Stealing a tip from a stripper is like stealing candy from a child. It's just not pretty. Someone needs to tell this to the scoundrel who managed to steal 165.38 ETH ($34,000) using a bug in one of SpankChain's smart contracts.
SpankChain is an Ethereum-based smart contract, and BOOTY is an ERC-20 token that is issued to dancers during live webcam performances. During the hack, $4,000 worth of BOOTY tokens were also frozen due to a security breach.
SpankChain did not announce the attack on its website for the next 24 hours because it was busy investigating other smart contract errors and did not notice the incident. Although the investigation is still ongoing, the company explained in detail exactly how this happened, giving the address of the attacker, the malicious contract and the internal transactions associated with it. It turns out that the hacker used the same bug that another hacker used in the attack on the DAO project: a bug called “recursive call”, which allows an attacker to repeatedly withdraw tokens and recollect ETH within the same transaction.
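A minimal Python model of the recursive-call bug class described above, added here as an illustration; it is not SpankChain's contract code, and `Vault`, `User`, `ReenteringUser` and `run` are hypothetical names. It shows how paying out before zeroing the balance lets a single deposit drain the whole pool, and how updating the balance first stops it.

```python
# Toy model of the "recursive call" bug class; constructed for illustration,
# not SpankChain's contract code. All names are hypothetical.

class Vault:
    """Holds deposits; `safe` selects the order of payout and bookkeeping."""
    def __init__(self, safe):
        self.safe = safe
        self.balances = {}
        self.pool = 0                  # total ETH held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        if self.safe:
            self.balances[who] = 0     # effect first ...
        self.pool -= amount
        who.receive(self, amount)      # ... then the external call
        if not self.safe:
            self.balances[who] = 0     # too late: callee already re-entered


class User:
    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class ReenteringUser(User):
    """A recipient whose receive hook calls back into withdraw()."""
    def receive(self, vault, amount):
        self.received += amount
        vault.withdraw(self)


def run(safe):
    """Constructed scenario: 9 ETH from an honest user, 1 ETH from the caller."""
    vault = Vault(safe)
    honest, caller = User(), ReenteringUser()
    vault.deposit(honest, 9)
    vault.deposit(caller, 1)
    vault.withdraw(caller)
    return caller.received, vault.pool
```

With the balance cleared after the payout, the 1 ETH depositor walks away with all 10 ETH; with it cleared before, the nested call sees a zero balance and returns.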
It should be noted that SpankChain took this more seriously than many other sites that fall victim to security flaws, and has committed to compensating all users who lost funds in the attack. The company plans to carry out an ETH airdrop to cover all of the stolen ETH and BOOTY worth $9,300.
The company has also now decided to pay an audit fee of $30,000 - $50,000, deeming Zeppelin's $17,000 audit to be insufficient. SpankChain said in a statement that paying more for security is a prudent, pragmatic decision.
The site has promised to improve its security practices in the future, and hopes that all users and dancers will collect even more BOOTY.
According to bitcoinist.com
