
SuperRare Staking Contract Hit by Exploit; RARE Token Safe


SuperRare’s staking contract suffered a $730,000 exploit, with a hacker draining funds after compromising an old private key. The attack, which affected the digital art marketplace’s staking mechanism, did not impact the $RARE token or the platform’s core smart contracts.

The RareStakingV1 contract of the NFT marketplace SuperRare was exploited, allowing attackers to drain 11.9M RARE tokens.

The vulnerability did not affect the core functionality of the $RARE token contract. The exploited RareStakingV1 contract is part of SuperRare's staking and curation initiative, which launched in August 2023.

The Rare Protocol was introduced to address a persistent problem in the NFT space: quality curation and creator discovery. Through its Curation Staking mechanism, participants use the native $RARE token to stake on artists, join their Community Pools, and receive rewards when those artists make sales.

SuperRare Staking Contract Exploit Origin: Faulty Permission Check in updateMerkleRoot

The exploit resulted from a defective permission check in the “updateMerkleRoot” function of the RareStakingV1 contract, as indicated by the alert from Web3 security firm Blockaid and threat intelligence platform MistEye.

The function was intended to restrict who could update the Merkle Root, which certifies staking and rewards claims. The code did not enforce this restriction, however, so anyone could modify the Merkle Root and claim tokens.

Consequently, any address could pass verification and submit unauthorized claims.
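The model below is an added example, not SuperRare's contract code: it shows why the root update is the trust anchor for every claim and what a regression check for the permission logic looks like. The class, the account names and the specific defective condition are constructed assumptions, since the reports quoted here do not show the actual code.

```python
import hashlib

def leaf(addr: str, amount: int) -> bytes:
    return hashlib.sha256(f"{addr}:{amount}".encode()).digest()

def pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing, so a proof is just a list of sibling hashes.
    return hashlib.sha256(min(a, b) + max(a, b)).digest()

def verify(root: bytes, node: bytes, proof: list) -> bool:
    # Fold the leaf up the tree; the claim is valid only if it reaches the root.
    for sibling in proof:
        node = pair(node, sibling)
    return node == root

class StakingModel:
    """Toy model of a Merkle-root-gated claim contract (hypothetical names)."""

    def __init__(self, owner, updater, root, hardened):
        self.owner, self.updater = owner, updater
        self.root, self.hardened = root, hardened
        self.claimed = set()

    def _may_update(self, caller: str) -> bool:
        if self.hardened:
            # Allow-list: the caller must BE one of the privileged accounts.
            return caller in (self.owner, self.updater)
        # Constructed defect: negated comparisons joined with "or". No caller
        # equals both accounts at once, so this is True for every caller.
        return caller != self.owner or caller != self.updater

    def update_merkle_root(self, caller: str, new_root: bytes) -> None:
        if not self._may_update(caller):
            raise PermissionError("caller may not update the Merkle root")
        self.root = new_root

    def claim(self, caller: str, amount: int, proof: list) -> int:
        if caller in self.claimed or not verify(self.root, leaf(caller, amount), proof):
            raise ValueError("invalid or repeated claim")
        self.claimed.add(caller)
        return amount

def outsider_can_replace_root(model: StakingModel, outsider: str) -> bool:
    # Regression check: True means the permission check is broken.
    before = model.root
    try:
        model.update_merkle_root(outsider, b"\x00" * 32)  # constructed root
    except PermissionError:
        pass
    return model.root != before
```

A check of this kind belongs in the contract's test suite for every privileged function, run with a caller that holds no role.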

Blockaid reported that the exploit occurred in two stages. First, the perpetrator deployed an exploit contract. Before the attacker could execute the exploit, another address observed the pending transaction and front-ran it in the subsequent block, successfully draining the funds. Cyvers confirmed that this was a front-run and traced the original attacker's funding to Tornado Cash approximately 186 days prior.

Nevertheless, additional investigation indicated that the perpetrator may be an “active DeFi farmer,” as the address has interacted with various platforms, such as Pendle, Uniswap, Odos, Reservoir, and Morpho.

The funds, estimated to be worth $731,000, are still in the attacker's contract and have not been transferred or laundered through exchanges or mixing services.

Currently, SuperRare has not revealed a comprehensive remediation plan or post-mortem.

First Exploit Following the $1B Revival of the NFT Market

This exploit comes as the NFT sector begins to show signs of a resurgence. Trading volumes increased by 287% to $37.4 million, and the NFT space added more than $1 billion in value in just 24 hours, following a prolonged market downturn.

The resurgence is closely tied to Ethereum's ongoing rally: ETH has gained 55% in the past month and recently reached a high of $3,814, a level last seen in December 2024. Because many NFTs are priced in ETH, its bullish trajectory has revived buyer interest and driven up floor prices across top collections.

CryptoPunks and Pudgy Penguins have emerged as the frontrunners in this recovery. The floor price of CryptoPunks increased by 16% to 47.5 ETH (approximately $179,000), resulting in a $14 million increase in sales within 24 hours. Pudgy Penguins followed closely, generating $5.7 million in daily trading volume and a 15% increase in floor price.
