This crypto-awareness series is brought to you by COINFIRM and is dedicated to documenting interesting or high-profile frauds, hacks and similar incidents that have recently happened and have been reported to the AMLT Network.
On the 6th of October, an unknown hacker managed to exploit a smart contract belonging to the adult entertainment platform SpankChain. Their ICO contract was drained of 165.38 ETH (worth around $38,000 at the time of the attack), and the attack also froze another $4,000 worth of the platform's "BOOTY" tokens, according to SpankChain.
The hacker exploited a well-known smart contract "reentrancy" attack, the same class of attack that was famously used to steal 12.7 million ETH from "The DAO" and that helped lead to the split between Ethereum and Ethereum Classic.
A reentrancy attack, simply explained, is an attack vector that interrupts the contract's balance verification while simultaneously asking it to transfer back the ether previously sent there. To achieve this, the attacker creates a malicious contract that tricks the original one into sending additional funds to the attacker in a loop: because the line responsible for verifying and updating the balance is executed only after the transfer has been made, the attacking contract can re-enter the ICO contract's execution mid-transfer and trigger additional withdrawals before the balance is ever reduced.
The attack took place at 6pm PST on Saturday and went unnoticed for a whole day, after which SpankChain was taken offline to prevent any additional losses. The company has also stated that it had decided against a security audit of the contract beforehand because of the high price of one.
Funnily enough, the mentioned cost of $50,000 per audit outweighs the initial monetary losses incurred from the hack. SpankChain has, as expected, promised to fully reimburse its clients, but had to alter the site's functionality because of the 4,000 BOOTY tokens being frozen.
Fortunately, the story comes to a happy end, as SpankChain was able to contact the hacker and recover the stolen funds. The hacker was also able to retrieve the previously immobilized tokens and was later rewarded a total of $9,000, along with the return of the 5.5 ETH used to launch the attack.
Whenever an attack like this occurs, anyone can report it through the AMLT panel or widget. The submitted data is then analyzed and processed by our team. Flagging actions like these helps us fight malicious actors in the crypto space, as seen below in the Coinfirm AML Risk Report created for the SpankChain hacker's address: