Hacker penetrates Spankchain smart contract, escapes with booty

Posted: 10 October 2018 7:01 pm

A hacker exploited a re-entrancy bug in the Spankchain payment channel contract.

At 6pm PST Saturday, Spankchain was hit with a hack attack. The theft was discovered the next day, at which point Spankchain immediately took its video channel offline.

It soon became apparent that the unknown attacker drained 165.38 ETH (worth about US$38,000) from the Spankchain payment channel smart contract, which also resulted in $4,000 worth of BOOTY tokens becoming immobilised.

And as you may have guessed, or already know, Spankchain is an adults-only blockchain.

Anatomy of a vulnerable contract

The attacker penetrated Spankchain through a so-called "re-entrancy" bug, Spankchain explains. This involves the use of a malicious contract that masquerades as an ERC20 token.

Essentially, the exploit involved creating a payment channel with this malicious contract. Through that channel, the malicious contract would then repeatedly re-enter a specific command, "LCOpenTimeout". This command was intended to let someone quickly pull out of a payment channel that had not yet been joined by a counterparty, and get a refund of their ETH deposit balance in the process.

However, an oversight in Spankchain's programming meant that the payment channel was only actually closed after the refund token transfer.

So by repeatedly entering the command before the channel closes, the hacker could make the contract emit multiple refunds. Hence the name "re-entrancy bug". Spankchain describes it as an exploit similar to what happened with the DAO attack.
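
The ordering problem described above, modelled in Python as an added example; it is not Spankchain's contract code, which this page does not show. The class names, the deposit and pool figures, and the token's callback behaviour are assumptions: the vulnerable version marks the channel closed after the refund, the hardened version marks it closed first.

```python
# Constructed Python model of the call ordering, not Spankchain's Solidity code.
# Every name here except the LCOpenTimeout operation is hypothetical.
class CallbackToken:
    """Stand-in for a contract posing as an ERC20 token; transfer() re-enters."""
    def __init__(self, reentries):
        self.reentries, self.channel, self.cid = reentries, None, None
    def transfer(self, to, amount):
        if self.reentries > 0:
            self.reentries -= 1
            try:
                self.channel.lc_open_timeout(self.cid)
            except RuntimeError:
                pass  # nested call reverted; the outer call carries on
        return True

class VulnerableChannel:
    """Refunds first and marks the channel closed last."""
    def __init__(self, pool):
        self.pool, self.paid_out, self.channels = pool, 0, {}
    def open(self, cid, deposit, token):
        self.pool += deposit
        self.channels[cid] = {"deposit": deposit, "token": token, "open": True}
    def _open_channel(self, cid):
        ch = self.channels[cid]
        if not ch["open"]:
            raise RuntimeError("channel not open")
        return ch
    def _refund(self, ch):
        self.pool -= ch["deposit"]
        self.paid_out += ch["deposit"]
        ch["token"].transfer("opener", 0)  # external call into untrusted code
    def lc_open_timeout(self, cid):
        ch = self._open_channel(cid)
        self._refund(ch)       # channel still looks open during this call
        ch["open"] = False     # state update arrives too late

class HardenedChannel(VulnerableChannel):
    """Checks-effects-interactions: close before any external call."""
    def lc_open_timeout(self, cid):
        ch = self._open_channel(cid)
        ch["open"] = False     # effect first
        self._refund(ch)       # a re-entrant call now fails the open check

def simulate(channel_cls, reentries=3, deposit=5, pool=100):
    """Return (total refunded, ETH left in the contract) for one timeout call."""
    token, chan = CallbackToken(reentries), channel_cls(pool)
    chan.open("c1", deposit, token)
    token.channel, token.cid = chan, "c1"
    chan.lc_open_timeout("c1")
    return chan.paid_out, chan.pool
```

With a deposit of 5 and three callbacks, the vulnerable ordering refunds 20 and eats into other users' funds, while the hardened ordering refunds exactly the deposit.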

Customer service

All affected customers will be unaffected shortly. Those who lost funds will be given a full BOOTY and ETH reimbursement. There's no need to do anything, so customers can just sit back and relax while the Spankchain team does its thing.

But in the meantime, Spankchain plans to keep its streaming site down for the next two or three days while it updates and redeploys the payment channel, and works on a few other bugs it's discovered.

Getting their money's worth

Spankchain opted not to undergo a security audit for the affected contract.

Ironically, they note, a security audit could well have been more expensive than this hack. The hacker stole/destroyed about $42,000 worth of crypto, but Spankchain was being quoted $30,000 to $50,000 for an audit of its payment channel. So in that respect, the hacker delivered decent value for money.

Although "taking into account both the perception value and opportunity cost of the time spent reacting to the hack, [the audit] would have been worth it," Spankchain concedes.

"This is due to our agile development process, the site being in beta, and how quickly we've been iterating and redeploying the contracts (of which we’re pushing every 2-3 weeks). This identified an issue in our development and deployment process, and we’ll make the appropriate changes to help ensure it doesn't happen again – while still innovating at the pace you all are familiar with," Spankchain explains.

"As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit."

It just goes to show that any security hole can represent a potential goal for attackers, and that small oversights can leave a project wide open. And even in the case of relatively small attacks like this, the costs tend to run higher than the cost of just getting that audit in the first place.

Ethereum smart contract bugs are extremely common, to the extent that they're forming a body of research in their own right. In this case, the flawed Spankchain contract can be classified as a "prodigal" contract.

Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Picture: Shutterstock
