On Thursday (11 October 2018), LA-based SpankChain, which provides a blockchain-powered payment service solution for the adult entertainment industry, announced that the attacker who had stolen 165.38 ETH from them had returned the funds. 

On Tuesday (October 9th), as covered by CryptoGlobe, SpankChain announced that it had gotten “spanked”:

“At 6pm PST Saturday, an unknown attacker drained 165.38 ETH (~$38,000) from our payment channel smart contract which also resulted in $4,000 worth of BOOTY on the contract becoming immobilized. Of the stolen/immobilized ETH/BOOTY, 34.99 ETH (~$8,000) and 1271.88 BOOTY belongs to users (~$9,300 total), and the rest belonged to SpankChain.”

SpankChain explained that the hacker had exploited a “reentrancy” bug, “much like the one exploited in The DAO”, and that the attacker had created “a malicious contract masquerading as an ERC20 token, where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time.” The company also admitted that it had decided to “forego a security audit for the payment channel contract” because the security audit would have cost them between $30,000 and $50,000.
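The call ordering behind a reentrancy bug of the kind described above, as an added example: this is a simplified Python model, not SpankChain's contract code, and the class names, balances and callback depth are constructed for illustration. The vulnerable path pays out and calls the untrusted token's `transfer` before clearing the caller's record; the hardened path clears the record first (checks-effects-interactions).

```python
# Toy Python model of the reentrancy pattern; not SpankChain's contract code.
class Channel:
    def __init__(self, pool, safe):
        self.pool = pool      # ETH held by the contract (constructed value)
        self.safe = safe      # True: apply checks-effects-interactions
        self.deposit = {}     # depositor -> ETH owed on close
        self.paid = {}        # depositor -> ETH actually paid out

    def open(self, who, amount):
        self.pool += amount
        self.deposit[who] = amount

    def close(self, who, token):
        amount = self.deposit.get(who, 0)
        if amount == 0 or amount > self.pool:
            return                      # check: nothing owed, or pool too small
        if self.safe:
            self.deposit[who] = 0       # effect BEFORE any external call
        self.pool -= amount
        self.paid[who] = self.paid.get(who, 0) + amount
        token.transfer(self, who)       # interaction: untrusted token code runs here
        self.deposit[who] = 0           # vulnerable ordering: record cleared too late


class CallbackToken:
    """Stand-in for a contract posing as an ERC20 token whose transfer() re-enters."""
    def __init__(self, max_depth):
        self.depth = 0
        self.max_depth = max_depth

    def transfer(self, channel, who):
        if self.depth < self.max_depth:
            self.depth += 1
            channel.close(who, self)    # call back into the channel mid-close


def run(safe):
    channel = Channel(pool=100, safe=safe)   # 100 ETH belonging to other parties
    channel.open("caller", 10)               # caller deposits 10 ETH
    channel.close("caller", CallbackToken(max_depth=5))
    return channel.paid.get("caller", 0), channel.pool


if __name__ == "__main__":
    print("vulnerable (paid, pool left):", run(safe=False))
    print("hardened   (paid, pool left):", run(safe=True))
```

In the vulnerable ordering, a single 10 ETH deposit is paid out once per nested call; with the record cleared before the external call, the nested call finds nothing owed and returns.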

Then, last night, SpankChain reported on Twitter that CEO Ameen Soleimani had spoken to the hacker on the phone and reached a deal with him/her:

SpankChain used the following tweet, which contains a link to an Etherscan page showing the transfer of “the hacked ETH” to one of the company’s ETH wallets:

What is interesting is that Etherscan shows the amount of ETH received by SpankChain from the hacker was 170.35 rather than 165.38 (which they had originally reported was stolen from them):

Etherscan Screenshot.png

SpankChain also tweeted that the hacker had helped to recover the roughly 4000 BOOTY tokens that had been “immobilized” as a result of the attack:

The SpankChain CEO had this to say about the happy ending to all of this drama:

 
