Cyber Incident Victim: SpankChain
Date: Oct 2018
Location: United States of America
Summary
A cryptocurrency platform focused on the adult entertainment industry suffered a security breach resulting in the theft of $38,000 worth of Ethereum and the immobilization of over 12,000 proprietary tokens due to a smart contract vulnerability. The attacker exploited a reentrancy bug in the payment channel contract, deploying a malicious contract that repeatedly drained funds before transaction completions—a method reminiscent of prior high-profile crypto attacks. The breach disrupted live cam services, forcing the platform offline for remediation. Affected users were promised reimbursement for stolen assets, while developers acknowledged a critical oversight in forgoing a security audit due to cost concerns, later recognizing this decision as a mistake.
Description
On October 6, 2018, at approximately 6 PM PST, an attacker exploited a vulnerability in SpankChain’s payment channel smart contract, resulting in the theft of 165.38 Ethereum (valued at $38,000 USD) and the immobilization of 12,701.88 BOOTY tokens. SpankChain, an Ethereum-based platform facilitating cryptocurrency payments for adult entertainment services, utilized BOOTY tokens for tipping performers during live cam sessions. The attacker executed a reentrancy attack by deploying a malicious contract disguised as an ERC20 token. This contract repeatedly invoked the payment channel’s transfer function before prior transactions finalized, enabling successive withdrawals of Ethereum from the platform’s reserves. The method mirrored the 2016 DAO attack, exploiting delayed balance updates within the smart contract’s code.

SpankChain detected the breach on October 7 at 7 PM PST, 25 hours after the initial attack, prompting an immediate shutdown of its Spank.live service. The company pledged to reimburse affected users $9,300 worth of Ethereum and suspended cam operations indefinitely to address vulnerabilities and migrate to an upgraded payment contract. A post-incident analysis confirmed the exploit stemmed from the unaddressed reentrancy bug. SpankChain disclosed that it had forgone a pre-launch security audit because of quoted costs of $30,000–$50,000, a decision it later acknowledged as flawed given the financial and operational repercussions of the breach. The incident disrupted platform operations, necessitating service downtime for remediation and exposing the risks of deploying unaudited smart contracts.
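The "delayed balance update" the description refers to, as an added Python model that is not SpankChain's contract code: a withdrawal that makes its external call before recording the debit can be re-entered by the called contract, while the hardened version applies its effects first and rejects nested calls. The reserve, deposit and call-depth values are constructed.

```python
# Constructed model of the reentrancy pattern described above, not SpankChain's code:
# the channel pays out via a caller-supplied "token" contract that can call back in.
from dataclasses import dataclass, field

@dataclass
class VulnerableChannel:
    reserves: int                                 # pooled ETH held by the contract
    balances: dict = field(default_factory=dict)  # per-user channel balances
    def withdraw(self, who, token, amount):
        if self.balances.get(who, 0) < amount:    # check
            raise ValueError("insufficient channel balance")
        self.reserves -= amount
        token.on_transfer(self, who, amount)      # interaction: external call can re-enter
        self.balances[who] -= amount              # effect applied too late

@dataclass
class HardenedChannel(VulnerableChannel):
    locked: bool = False                          # simple reentrancy guard
    def withdraw(self, who, token, amount):
        if self.locked:
            raise RuntimeError("nested withdraw rejected")
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient channel balance")
        self.balances[who] -= amount              # effects before the external call
        self.reserves -= amount
        self.locked = True
        try:
            token.on_transfer(self, who, amount)
        finally:
            self.locked = False

class ReenteringToken:
    # Constructed stand-in for a contract with an ERC20-like interface that, when
    # the channel calls it, calls withdraw again a fixed number of times.
    def __init__(self, depth):
        self.depth, self.received = depth, 0
    def on_transfer(self, channel, who, amount):
        self.received += amount
        if self.depth > 0:
            self.depth -= 1
            try:
                channel.withdraw(who, self, amount)   # nested call
            except (RuntimeError, ValueError):
                pass                                  # hardened channel refuses it

def simulate(channel_cls, reserves=10, deposit=1, depth=4):
    # Returns (ETH received by the token contract, ETH left in channel reserves).
    ch = channel_cls(reserves=reserves, balances={"caller": deposit})
    token = ReenteringToken(depth)
    ch.withdraw("caller", token, deposit)
    return token.received, ch.reserves
```

With a deposit of 1 the vulnerable channel pays out 5, the hardened one pays out exactly the deposit and the nested call fails both the guard and the balance check.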
