CYBERSPACE — SpankChain, a cryptoeconomic-powered adult entertainment ecosystem, said today that it suffered a breach that saw $38,000 in ethereum (ETH) stolen over the weekend.
SpankChain said that the intrusion occurred on Saturday at 6 p.m. (PDT), but that it only found out about the breach on Sunday.
In addition, about $4,000 in SpankChain BOOTY, the token used to pay the fees associated with using SpankChain services, was frozen.
As a result of the breach, SpankChain officials took Spank.live offline to prevent any additional funds from being pilfered.
Today, in an announcement on Medium.com titled "We Got Spanked," SpankChain said the service could be down for two to three days, and possibly even longer.
“Our immediate priority has been to provide complete reimbursements to all users who lost funds,” SpankChain officials said. “We are preparing an ETH airdrop to cover all $9,300 worth of ETH and BOOTY that belonged to users. Funds will be sent directly to users’ SpankPay accounts, and will be available as soon as we reboot Spank.live.
“By the time we reboot Spank.live, all viewers and performers will have 100 percent of the total value in BOOTY+ETH they had in their SpankPay airdropped to their current SpankPay addresses, so users don’t need to do anything.
“The site will continue to function exactly as it was before with a single exception — because of the 4,000 BOOTY currently immobilized, we will temporarily reduce the BOOTY limit for each viewer to 10 BOOTY. This means viewers will only be able to tip 10 BOOTY at a time, and upon spending all 10 BOOTY they will automatically recharge their 10 BOOTY with any extra ETH they have deposited, until they completely deplete their ETH balance.”
SpankChain said that Saturday's attack capitalized on a “reentrancy” bug.
“The attacker created a malicious contract masquerading as an ERC20 token, where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time,” SpankChain said.
SpankChain pledged that it would improve its security protocol by “making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit.”
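The reentrancy pattern described in SpankChain's statement can be shown with a simplified Python model. It is an added illustration, not SpankChain's contract code, and it contrasts paying out before the channel state is cleared with clearing the state first. All class names, account names and amounts are constructed assumptions.

```python
# Simplified model (assumption): Python objects stand in for contracts.
class PaymentChannel:
    """Toy payment channel that refunds ETH and then calls a token contract."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.eth_pool = 0     # all ETH held by the channel contract
        self.deposits = {}    # channel id -> (owner, ETH owed)
        self.paid = {}        # owner -> ETH paid out so far

    def open(self, cid, owner, amount):
        self.deposits[cid] = (owner, amount)
        self.eth_pool += amount

    def _send_eth(self, to, amount):
        self.eth_pool -= amount
        self.paid[to] = self.paid.get(to, 0) + amount

    def close(self, cid, token):
        owner, amount = self.deposits.get(cid, (None, 0))
        if amount == 0:
            return
        if self.hardened:
            # Checks-effects-interactions: clear state before any external call.
            self.deposits[cid] = (owner, 0)
            self._send_eth(owner, amount)
            token.transfer(self, cid)
        else:
            # Vulnerable ordering: the external call runs while the deposit
            # is still recorded, so a re-entered close() pays out again.
            self._send_eth(owner, amount)
            token.transfer(self, cid)
            self.deposits[cid] = (owner, 0)

class HonestToken:
    def transfer(self, channel, cid):
        return True

class CallbackToken:
    """Untrusted 'token' whose transfer() calls back into the channel."""
    def __init__(self, depth):
        self.depth = depth
    def transfer(self, channel, cid):
        if self.depth > 0:
            self.depth -= 1
            channel.close(cid, self)
        return True

def simulate(hardened, token):
    ch = PaymentChannel(hardened)
    ch.open("users", "alice", 9)     # constructed: other users' funds
    ch.open("c1", "mallory", 1)      # constructed: the closing party's deposit
    ch.close("c1", token)
    return ch.paid.get("mallory", 0), ch.eth_pool
```

With the vulnerable ordering, a deposit of 1 is paid out once per re-entry and the difference comes from other users' funds; with the state cleared first, the re-entered call finds nothing owed.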