SpankChain Hacker Returns Stolen Ethereum, Earns $9,000 Reward

Last Updated March 4, 2021 3:48 PM
Josiah Wilmoth

The hacker who stole nearly $40,000 in ethereum from adult entertainment startup SpankChain has returned the stolen cryptocurrency, the company announced last night.

According to messages posted on the company’s official Twitter account, SpankChain CEO Ameen Soleimani reached an agreement with the anonymous hacker after speaking to them on the phone.

Following that conversation, the hacker provided SpankChain with the private key to an address holding the stolen funds and then further helped the company retrieve a few thousand dollars’ worth of funds that had been immobilized during the attack.

In return, SpankChain sent the hacker $5,000 as a bounty reward, purchased the formerly-frozen tokens back from them for $4,000, and returned the 5.5 ETH the hacker had used when launching the attack in the first place.

As CCN.com reported, the hack occurred last Saturday when the attacker successfully exploited a “reentrancy” bug in one of SpankChain’s smart contracts. The bug, similar to the one that led to the infamous downfall of The DAO, allowed the attacker to trick the SpankChain contract into allowing them to withdraw funds, even after the attacker’s payment channel balance had gone below zero.
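The ordering problem behind a reentrancy bug can be shown with a small Python model. This is an added example, not SpankChain's contract code: the `Ledger` class, the account names and the amounts are all constructed, and the hardened path uses the standard fix of updating the balance before paying out, plus a guard against nested calls.

```python
class Ledger:
    """Constructed toy model of a contract that holds funds for depositors."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.balances = {}   # credited amount per depositor
        self.pool = 0        # funds the contract actually holds
        self.locked = False  # reentrancy guard, enforced only when hardened

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, on_receive):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call rejected")
        amount = self.balances.get(who, 0)
        if amount <= 0 or amount > self.pool:
            return 0
        self.locked = True
        try:
            if self.hardened:
                self.balances[who] -= amount  # effect before interaction
            self.pool -= amount
            on_receive(amount)                # external call hands over control
            if not self.hardened:
                self.balances[who] -= amount  # bookkeeping arrives too late
        finally:
            self.locked = False
        return amount


def run(hardened):
    """Return (paid to caller, caller's recorded balance, funds left in pool)."""
    ledger = Ledger(hardened)
    ledger.deposit("others", 30)
    ledger.deposit("caller", 10)
    received = []

    def on_receive(amount):  # recipient that calls back in during the payout
        received.append(amount)
        try:
            ledger.withdraw("caller", on_receive)
        except RuntimeError:
            pass  # hardened ledger refused the nested call

    ledger.withdraw("caller", on_receive)
    return sum(received), ledger.balances["caller"], ledger.pool
```

With the late balance update, a 10-unit deposit pays out 40 and leaves the recorded balance at -30; with the hardened ordering, the same sequence pays out 10 and the other depositors' 30 stays in the pool.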

The hacker originally made off with $38,000 in ethereum, and the attack immobilized a further $4,000 worth of SpankChain’s initial coin offering (ICO) token, BOOTY. Most of those funds belonged to the company, who had planned a $9,300 airdrop to compensate users for their losses.

Instead, the company paid out about $9,000 to the hacker, still far less than the $50,000 the company said that it would have cost to audit the smart contract prior to its deployment on the mainnet. However, the company has acknowledged in retrospect that the peripheral costs associated with forgoing that audit far exceeded the savings.

But while this specific incident was resolved remarkably amicably, computer scientist Emin Gün Sirer has warned that many Ethereum smart contracts remain vulnerable to reentrancy attacks. Subsequent hacks may not have quite such a happy ending.