Ethereum-based smart contract platform SpankChain suffered an attack in early October 2018, losing about 165.38 ETH, worth $38,000 at the time, and 4,000 BOOTY tokens, worth about $4,000.
Two days after SpankChain disclosed the news of an attack, the hacker had reportedly returned all the stolen funds, earning a reward in the form of a bounty. Here’s what happened.
On October 6, 2018, an attacker exploited a vulnerability in SpankChain’s smart contract, a payment platform that uses its ERC20 token BOOTY to tip adult entertainers.
The hacker made off with the $38,000 worth of Ether (ETH) and immobilized about 4,000 BOOTY tokens in the process.
In its own words, SpankChain reported that it hadn’t noticed the breach because it was “in the middle of investigating other smart contract bugs.” As a result, it took the better part of a day for the team to realize the funds were gone.
SpankChain’s swift reaction
In the aftermath of the attack, SpankChain reacted swiftly, acknowledging the security breach and then quickly promising to reimburse all the affected users.
The team also provided a detailed report of what had transpired, including the attacker’s address and their malicious contract. The post also explained that the hacker had exploited a “reentrancy” bug in its smart contracts, the same type of attack as the one that shattered Ethereum’s DAO.
Rather than dwell on their failures, the company took full responsibility and quickly planned an ETH airdrop to refund its users who had lost $9,300 in the hack. Behind the scenes, the SpankChain team established communication with the hacker, in a bid to save the Ethereum and BOOTY.
Operation ‘Save My Ass’ succeeds
According to the adult entertainment startup’s official Twitter account, CEO Ameen Soleimani managed to strike a deal with the hacker after speaking to them on the phone.
The agreement saw the anonymous hacker hand over the private key to the address where the stolen funds were held. And it did not end there, as the hacker also helped SpankChain to retrieve the approximately 4,000 BOOTY which the attack had immobilized.
In a clearly ‘good natured’ piece of business, SpankChain paid a $5,000 bounty in return for the private key. It also let the hacker keep the 5.5 ETH used to launch the attack, and bought back the unfrozen tokens for $4,000. In total, the hacker got $9,000 for exposing the platform’s vulnerability, not a terrible deal.
Even though SpankChain managed to find a quick resolution to the ‘unfortunate’ attack, experts have cautioned that many Ethereum-based smart contracts remain vulnerable to DAO-style reentrancy attacks.