract masquerading as an ERC20 token, where the “transfer” function called back into the payment channel contract multiple times, draining some ETH each time."
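To make the pattern in the announcement concrete, here is an added illustration in Solidity. It is not SpankChain's contract (that code is not on this page) but a simplified payment channel that lets a user register a token address and later close the channel, written first with the external calls before the state update and then hardened. The contract and function names, the `IERC20` interface and the choice of a single deployer-configured token in the hardened version are assumptions made for this example, not details from the incident.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface used by this example (assumed interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE (illustrative): the caller supplies the token contract, and
// closeChannel() pays out before clearing balances. A "token" whose
// transfer() re-enters closeChannel() sees the stale balances and is paid again.
contract VulnerableChannel {
    mapping(address => IERC20) public channelToken;
    mapping(address => uint256) public ethBalance;
    mapping(address => uint256) public tokenBalance;

    // In a real channel the token amount would be pulled via transferFrom;
    // it is recorded directly here to keep the example short.
    function open(IERC20 token, uint256 tokenAmount) external payable {
        channelToken[msg.sender] = token;
        ethBalance[msg.sender] += msg.value;
        tokenBalance[msg.sender] += tokenAmount;
    }

    function closeChannel() external {
        uint256 eth = ethBalance[msg.sender];
        uint256 tok = tokenBalance[msg.sender];
        // Interactions first: untrusted code runs here while storage is stale.
        require(channelToken[msg.sender].transfer(msg.sender, tok), "token transfer failed");
        (bool ok, ) = msg.sender.call{value: eth}("");
        require(ok, "eth transfer failed");
        // Effects last: a re-entrant call has already passed the checks above.
        ethBalance[msg.sender] = 0;
        tokenBalance[msg.sender] = 0;
    }
}

// HARDENED (illustrative): checks-effects-interactions ordering plus a mutex.
// The token is fixed by the deployer so callers cannot substitute a contract
// of their own (an extra mitigation chosen for this example).
contract HardenedChannel {
    IERC20 public immutable token;
    mapping(address => uint256) public ethBalance;
    mapping(address => uint256) public tokenBalance;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(IERC20 _token) {
        token = _token;
    }

    function open(uint256 tokenAmount) external payable {
        ethBalance[msg.sender] += msg.value;
        tokenBalance[msg.sender] += tokenAmount;
    }

    function closeChannel() external nonReentrant {
        // Checks
        uint256 eth = ethBalance[msg.sender];
        uint256 tok = tokenBalance[msg.sender];
        require(eth > 0 || tok > 0, "nothing to withdraw");
        // Effects: zero the balances before any external call.
        ethBalance[msg.sender] = 0;
        tokenBalance[msg.sender] = 0;
        // Interactions: if either call re-enters, the guard reverts it, and
        // even without the guard the balances are already zero.
        if (tok > 0) {
            require(token.transfer(msg.sender, tok), "token transfer failed");
        }
        if (eth > 0) {
            (bool ok, ) = msg.sender.call{value: eth}("");
            require(ok, "eth transfer failed");
        }
    }
}
```

Either fix alone stops the repeated drain described above: the mutex rejects the nested call outright, and the effects-before-interactions order means a nested call that did get through would find nothing left to pay out. Using both is the usual defence in depth, and an external audit or a static analyser that flags state writes after external calls would catch the vulnerable ordering before deployment.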
Unfortunately for SpankChain, they had chosen not to commission a security audit, as they were quoted $30K-50K and felt the price was not worth it. In hindsight, they now feel "it would have been worth it."