Coinfirm documents interesting or high-profile frauds and hacks that have recently happened and been reported to our network, to show how Coinfirm can help track such activity and prevent it in the future. Today we investigate the SpankChain hack and the smart contract vulnerability behind it.
This week we once again delve into the world of smart contract vulnerabilities. On 6 October 2018, an unknown attacker exploited a smart contract belonging to the adult entertainment platform SpankChain. According to SpankChain, their ICO contract was drained of 165.38 ETH (worth around $38,000 at the time of the attack), and the attack also froze another $4,000 worth of the platform's "BOOTY" tokens.
The attacker used a well-known smart contract flaw, a "reentrancy" vulnerability, the same class of bug that was famously exploited in 2016 to drain roughly 3.6 million ETH from "The DAO" (which had raised about 12.7 million ETH in total), an incident that led to the hard fork splitting Ethereum and Ethereum Classic.
Simply put, a reentrancy attack abuses a contract that sends ether to a caller before it records that the payment has been made. The attacker deploys a malicious contract whose code runs automatically whenever it receives ether; that code immediately calls the vulnerable withdrawal function again. Because the line that updates (or verifies) the caller's balance only executes after the transfer, the balance check still passes on every nested call, and the ICO contract keeps paying out in a loop until it is empty or the transaction runs out of gas.
The attack took place at 6 pm PST on Saturday and went unnoticed for a whole day, after which SpankChain was taken offline to prevent further losses. The company also stated that it had decided against a security audit of the contract beforehand because of the high price.
Ironically, the quoted cost of about $50,000 per audit exceeds the roughly $42,000 of direct losses from the hack. SpankChain has, as expected, promised to fully reimburse its users, but had to alter its site's functionality because of the frozen BOOTY tokens.
Fortunately, the story has a happy ending: SpankChain was able to contact the hacker and recover the stolen funds. The hacker also managed to release the previously frozen tokens and was later rewarded with a total of $9,000, along with the return of the 5.5 ETH used to launch the attack.
Whenever an attack like this occurs, anyone can report it through the AML Platform. The submitted data is then analyzed and processed by our team. Flagging such activity helps us fight malicious actors in the crypto space, as seen below in the Coinfirm AML Risk Report created for the SpankChain hacker's address:
The Coinfirm Team