SpankChain, a cryptocurrency aimed at decentralized sex cams, has announced that a hacker stole about $38,000 from their payment channel thanks to a broken smart contract. They wrote:
At 6pm PST Saturday, an unknown attacker drained 165.38 ETH (~$38,000) from our payment channel smart contract which also resulted in $4,000 worth of BOOTY on the contract becoming immobilized. Of the stolen/immobilized ETH/BOOTY, 34.99 ETH (~$8,000) and 1271.88 BOOTY belongs to users (~$9,300 total), and the rest belonged to SpankChain.
Our immediate priority has been to provide complete reimbursements to all users who lost funds. We are preparing an ETH airdrop to cover all $9,300 worth of ETH and BOOTY that belonged to users. Funds will be sent directly to users’ SpankPay accounts, and will be available as soon as we reboot Spank.Live.
The hacker used a ‘reentrancy’ bug in which the user calls the same transfer multiple times, draining a little Ethereum each time. The bug is the same one that previously affected the DAO.
The company pointed out that a security audit on their smart contract would have cost $50,000, a bit more than the amount lost. “As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit,” they wrote.
I’ve reached out to the company for clarification but in short it seems the spanker has become the spankee.