All posts in “smart contract”

SpankChain spanked

SpankChain, a cryptocurrency aimed at decentralized sex cams, has announced that a hacker stole about $38,000 from their payment channel thanks to a broken smart contract. They wrote:

“At 6pm PST Saturday, an unknown attacker drained 165.38 ETH (~$38,000) from our payment channel smart contract which also resulted in $4,000 worth of BOOTY on the contract becoming immobilized. Of the stolen/immobilized ETH/BOOTY, 34.99 ETH (~$8,000) and 1271.88 BOOTY belongs to users (~$9,300 total), and the rest belonged to SpankChain.

“Our immediate priority has been to provide complete reimbursements to all users who lost funds. We are preparing an ETH airdrop to cover all $9,300 worth of ETH and BOOTY that belonged to users. Funds will be sent directly to users’ SpankPay accounts, and will be available as soon as we reboot Spank.Live.”

The hacker used a ‘reentrancy’ bug in which the user calls the same transfer multiple times, draining a little Ethereum each time. The bug is the same one that previously affected the DAO.
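
The call ordering behind a reentrancy bug, as an added Python model that is not SpankChain's contract or code from the original post: the `Vault`, `User` and `Reentrant` classes and the 9/1 deposit amounts are constructed for illustration. It runs the vulnerable ordering (send, then update the balance) beside the corrected one (update, then send).

```python
# Toy model of a reentrancy bug (constructed example; not SpankChain's contract).
# "Sending ETH" to a contract runs its receive() hook, as on Ethereum.

class Vault:
    """Holds deposits; `safe` selects the checks-effects-interactions ordering."""
    def __init__(self, safe):
        self.safe = safe
        self.credit = {}      # per-depositor accounting
        self.eth = 0          # ETH actually held by the contract

    def deposit(self, who, amount):
        self.credit[who] = self.credit.get(who, 0) + amount
        self.eth += amount

    def _send(self, to, amount):
        if amount > self.eth:
            raise RuntimeError("insufficient contract balance")  # call reverts
        self.eth -= amount
        to.receive(self, amount)          # external call: control leaves the vault

    def withdraw(self, who):
        amount = self.credit.get(who, 0)
        if amount == 0:
            return
        if self.safe:
            self.credit[who] = 0          # effect first ...
            self._send(who, amount)       # ... interaction last
        else:
            self._send(who, amount)       # interaction first: callee can re-enter
            self.credit[who] = 0          # too late, credit was still non-zero

class User:
    def __init__(self): self.eth = 0
    def receive(self, vault, amount): self.eth += amount

class Reentrant(User):
    """Recipient whose receive hook calls withdraw() again before it returns."""
    def receive(self, vault, amount):
        self.eth += amount
        if vault.eth >= amount:           # stop before a send would revert
            vault.withdraw(self)

def run(safe):
    """Return (recipient's ETH, ETH left in the vault) after one withdraw call."""
    vault, honest, attacker = Vault(safe), User(), Reentrant()
    vault.deposit(honest, 9)              # constructed sample deposits
    vault.deposit(attacker, 1)
    vault.withdraw(attacker)
    return attacker.eth, vault.eth
```

With the vulnerable ordering a depositor credited with 1 unit leaves with all 10; with the balance zeroed before the external call, the nested `withdraw` sees a zero credit and returns.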

The company pointed out that a security audit on their smart contract would have cost $50,000, a bit more than the amount lost. “As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit,” they wrote.

I’ve reached out to the company for clarification but in short it seems the spanker has become the spankee.

Sagewise pitches a service to verify claims and arbitrate disputes over blockchain transactions

Sometimes smart contracts can be pretty dumb.

All of the benefits of a cryptographically secured, publicly verified, anonymized transaction system can be erased by errant code, malicious actors or poorly defined parameters of an executable agreement.

Hoping to beat back the tide of bad contracts, bad code and bad actors, Sagewise, a new Los Angeles-based startup, has raised $1.25 million to bring to market a service that basically hits pause on the execution of a contract so it can be arbitrated in the event that something goes wrong.

Co-founded by a longtime lawyer, Amy Wan, whose experience runs the gamut from the U.S. Department of Commerce to serving as counsel for a peer-to-peer real estate investment platform in Los Angeles, and Dan Rice, a longtime entrepreneur working with blockchain, Sagewise works with both Ethereum and the Hedera Hashgraph (a newer distributed ledger technology, which purports to solve some of the issues around transaction processing speed and security which have bedeviled platforms like Ethereum and Bitcoin).

The company’s technology works as a middleware, including an SDK and a contract notification and monitoring service. “The SDK is analogous to an arbitration clause in code form — when the smart contract executes a function, that execution is delayed for a pre-set amount of time (i.e. 24 hours) and users receive a text/email notification regarding the execution,” Wan wrote to me in an email. “If the execution is not the intent of the parties, they can freeze execution of the smart contract, giving them the luxury of time to fix whatever is wrong.”

Sagewise approaches the contract resolution process as a marketplace where priority is given to larger deals. “Once frozen, parties can fix coding bugs, patch up security vulnerabilities, or amend/terminate the smart contract, or self-resolve a dispute. If a dispute cannot be self-resolved, parties then graduate to a dispute resolution marketplace of third party vendors,” Wan writes. “After all, a $5 bar bet would be resolved differently from a $5M enterprise dispute. Thus, we are dispute process agnostic.”

Wavemaker Genesis led the round, which also included strategic investments from affiliates of Ari Paul (Blocktower Capital), Miko Matsumura (Gumi Cryptos), Youbi Capital, Maja Vujinovic (Cipher Principles), Jordan Clifford (Scalar Capital), Terrence Yang (Yang Ventures) and James Sowers.

“Smart contracts are coded by developers and audited by security auditing firms, but the quality of smart contract coding and auditing varies drastically among service providers,” said Wan, the chief executive of Sagewise, in a statement. “Inevitably, this discrepancy becomes the basis for smart contract disputes, which is where Sagewise steps in to provide the infrastructure that allows the blockchain and smart contract industry to achieve transactional confidence.”

In an email, Wan elaborated on the thesis to me, writing that, “smart contracts may have coding errors, security vulnerabilities, or parties may need to amend or terminate their smart contracts due to changing situations.”

Contracts could also be disputed if their execution was triggered accidentally or due to the actions of attackers trying to hack a platform.

“Sagewise seeks to bring transactional confidence into the blockchain industry by building a smart contract safety net where smart contracts do not fulfill the original transactional intent,” Wan wrote.