Hacker penetrates Spankchain smart contract, escapes with booty
A hacker exploited a re-entrancy bug in the Spankchain payment channel contract.
At 6pm PST Saturday, Spankchain was hit with a hack attack. The theft was discovered the next day, at which point Spankchain immediately took its video channel offline.
It soon became apparent that the unknown attacker drained 165.38 ETH (worth about US$38,000) from the Spankchain payment channel smart contract, which also resulted in $4,000 worth of BOOTY tokens becoming immobilised.
And as you may have guessed, or already know, Spankchain is an adults-only blockchain.
Anatomy of a vulnerable contract
The attacker penetrated Spankchain through a so-called "re-entrancy" bug, Spankchain explains. This involves the use of a malicious contract that masquerades as an ERC20 token.
Essentially, the exploit involved creating a payment channel with this malicious contract, which would then repeatedly re-enter a specific function, "LCOpenTimeout". This function was intended to let someone quickly pull out of a payment channel that had not yet been joined by a counterparty, and get a refund of their ETH deposit balance in the process.
However, an oversight in Spankchain's programming meant that the payment channel was only actually closed after the refund token transfer.
So by repeatedly re-entering the function before the channel was marked closed, the hacker could make the contract issue multiple refunds from a single deposit. Hence the name "re-entrancy bug". Spankchain describes it as an exploit similar to what happened with the DAO attack.
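To make the ordering problem concrete, here is an added model of the flaw and its fix, written for this article rather than taken from Spankchain's contract. The names PaymentChannel, lc_open_timeout and MaliciousToken are assumptions chosen to mirror the description above, and the deposit and round counts are constructed sample values. The vulnerable version performs the refund (which calls out to the caller-supplied token contract) before marking the channel closed; the hardened version applies the checks-effects-interactions order and a re-entrancy lock, so the same malicious token gets exactly one refund.

```python
"""Toy model of the re-entrancy flaw described in the article and its fix.

Added illustration, not SpankChain's code. Class and function names are
assumptions; the real contract is not reproduced here.
"""
from dataclasses import dataclass


@dataclass
class Channel:
    opener: str
    token: object          # the ERC20-like contract the channel was opened with
    eth_deposit: int       # amount refunded to the opener on timeout
    joined: bool = False   # has a counterparty joined yet?
    closed: bool = False


class PaymentChannel:
    """Minimal payment-channel contract. eth_balance stands in for the
    contract's ETH holdings; hardened selects the fixed ordering."""

    def __init__(self, eth_balance: int, hardened: bool):
        self.eth_balance = eth_balance
        self.hardened = hardened
        self.channels: dict[int, Channel] = {}
        self.refunded: dict[str, int] = {}
        self._locked = False

    def create_channel(self, cid: int, opener: str, token, deposit: int) -> None:
        self.channels[cid] = Channel(opener, token, deposit)

    def lc_open_timeout(self, cid: int) -> None:
        ch = self.channels.get(cid)
        if ch is None or ch.joined or ch.closed:
            raise ValueError("channel not open, or already joined/closed")
        if self.hardened:
            # Checks-effects-interactions: update state (close the channel)
            # BEFORE any external call, and reject re-entry while a call
            # is in flight.
            if self._locked:
                raise RuntimeError("re-entrant call rejected")
            self._locked = True
            try:
                ch.closed = True
                self._refund(ch)
            finally:
                self._locked = False
        else:
            # Vulnerable ordering (the oversight the article describes):
            # the external token transfer happens first, and the channel is
            # only closed after it returns.
            self._refund(ch)
            ch.closed = True

    def _refund(self, ch: Channel) -> None:
        # Refund the ETH deposit, then call into the token contract for the
        # token side of the refund. That token call is the external call
        # the channel opener controls.
        self.eth_balance -= ch.eth_deposit
        self.refunded[ch.opener] = self.refunded.get(ch.opener, 0) + ch.eth_deposit
        ch.token.transfer(ch.opener, 0)


class MaliciousToken:
    """Masquerades as an ERC20 token; its transfer() calls back into the
    channel contract while the first LCOpenTimeout is still executing."""

    def __init__(self, contract: PaymentChannel, cid: int, rounds: int):
        self.contract, self.cid, self.remaining = contract, cid, rounds

    def transfer(self, to: str, amount: int) -> bool:
        if self.remaining > 0:
            self.remaining -= 1
            try:
                self.contract.lc_open_timeout(self.cid)  # re-enter before close
            except (ValueError, RuntimeError):
                pass  # the hardened contract rejects the re-entry
        return True


def run(hardened: bool, deposit: int = 10, rounds: int = 4) -> tuple[int, int]:
    """Returns (ETH refunded to the channel opener, ETH left in the contract)
    for one LCOpenTimeout call on a channel opened with the malicious token.
    Constructed sample values: 100 ETH in the contract, 10 ETH deposit."""
    contract = PaymentChannel(eth_balance=100, hardened=hardened)
    token = MaliciousToken(contract, cid=1, rounds=rounds)
    contract.create_channel(1, "opener", token, deposit)
    contract.lc_open_timeout(1)
    return contract.refunded["opener"], contract.eth_balance


if __name__ == "__main__":
    print("vulnerable:", run(hardened=False))  # one deposit, five refunds
    print("hardened:  ", run(hardened=True))   # one deposit, one refund
```

With the vulnerable ordering, each nested call sees a channel that is still open and pays out again, so a 10 ETH deposit comes back as 50 ETH; closing the channel before the external call (and refusing nested calls with the lock) limits it to the single refund the function was designed to give.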
All affected customers will be made whole shortly. Those who lost funds will be given a full BOOTY and ETH reimbursement. There's no need to do anything, so customers can just sit back and relax while the Spankchain team does its thing.
But in the meantime, Spankchain plans to keep its streaming site down for the next two or three days while it updates and redeploys the payment channel, and works on a few other bugs it's discovered.
Getting their money's worth
Spankchain opted not to undergo a security audit for the affected contract.
Ironically, they note, a security audit could well have been more expensive than this hack. The hacker stole/destroyed about $42,000 worth of crypto, but Spankchain was being quoted $30,000 to $50,000 for an audit of its payment channel. So in that respect, the hacker delivered decent value for money.
Although "taking into account both the perception value and opportunity cost of the time spent reacting to the hack, [the audit] would have been worth it," Spankchain concedes.
"This is due to our agile development process, the site being in beta, and how quickly we've been iterating and redeploying the contracts (of which we’re pushing every 2-3 weeks). This identified an issue in our development and deployment process, and we’ll make the appropriate changes to help ensure it doesn't happen again – while still innovating at the pace you all are familiar with," Spankchain explains.
"As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit."
It just goes to show that any security hole is a potential target for attackers, and that small oversights can leave a project wide open. And even in the case of relatively small attacks like this, the costs tend to run higher than the cost of just getting that audit in the first place.
Ethereum smart contract bugs are extremely common, to the extent that they're forming a body of research in their own right. In this case, the flawed Spankchain contract can be classified as a "prodigal" contract: one that can be induced to send funds to parties it was never meant to pay.
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA