SpankChain Smart Contract Compromised, Hackers Take $38,000 in Ethereum

Published by Cryptoslate

The move occurred after hackers exploited a smart contract bug on the protocol, according to an official release on Oct. 9.

SpankChain took its live streaming service offline on locating the theft, and has since closed its camsite to prevent transactions of stolen funds into the payment channel's smart contract.

For the uninitiated, SpankChain is a multi-token protocol which uses SPANK tokens for staking purposes and creating smart contracts.

Live with a new smart contract to prevent a repeat, and fix bugs discovered during the BOOTY upgrade.

As part of the smart contract's inbuilt security, 4,000 BOOTY tokens were "immobilized" when the theft took place.

Attackers created a smart contract disguised as an ERC20 token, where the "transfer" function allowed "paid" funds to be sent into the payment channel contract multiple times.

The malicious contract opened up a payment channel and allowed hackers to enter and exit the contract without the presence of a counter-party.

By transferring tokens to the smart contract and back, hackers were able to gain ETH equivalent to their initial SPANK balance.
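The repeated-exit behaviour described above comes down to the order in which a contract updates its own state and calls an untrusted token, a pattern usually called reentrancy. The Python model below is an added example, not SpankChain's contract code; the class names, the `effects_first` switch and all amounts are assumptions made for illustration.

```python
# Toy model of a payment-channel exit (constructed for illustration;
# not SpankChain's contract code). All names and amounts are assumptions.

class Channel:
    def __init__(self, pool, effects_first):
        self.pool = pool                    # ETH held for every user
        self.effects_first = effects_first  # hardened ordering when True
        self.open_channels = {}             # owner -> (eth_deposit, token)
        self.refunded = {}                  # owner -> total ETH sent back

    def open(self, owner, eth, token):
        self.pool += eth
        self.open_channels[owner] = (eth, token)

    def exit_without_counterparty(self, owner):
        if owner not in self.open_channels:
            raise RuntimeError("channel not open")
        eth, token = self.open_channels[owner]
        if self.effects_first:
            del self.open_channels[owner]   # close BEFORE any external call
        self.pool -= eth
        self.refunded[owner] = self.refunded.get(owner, 0) + eth
        token.transfer(self, owner)         # external call into untrusted code
        self.open_channels.pop(owner, None) # vulnerable path closes too late


class PlainToken:
    def transfer(self, channel, owner):
        pass                                # well-behaved token: no callback


class CallbackToken:
    """Token-shaped contract whose transfer calls back into the channel."""
    def __init__(self, depth):
        self.depth = depth

    def transfer(self, channel, owner):
        if self.depth > 0:
            self.depth -= 1
            try:                            # nested failure is swallowed here
                channel.exit_without_counterparty(owner)
            except RuntimeError:
                pass


def refund_total(effects_first, token, pool=100, deposit=5):
    ch = Channel(pool, effects_first)
    ch.open("user", deposit, token)
    ch.exit_without_counterparty("user")
    return ch.refunded["user"], ch.pool
```

With the channel closed only after the token call, one 5-unit deposit is refunded once per nested call; closing it first makes every nested call fail, so the refund happens once.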

SpankChain is making multiple "internal" audits mandatory for all smart contract code published on the SpankChain protocol, along with "at least" one external audit.

For those interested, SpankChain has made public the hacker's payment channel contract, the attacker's address, the internal attacker's address, and the malicious contract address.