“Our immediate priority has been to provide complete reimbursements to all users who lost funds,” reads yesterday’s blog post. “We are preparing an ETH airdrop to cover all $9,300 worth of ETH and BOOTY that belonged to users. Funds will be sent directly to users’ SpankPay accounts, and will be available as soon as we reboot Spank.Live.”
The camsite is expected to be down for the next 2-3 days, possibly longer. SpankChain plans to redeploy the payment channel smart contract with a patch to prevent future hacks and to update Spank.live to use the new payment channel contract. All of the ETH and BOOTY lost in the attack will be returned to SpankPay accounts in an upcoming airdrop. The SpankChain team is preparing an in-depth investigation into the attack.
According to the announcement,
“By the time we reboot Spank.Live, all viewers and performers will have 100% of the total value in BOOTY+ETH they had in their SpankPay airdropped to their current SpankPay addresses, so users don’t need to do anything.
The site will continue to function exactly as it was before with a single exception — because of the 4,000 BOOTY currently immobilized, we will temporarily reduce the BOOTY limit for each viewer to 10 BOOTY. This means viewers will only be able to tip 10 BOOTY at a time, and upon spending all 10 BOOTY they will automatically recharge their 10 BOOTY with any extra ETH they have deposited, until they completely deplete their ETH balance.”
The attack capitalized on a “reentrancy” bug on the SpankChain platform, similar to the bug exploited in the DAO hack.
“The attacker created a malicious contract masquerading as an ERC20 token, where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time,” the company reports.
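The mechanism the company describes, as an added illustration that is not SpankChain's contract code: a Python model of a payment channel that pays out a user's balance by calling the token's transfer function before clearing that balance, a token contract whose transfer re-enters the channel, and two hardened versions (checks-effects-interactions first, then a reentrancy guard on top). The channel logic, the class and function names, the "attacker" user and all amounts are constructed for the example.

```python
# Model of the reentrancy bug described above. This is an added teaching
# example written in Python, not SpankChain's Solidity contract; the
# channel logic, token classes, balances and the user name are constructed.


class ReentrancyError(Exception):
    """Raised by the guarded channel when withdraw() is re-entered."""


class VulnerableChannel:
    """Pays out BEFORE clearing the user's balance (interaction before
    effect), so a callback from the token sees the stale balance."""

    def __init__(self, eth_pool):
        self.eth_pool = eth_pool     # ETH the contract holds for everyone
        self.balances = {}           # user -> [eth, booty]
        self.paid_eth = {}           # user -> ETH actually sent out

    def deposit(self, user, eth, booty):
        self.balances[user] = [eth, booty]

    def _pay(self, user, eth, booty, token):
        # External call into an untrusted token contract: attacker code runs here.
        token.transfer(user, booty)
        if self.eth_pool < eth:
            raise RuntimeError("insufficient ETH")   # on-chain: revert
        self.eth_pool -= eth
        self.paid_eth[user] = self.paid_eth.get(user, 0) + eth

    def withdraw(self, user, token):
        eth, booty = self.balances.get(user, [0, 0])
        if eth == 0 and booty == 0:
            return
        self._pay(user, eth, booty, token)   # interaction first ...
        self.balances[user] = [0, 0]         # ... effect last: too late


class CEIChannel(VulnerableChannel):
    """Checks-effects-interactions: clear the balance, then call out."""

    def withdraw(self, user, token):
        eth, booty = self.balances.get(user, [0, 0])
        if eth == 0 and booty == 0:
            return
        self.balances[user] = [0, 0]         # effect first
        self._pay(user, eth, booty, token)   # interaction last


class GuardedChannel(CEIChannel):
    """CEI plus a mutex-style guard that rejects any re-entry outright."""

    def __init__(self, eth_pool):
        super().__init__(eth_pool)
        self._locked = False

    def withdraw(self, user, token):
        if self._locked:
            raise ReentrancyError("withdraw re-entered")   # on-chain: revert
        self._locked = True
        try:
            super().withdraw(user, token)
        finally:
            self._locked = False


class MaliciousToken:
    """Contract posing as an ERC20 whose transfer() calls back into the channel."""

    def __init__(self, channel, user, reentries):
        self.channel, self.user = channel, user
        self.remaining = reentries

    def transfer(self, to, amount):
        if self.remaining > 0:
            self.remaining -= 1
            self.channel.withdraw(self.user, self)   # re-enter the channel
        return True


def run_attack(channel_cls, eth_pool=10, deposit=1, reentries=4):
    """Return the ETH paid to the attacker after a single withdraw() call."""
    ch = channel_cls(eth_pool)
    ch.deposit("attacker", deposit, 5)     # constructed: 1 ETH, 5 BOOTY
    token = MaliciousToken(ch, "attacker", reentries)
    ch.withdraw("attacker", token)
    return ch.paid_eth.get("attacker", 0)


def attack_reverts(channel_cls, **kw):
    """True if the withdraw attempt is rejected by the reentrancy guard."""
    try:
        run_attack(channel_cls, **kw)
    except ReentrancyError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableChannel), "ETH paid for a 1 ETH balance")
    print("CEI:       ", run_attack(CEIChannel), "ETH paid")
    print("guarded:   ", "reverted" if attack_reverts(GuardedChannel) else "paid")
```

Each re-entry pays the stale balance again, so the drain is the balance times (1 + number of re-entries), bounded only by the ETH the contract holds. Clearing the balance before the external call makes the re-entered withdraw see zero and return, and the guard turns any re-entry into a revert of the whole transaction (the model only raises; it does not roll back the outer call's state the way the EVM would).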
SpankChain has openly stated that earlier this year it decided to pass on a $17,000 security audit by Zeppelin of one of its previous unidirectional payment channel contracts. At the time, the value held in the payment channel contract had yet to exceed $17,000.
In the wake of this weekend’s attack, Zeppelin has quoted between $30,000 and $50,000 for an audit of a separate and more sophisticated non-custodial SpankChain payment channel contract, which SpankChain has accepted.
“As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit,” SpankChain stated.