On Thursday (11 October 2018), LA-based SpankChain, which provides a blockchain-powered payment service solution for the adult entertainment industry, announced that the attacker who had stolen 165.38 ETH from them had returned the funds.
"At 6pm PST Saturday, an unknown attacker drained 165.38 ETH (~$38,000) from our payment channel smart contract which also resulted in $4,000 worth of BOOTY on the contract becoming immobilized. Of the stolen/immobilized ETH/BOOTY, 34.99 ETH (~$8,000) and 1271.88 BOOTY belongs to users (~$9,300 total), and the rest belonged to SpankChain."
SpankChain explained that the hacker had exploited a "reentrancy" bug, "much like the one exploited in The DAO", and that the attacker had created "a malicious contract masquerading as an ERC20 token, where the 'transfer' function called back into the payment channel contract multiple times, draining some ETH each time." The company also admitted that it had decided to "forego a security audit for the payment channel contract" because the security audit would have cost them between $30,000 and $50,000.
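To make the bug class concrete, here is a constructed Solidity sketch (added for this article; it is not SpankChain's contract and the contract and function names are assumptions). The first contract lets the caller name the token and pays out before clearing its books, so a token whose `transfer` re-enters `close` is paid from the same balance repeatedly; the second fixes the token at deployment, updates state before any external call, and adds a mutex.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE (constructed example): the caller chooses the token address, and the
// external calls run before the balances are cleared, so a contract at `token`
// whose transfer() re-enters close() is paid from the same balance each time.
contract VulnerableChannel {
    mapping(address => uint256) public ethBalance;
    mapping(address => uint256) public tokenBalance; // credited by channel logic omitted here

    function deposit() external payable { ethBalance[msg.sender] += msg.value; }

    function close(address token) external {
        uint256 eth = ethBalance[msg.sender];
        uint256 tokens = tokenBalance[msg.sender];
        IERC20(token).transfer(msg.sender, tokens);     // untrusted code gets control here
        (bool ok, ) = msg.sender.call{value: eth}("");  // ...and here
        require(ok, "eth transfer failed");
        ethBalance[msg.sender] = 0;                     // cleared too late
        tokenBalance[msg.sender] = 0;
    }
}

// HARDENED: token fixed at deployment, checks-effects-interactions, and a mutex.
contract HardenedChannel {
    IERC20 public immutable token;
    mapping(address => uint256) public ethBalance;
    mapping(address => uint256) public tokenBalance; // credited by channel logic omitted here
    bool private locked;

    constructor(IERC20 token_) { token = token_; }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable { ethBalance[msg.sender] += msg.value; }

    function close() external nonReentrant {
        uint256 eth = ethBalance[msg.sender];
        uint256 tokens = tokenBalance[msg.sender];
        ethBalance[msg.sender] = 0;                     // effects before interactions
        tokenBalance[msg.sender] = 0;
        require(token.transfer(msg.sender, tokens), "token transfer failed");
        (bool ok, ) = msg.sender.call{value: eth}("");
        require(ok, "eth transfer failed");
    }
}
```

Either fix alone would have stopped the pattern described above; together they also close the "fake token" door, since the channel no longer calls whatever address a user supplies.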
Then, last night, SpankChain reported on Twitter that CEO Ameen Soleimani had spoken to the hacker on the phone and reached a deal with him/her:
Update on our recent hack: @ameensol spoke with the attacker on the phone, and they sent us the private key with all the funds. We sent them back $5,000 as a reward along with the 5.5 ETH they used as seed capital for the attack. — SpankChain (@SpankChain) October 11, 2018
Congratulations, anonymous haxor!
SpankChain also posted the following tweet, which links to an Etherscan page showing the transfer of "the hacked ETH" to one of the company's ETH wallets:
Tx transferring the hacked ETH to a company wallet we control: https://t.co/M85ZC1mHMN — SpankChain (@SpankChain) October 11, 2018
What is interesting is that Etherscan shows SpankChain received 170.35 ETH from the hacker, rather than the 165.38 ETH the company had originally reported stolen.
SpankChain also tweeted that the hacker had helped to recover the roughly 4,000 BOOTY tokens that had been "immobilized" as a result of the attack:
Update2: The attacker was also able to retrieve the ~4,000 BOOTY that their hack immobilized. We purchased it back from them for $4,000. Thank you anon! — SpankChain (@SpankChain) October 12, 2018
BOOTY reclamation tx: https://t.co/7c9udbnBlI
The SpankChain CEO had this to say about the happy ending to all of this drama:
Operation "Save My Ass" is a success. The stuck BOOTY has been recovered. https://t.co/OpuHPWDXl5 — 👹 Ameen Soleimani (@ameensol) October 12, 2018