
Alert: SuperRare, a platform for digital collectibles, has experienced a security incident. A vulnerability in their RareStakingV1 contract led to the unauthorized withdrawal of 11.9 million RARE tokens.
Crucially, this security lapse did not affect the $RARE token itself or its core functions. The compromised RareStakingV1 contract was instrumental in SuperRare’s staking and curation efforts, which launched in August 2023.
The Rare Protocol’s original purpose was to address challenges related to high-quality NFT curation and the discoverability of artists. Its staking mechanism allowed users to stake $RARE tokens on artists, engage with their Community Pools, and subsequently earn rewards based on the artist’s sales performance.
SuperRare Staking Contract Exploit: Origin in Flawed ‘updateMerkleRoot’ Permissions
Insights from Web3 security specialists Blockaid and the threat intelligence platform MistEye indicate that the “updateMerkleRoot” function within the RareStakingV1 contract was the root cause. The problem lay in a deficient permission check.
The “updateMerkleRoot” function should have restricted who could alter the Merkle Root, which is the value against which every staking and reward claim is validated. The code, however, failed to enforce this restriction, allowing unauthorized parties to replace the root and then claim tokens against a tree of their own making.
Consequently, any digital wallet address could bypass the verification process and illicitly claim tokens.
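To make the failure mode concrete, below is a minimal Merkle-root reward distributor written for this article (not SuperRare’s RareStakingV1 code) that shows an unrestricted root setter beside an owner-gated one; the contract names, the OpenZeppelin import path and the leaf encoding are assumptions, and the unrestricted setter is one form of “deficient permission check”, not a claim about the exact defect in the real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Assumes OpenZeppelin Contracts is available at this path (hypothetical project layout).
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

/// Shared claim logic: a reward is claimable only if (claimant, amount) is a leaf
/// under the current root, so whoever can set the root decides who may claim.
abstract contract MerkleRewardsBase {
    address public immutable owner;
    bytes32 public merkleRoot;
    mapping(address => bool) public claimed;
    event MerkleRootUpdated(address indexed by, bytes32 oldRoot, bytes32 newRoot);
    event Claimed(address indexed account, uint256 amount);

    constructor(bytes32 initialRoot) {
        owner = msg.sender;
        merkleRoot = initialRoot;
    }

    function claim(uint256 amount, bytes32[] calldata proof) external {
        require(!claimed[msg.sender], "already claimed");
        // Double-hashed leaf (OpenZeppelin convention) so an internal node cannot pass as a leaf.
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(msg.sender, amount))));
        require(MerkleProof.verifyCalldata(proof, merkleRoot, leaf), "invalid proof");
        claimed[msg.sender] = true;
        emit Claimed(msg.sender, amount);
        // Token transfer to msg.sender would follow here.
    }
}

/// Vulnerable variant: no caller check on the setter, so claim()'s proof check only
/// shows membership in a tree the caller itself committed to.
contract MerkleRewardsVulnerable is MerkleRewardsBase {
    constructor(bytes32 r) MerkleRewardsBase(r) {}
    function updateMerkleRoot(bytes32 newRoot) external {
        emit MerkleRootUpdated(msg.sender, merkleRoot, newRoot);
        merkleRoot = newRoot;
    }
}

/// Hardened variant: only the owner may rotate the root; the event lets monitoring
/// alert on any MerkleRootUpdated whose `by` is not the expected operator.
contract MerkleRewardsFixed is MerkleRewardsBase {
    constructor(bytes32 r) MerkleRewardsBase(r) {}
    modifier onlyOwner() { require(msg.sender == owner, "caller is not owner"); _; }
    function updateMerkleRoot(bytes32 newRoot) external onlyOwner {
        emit MerkleRootUpdated(msg.sender, merkleRoot, newRoot);
        merkleRoot = newRoot;
    }
}
```

In the vulnerable variant the proof check in claim() is still cryptographically sound, which is why the bug is an access-control failure rather than a Merkle-proof failure; the hardened variant also gives an on-chain monitor a single event to watch for unexpected root rotations.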
Blockaid’s analysis reveals a two-stage attack. Initially, the attacker deployed a contract intended to exploit the vulnerability. However, a separate entity identified the pending transaction and executed a “front-running” maneuver, effectively stealing the exploit and draining the funds one block before the original attacker could act. Cyvers confirmed this sequence, tracking the initial attacker’s funding source back to Tornado Cash from approximately six months prior.
Further investigation, however, has suggested the initial attacker may be an “active DeFi farmer,” having engaged with various platforms like Pendle, Uniswap, Odos, Reservoir, and Morpho.
The stolen assets, currently valued at roughly $731,000, remain within the “front-runner’s” contract address. As of now, they have not been moved to exchanges, laundered through mixing services, or otherwise dissipated.
SuperRare has yet to issue a comprehensive public statement outlining the incident’s details and the planned steps for remediation.
First Exploit Following NFT Market’s $1 Billion Resurgence
This security breach occurs as the NFT market is showing indications of a renewed upward trend. Following an extended period of stagnation, the NFT market’s total valuation increased by over $1 billion in a single day, accompanied by a 287% surge in trading volumes, reaching $37.4 million.
This revitalized interest in NFTs is strongly connected to the positive price action of Ethereum. ETH has appreciated by 55% in the last month, briefly reaching $3,814, a level not seen since December of 2024. Because many NFTs are priced using ETH, its rising value has reignited buyer interest and elevated floor prices for many prominent NFT collections.
CryptoPunks and Pudgy Penguins are leading the charge in this market recovery. CryptoPunks experienced a 16% increase in their floor price, reaching 47.5 ETH (approximately $179,000), and generated $14 million in sales within a 24-hour timeframe. Pudgy Penguins closely followed, achieving $5.7 million in daily trading volume and a 15% increase in their floor price.
