SuperRare Staking Contract Exploited Due to Permission-Checking Flaw: $731K Stolen in RARE Tokens

Generated by AI Agent, Coin World
Monday, Jul 28, 2025 8:10 am ET

Summary

- SuperRare’s RareStakingV1 contract was exploited through a permission-checking flaw that allowed unauthorized modification of the Merkle root, and $731,000 in RARE tokens was stolen.

- The attack unfolded in two phases; the attacker’s initial funding was traced to Tornado Cash, and the stolen funds were still locked in the attacker’s contract as of July 28, 2025.

- The breach highlights risks in complex smart contracts despite NFT market recovery, as SuperRare’s core token remained unaffected and no official mitigation plan was released.

SuperRare’s RareStakingV1 contract was exploited due to a critical vulnerability in its permission-checking mechanism, resulting in a $731,000 theft of RARE tokens. The exploit, identified by security firms Blockaid, MistEye, and Cyvers, stemmed from a flaw in the “updateMerkleRoot” function, which allowed unauthorized modification of the Merkle Root—a critical component verifying staking and reward claims. Attackers exploited this to drain 11.9 million RARE tokens, though the core $RARE token contract and its functionalities remained unaffected [1].

The vulnerability enabled any address to bypass verification and claim tokens. The attack unfolded in two phases: an initial exploit contract deployment was front-run by another address in the following block, successfully extracting the funds [2]. Research traced the attacker’s initial funding to Tornado Cash 186 days prior, with the stolen funds still locked in the attacker’s contract as of July 28, 2025. Notably, the address has interacted with multiple DeFi platforms, suggesting a sophisticated, opportunistic actor [3].

SuperRare’s staking initiative, launched in August 2023, aimed to enhance NFT curation by incentivizing users to stake RARE tokens on artists. The breach, however, highlights ongoing risks in complex smart contract systems, even as the NFT market rebounds. The sector recently added over $1 billion in value within 24 hours, driven by Ethereum’s 55% price surge and renewed buyer interest in blue-chip collections like CryptoPunks and Pudgy Penguins [4].

While the exploit underscores vulnerabilities in governance and reward mechanisms, the $RARE token’s resilience—remaining unscathed—suggests the breach was isolated to the staking contract. SuperRare has yet to release a post-mortem or detailed mitigation plan, leaving the community to rely on third-party analyses from security experts.

The incident occurs amid a broader NFT recovery, with trading volumes surging 287% to $37.4 million. Ethereum’s bullish momentum, tied to its role as a pricing asset for NFTs, has further fueled this growth. However, the exploit serves as a cautionary reminder of the need for rigorous audits and rapid response protocols in decentralized systems.

As of July 28, 2025, the stolen funds remain unmoved, offering a rare opportunity for recovery if the attacker’s address is identified. The attack’s methodology—exploiting a simple permission check—also highlights the importance of modular smart contract design, where critical functions are isolated to minimize systemic risks.
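To make the permission-check point concrete, here is an added illustration (not RareStakingV1’s code, which this article does not reproduce) of a Merkle-root reward distributor in Solidity, written against OpenZeppelin’s MerkleProof and SafeERC20; the contract name, storage layout and leaf encoding are assumptions. It shows the positive, explicit check a root-rotating function needs, keeps the root-update and claim paths separate as the article recommends, and logs every root change so an off-chain monitor can alert on an unexpected caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration, not the RareStakingV1 source.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

contract MerkleRewardDistributor {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public owner;
    bytes32 public merkleRoot;
    mapping(address => uint256) public claimed; // cumulative amount already paid out

    event MerkleRootUpdated(bytes32 indexed oldRoot, bytes32 indexed newRoot, address indexed by);

    // The check is positive and explicit: the caller must equal the owner.
    // A flaw of the kind the article describes is one where this condition
    // admits callers other than the intended admin, so the root becomes
    // writable by anyone and every claim keyed off it becomes forgeable.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(IERC20 token_, bytes32 initialRoot) {
        token = token_;
        owner = msg.sender;
        merkleRoot = initialRoot;
    }

    // Only the owner may rotate the root; the event gives monitors a hook
    // to alert on any root change whose `by` is not the expected admin.
    function updateMerkleRoot(bytes32 newRoot) external onlyOwner {
        emit MerkleRootUpdated(merkleRoot, newRoot, msg.sender);
        merkleRoot = newRoot;
    }

    // Claims verify only against the current root; the leaf commits to the
    // claimant and their cumulative entitlement (OpenZeppelin double-hash form).
    function claim(uint256 cumulativeAmount, bytes32[] calldata proof) external {
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(msg.sender, cumulativeAmount))));
        require(MerkleProof.verify(proof, merkleRoot, leaf), "bad proof");
        uint256 owed = cumulativeAmount - claimed[msg.sender]; // checked arithmetic reverts on underflow
        require(owed > 0, "nothing to claim");
        claimed[msg.sender] = cumulativeAmount;
        token.safeTransfer(msg.sender, owed);
    }
}
```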

Sources:

[1] [Breaking: SuperRare Staking Contract Hit by $730K Exploit—$RARE Token Unscathed](https://cryptonews.com/news/breaking-superrare-staking-contract-hit-by-730k-exploit-rare-token-unscathed/)

[2] [Blockaid Twitter Alert](https://twitter.com/blockaid_/status/135****739128919040)

[3] [SlowMist Twitter Alert](https://twitter.com/SlowMist_Team/status/135****739128919041)

[4] [Cryptonews NFT Market Update](https://twitter.com/cryptonews/status/135****739128919042)
