Oct 25, 2018
A recognised leader in its field, ranked among the most influential regtech companies, Coinfirm serves as a foundation for the safe adoption and use of blockchain.
AMLT Crypto Alert of the Week
Welcome to week 11 of the Crypto Alert of the Week series by AMLT, a series dedicated to documenting interesting or high-profile frauds, hacks and similar incidents that recently happened and have been reported into the AMLT Network, and to showing how the AMLT Network can help track and prevent them in the future.
This week we once again delve into the world of smart contract vulnerabilities. On the 6th of October, an unknown hacker managed to exploit a smart contract that belonged to the adult entertainment website SpankChain. Their ICO contract was drained of 165.38 ETH (worth around $38,000 at the time of the attack), while the attack also froze another $4,000 worth of the platform’s “BOOTY” tokens, according to SpankChain.
The hacker exploited a known smart contract “reentrancy” attack, the same class of attack famously used to steal 12.7 million ETH from “The DAO”, which helped lead to the split between Ethereum and Ethereum Classic.
Simply explained, a reentrancy attack targets a contract that sends ether to a caller before it has updated the record of that caller’s balance. The attacker deploys a malicious contract and asks the vulnerable contract to pay out the ether previously sent there. Because the line that verifies and updates the balance is executed only after the transfer, the attacking contract, when it receives the ether, calls back into the ICO contract before that line runs; the balance check still passes, another transfer is made, and the loop repeats, allowing additional withdrawals until the funds are drained.
The attack took place at 6pm PST on Saturday and went unnoticed for a whole day, after which SpankChain was taken offline in order to prevent any additional losses. The company has also stated that it had previously decided against a security audit of its contract because of the high price of one.
Funnily enough, the mentioned cost of $50,000 per audit outweighs the initial monetary losses incurred from the hack. SpankChain has, as expected, promised to fully reimburse their clients, but had to alter their site functionality due to the 4,000 BOOTY tokens being frozen.
Fortunately, the story comes to a happy end, as SC was able to contact the hacker and recover the stolen funds. The hacker was also able to retrieve the previously immobilized tokens and was later rewarded a total of $9,000, along with the return of the 5.5 ETH used to launch the attack.
Whenever an attack like this occurs, anyone can report it through the AMLT panel or widget. The submitted data is then analyzed and processed by our team. Flagging actions like these helps us fight malicious actors in the crypto space, as seen below on the Coinfirm AML Risk Report created for the SpankChain hacker’s address:
If you're interested in partnering with Coinfirm or becoming an AMLT Network Member then contact us!
Thank you for your continued support and make sure to follow all of our latest updates on Twitter, Facebook, LinkedIn and Telegram Community.
The AMLT Team