SuperRare’s Staking Contract Exploited for $730K Due to Critical Vulnerability

Generated by AI Agent, Coin World
Monday, Jul 28, 2025 8:10 am ET

Summary

- SuperRare’s RareStakingV1 contract was exploited for $730,000 due to a critical vulnerability in its Merkle Root permission checks, enabling unauthorized token drainage.

- Attackers executed a two-phase front-running exploit, bypassing verification to claim staking rewards; the attacker's funding was traced back to earlier Tornado Cash transactions, while the stolen tokens themselves remain unmoved.

- Despite the breach, core $RARE token functions remained intact, though SuperRare faces scrutiny for delayed transparency and governance gaps in smart contract security.

- The incident highlights DeFi/NFT risks amid a $1B NFT market rebound, as Ethereum’s price surge fueled renewed interest in high-value ETH-denominated collections.

SuperRare’s RareStakingV1 contract suffered a $730,000 exploit due to a critical vulnerability in its permission check mechanism, allowing unauthorized actors to manipulate the Merkle Root and drain 11.9 million RARE tokens. The flaw, identified in the updateMerkleRoot function, left the staking system open to front-running attacks, where a third party executed the exploit ahead of the original attacker’s contract [1]. Despite the breach, the core $RARE token and its functionalities remained unaffected, as the exploit targeted only the staking infrastructure [2].

The vulnerability enabled any address to bypass verification checks and claim staking rewards, according to reports from security firms Blockaid and SlowMist [3]. The attack unfolded in two phases: an initial exploit contract deployment, followed by a front-runner executing the theft in the subsequent block. Cyvers confirmed the front-running event and traced the attacker’s funds to Tornado Cash transactions dating 186 days prior [4]. Notably, the stolen tokens—valued at $730,000—remain in the attacker’s contract, with no evidence of movement or laundering via exchanges [5].
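The two facts above (the Merkle root can be replaced, and claims are verified against whatever root is current) are why the authorization check on the root setter is the whole security boundary of a Merkle-gated reward distributor. The following is an added, constructed model written for this article; it is not SuperRare's RareStakingV1 code and does not reproduce its actual bug. It uses sha256 as a stand-in for the EVM's keccak256, a commutative pair hash with duplicate-last-node padding as an assumed tree convention, and made-up account names and amounts. It shows the proof verification a claim goes through, the access check that a reviewer should insist on testing for the root setter, and the double-claim and wrong-amount rejections that the proof binds.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Hash stand-in: sha256 keeps this runnable offline; an EVM contract would use
# keccak256. The tree shape (duplicate last node on odd levels, commutative
# pair hashing) is a constructed convention for this model.
def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(account: str, amount: int) -> bytes:
    """Leaf = H(account || amount): binds the reward amount to the claimant."""
    return h(account.encode() + amount.to_bytes(32, "big"))

def hash_pair(a: bytes, b: bytes) -> bytes:
    """Order-independent pairing, so a proof carries no left/right flags."""
    return h(a + b) if a <= b else h(b + a)

def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([hash_pair(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_root(leaves: List[bytes]) -> bytes:
    return build_levels(leaves)[-1][0]

def merkle_proof(leaves: List[bytes], index: int) -> List[bytes]:
    proof = []
    for level in build_levels(leaves)[:-1]:
        padded = level + ([level[-1]] if len(level) % 2 else [])
        proof.append(padded[index ^ 1])
        index //= 2
    return proof

def verify_proof(root: bytes, leaf_hash: bytes, proof: List[bytes]) -> bool:
    node = leaf_hash
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root

class StakingRewardsModel:
    """Toy Merkle-gated reward distributor (constructed; not RareStakingV1)."""

    def __init__(self, owner: str, updater: str, pool: int):
        self.owner = owner
        self.authorized_updaters: Set[str] = {owner, updater}
        self.root: bytes = b""
        self.pool = pool
        self.balances: Dict[str, int] = {}
        self.claimed: Set[Tuple[str, bytes]] = set()

    def update_merkle_root(self, caller: str, new_root: bytes) -> None:
        # The security-critical check: only pre-approved addresses may replace
        # the root. If this gate is wrong, a caller can publish a root for a
        # tree they built themselves and every later proof check is moot.
        if caller not in self.authorized_updaters:
            raise PermissionError("caller is not authorized to update the merkle root")
        self.root = new_root

    def claim(self, caller: str, amount: int, proof: List[bytes]) -> int:
        if (caller, self.root) in self.claimed:
            raise ValueError("reward already claimed for this root")
        if not verify_proof(self.root, leaf(caller, amount), proof):
            raise ValueError("invalid merkle proof")
        if amount > self.pool:
            raise ValueError("pool exhausted")
        self.claimed.add((caller, self.root))
        self.pool -= amount
        self.balances[caller] = self.balances.get(caller, 0) + amount
        return self.balances[caller]

def setter_rejects(contract: StakingRewardsModel, caller: str, new_root: bytes) -> bool:
    """Unit-test helper: True only if the caller cannot replace the root."""
    before = contract.root
    try:
        contract.update_merkle_root(caller, new_root)
    except PermissionError:
        return contract.root == before
    return False

def claim_rejected(contract: StakingRewardsModel, caller: str, amount: int, proof: List[bytes]) -> bool:
    try:
        contract.claim(caller, amount, proof)
    except ValueError:
        return True
    return False

# Constructed sample allocation for one reward epoch.
ALLOCATIONS = [("alice", 100), ("bob", 250), ("carol", 75)]
LEAVES = [leaf(a, n) for a, n in ALLOCATIONS]

def demo() -> StakingRewardsModel:
    c = StakingRewardsModel(owner="deployer", updater="rewards-bot", pool=1_000)
    c.update_merkle_root("rewards-bot", merkle_root(LEAVES))  # authorized path
    c.claim("alice", 100, merkle_proof(LEAVES, 0))           # valid proof
    return c

if __name__ == "__main__":
    c = demo()
    print("alice balance:", c.balances["alice"], "pool left:", c.pool)
    print("unauthorized root update rejected:", setter_rejects(c, "mallory", b"\x00" * 32))
```

The point of `setter_rejects` is that the access check on the root setter deserves its own negative test in the contract's suite (unauthorized caller is refused and state is unchanged), separately from the positive test that an authorized updater succeeds; a test suite that exercises only the happy path cannot tell an inverted or missing permission check from a correct one.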

SuperRare has yet to release a detailed post-mortem or remediation plan, raising questions about transparency and governance in its smart contract development process. The incident occurred amid a broader NFT market rebound, with the sector adding $1 billion in value within 24 hours and trading volumes surging 287% to $37.4 million [6]. Ethereum’s price rally, which reached $3,814, further fueled buyer interest in ETH-denominated NFTs, as blue-chip collections like CryptoPunks and Pudgy Penguins saw significant price gains [7].

The exploit highlights persistent risks in decentralized finance (DeFi) and NFT ecosystems, where smart contract vulnerabilities often lead to rapid capital losses. The attacker’s address, linked to multiple DeFi platforms including Pendle and Uniswap, suggests a sophisticated actor leveraging cross-protocol interactions [8]. Analysts emphasize that such incidents underscore the need for rigorous security audits and decentralized governance mechanisms to mitigate future breaches.

As the NFT market continues its recovery, SuperRare’s vulnerability serves as a cautionary tale for projects prioritizing scalability over robust security protocols. The absence of a timely response from the platform has also drawn scrutiny, with stakeholders urging clearer communication strategies during crises.

Sources:

[1] [title1] [url1]
[2] [title2] [url2]
[3] [title3] [url3]
[4] [title4] [url4]
[5] [title5] [url5]
[6] [title6] [url6]
[7] [title7] [url7]
[8] [title8] [url8]
