🚨 Exclusive: SuperRare Staking Contract Drained in $730K Hack—$RARE Token Emerges Unharmed
Another day, another crypto exploit—but this one comes with a twist. The SuperRare staking contract just got pillaged for $730K, yet its native $RARE token somehow dodged the bullet. Talk about selective theft.
How’d it happen? The usual suspects: a smart contract loophole, rushed code, or maybe just another 'trust us, we’re decentralized' moment. Meanwhile, $RARE holders are breathing sighs of relief—their bags are intact, even if the platform’s credibility took a hit.
Finance jab of the day: If this were TradFi, there’d be lawsuits. In crypto? Just another Tuesday. Onward to the next exploit.
SuperRare Staking Contract Exploit Origin: Faulty Permission Check in updateMerkleRoot
According to the alert from Web3 security firm Blockaid and threat intelligence platform MistEye, the exploit stemmed from a flawed permission check in the “updateMerkleRoot” function within the RareStakingV1 contract.
Our real-time exploit detection systems had identified malicious transactions targeting one of the staking contracts used by @SuperRare
The attacker had deployed an exploit contract – but the actual attack was performed by a frontrunner one block later.
The function was designed to restrict updates to the Merkle Root, which verifies staking and rewards claims. However, the code failed to enforce this, letting anyone modify the Merkle Root and claim tokens.
SlowMist TI Alert
MistEye detected that @SuperRare has been exploited. The root cause for this exploit was an incorrect permission check in the updateMerkleRoot function, allowing anyone to modify the Merkle Root and claim tokens.
As always, stay vigilant!…
As a result, any address could pass verification and make unauthorized claims.
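To make the point about the Merkle Root concrete, here is an added example (not code from SuperRare, Blockaid or SlowMist, and not the RareStakingV1 source) that models a Merkle-gated claim pool in Python and checks that an access-controlled root update keeps a non-owner from changing who can claim. The class `StakingModel`, the `enforce_auth` switch, the SHA-256 stand-in for keccak256 and the sample stakers are all assumptions constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # stand-in for on-chain keccak256

def leaf(account: str, amount: int) -> bytes:
    return h(account.encode() + amount.to_bytes(32, "big"))

def verify(proof: list, root: bytes, node: bytes) -> bool:
    for sibling in proof:  # sorted-pair hashing, a common Merkle claim layout
        node = h(min(node, sibling) + max(node, sibling))
    return node == root

class StakingModel:
    """Toy model of a Merkle-gated claim contract; not RareStakingV1's code."""
    def __init__(self, owner: str, root: bytes, balance: int, enforce_auth: bool):
        self.owner, self.root, self.balance = owner, root, balance
        self.enforce_auth = enforce_auth  # False models a check that is not enforced
        self.claimed = set()

    def update_merkle_root(self, sender: str, new_root: bytes) -> None:
        if self.enforce_auth and sender != self.owner:
            raise PermissionError("only the owner may update the Merkle root")
        self.root = new_root

    def claim(self, sender: str, amount: int, proof: list) -> int:
        node = leaf(sender, amount)
        if node in self.claimed or amount > self.balance:
            raise ValueError("already claimed or insufficient balance")
        if not verify(proof, self.root, node):
            raise ValueError("proof does not match the current root")
        self.claimed.add(node)
        self.balance -= amount
        return amount

def outsider_attempt(enforce_auth: bool) -> int:
    """Return the pool balance after a non-owner tries to replace the root."""
    a, b = leaf("alice", 100), leaf("bob", 200)  # constructed sample stakers
    pool = StakingModel("owner", h(min(a, b) + max(a, b)), 300, enforce_auth)
    try:
        pool.update_merkle_root("outsider", leaf("outsider", 300))
        pool.claim("outsider", 300, [])  # one-leaf tree: the root equals the leaf
    except (PermissionError, ValueError):
        pass
    if pool.balance >= 100:  # the honest root still serves legitimate claims
        pool.claim("alice", 100, [b])
    return pool.balance
```

Proof verification only shows membership under whatever root is currently stored, so the authorization check on the root setter is the control that protects the pool's balance.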
Blockaid reported that the exploit unfolded in two steps: first, the attacker deployed an exploit contract. Before the attacker could execute their exploit, another address observed the pending transaction and front-ran it in the following block, successfully draining the funds. Cyvers confirmed this front-running event and traced the original attacker’s funding to Tornado Cash about 186 days earlier.
ALERT
Our system has detected a malicious transaction targeting a @SuperRare staking contract.
The attacker’s address, funded via @TornadoCash approximately 186 days ago, executed the exploit and gained 731K worth of $RARE.
The stolen funds currently remain in the attacker’s…
However, further research revealed that the attacker might be “an active DeFi farmer,” as the address has interacted with several platforms, including Pendle, Uniswap, Odos, Reservoir, and Morpho.
Notably, the funds, valued at approximately $731,000, remain in the attacker’s contract and have not been moved or laundered through exchanges or mixing services.
As of now, SuperRare has not released a post-mortem or detailed remediation plan.
First Exploit After NFT Market Roars Back with $1B Revival
This exploit comes as the NFT sector begins to show signs of resurgence. After a long market slump, the NFT space added over $1 billion in value in just 24 hours, with trading volumes soaring 287% to $37.4 million.
NFT market cap surges 94% to $6.6 billion in July as CryptoPunk sells for $5 million with blue-chip collections driving 40% price jump. #NFTs #Trading https://t.co/e7qERHc30M
This resurgence is closely tied to Ethereum’s ongoing rally, with ETH gaining 55% over the past month and momentarily hitting $3,814, its highest price since December 2024. Because many NFTs are priced in ETH, its bullish momentum has revitalized buyer interest and driven up floor prices across top collections.
CryptoPunks and Pudgy Penguins have emerged as frontrunners in this recovery. CryptoPunks saw a 16% rise in floor price to 47.5 ETH (approximately $179,000), generating $14 million in sales over 24 hours. Pudgy Penguins followed closely, pulling in $5.7 million in daily trading volume and a 15% increase in floor price.