The NFT marketplace SuperRare’s RareStakingV1 contract was exploited, allowing attackers to drain 11.9M RARE tokens.
Importantly, the vulnerability did not compromise the underlying $RARE token contract or its core functionalities. SuperRare’s exploited RareStakingV1 contract was part of the platform’s staking and curation initiative launched in August 2023.
The Rare Protocol was introduced as a solution to a persistent problem in the NFT space: quality curation and creator discovery. Through its Curation Staking mechanism, participants use the native $RARE token to stake on artists, join their Community Pools, and receive rewards when those artists make sales.
SuperRare Staking Contract Exploit Origin: Faulty Permission Check in updateMerkleRoot
According to the alert from Web3 security firm Blockaid and threat intelligence platform MistEye, the exploit stemmed from a flawed permission check in the “updateMerkleRoot” function within the RareStakingV1 contract.
The function was designed to restrict updates to the Merkle Root, which verifies staking and rewards claims. However, the code failed to enforce this, letting anyone modify the Merkle Root and claim tokens.
As a result, any address could pass verification and make unauthorized claims.
Blockaid reported that the exploit unfolded in two steps: first, the attacker deployed an exploit contract. Before the attacker could execute their exploit, another address observed the pending transaction and front-ran it in the following block, successfully draining the funds. Cyvers confirmed this front-running event and traced the original attacker’s funding to Tornado Cash about 186 days earlier.
However, further research revealed that the attacker might be “an active DeFi farmer,” as the address has interacted with several platforms, including Pendle, Uniswap, Odos, Reservoir, and Morpho.
Notably, the funds, valued at approximately $731,000, remain in the attacker’s contract and have not been moved or laundered through exchanges or mixing services.
As of now, SuperRare has not released a post-mortem or detailed remediation plan.
First Exploit After NFT Market Roars Back with $1B Revival
This exploit comes as the NFT sector begins to show signs of resurgence. After a long market slump, the NFT space added over $1 billion in value in just 24 hours, with trading volumes soaring 287% to $37.4 million.
This resurgence is closely tied to Ethereum’s ongoing rally, with ETH gaining 55% over the past month and momentarily hitting $3,814, its highest price since December 2024. Because many NFTs are priced in ETH, its bullish momentum has revitalized buyer interest and driven up floor prices across top collections.
CryptoPunks and Pudgy Penguins have emerged as frontrunners in this recovery. CryptoPunks saw a 16% rise in floor price to 47.5 ETH (approximately $179,000), generating $14 million in sales over 24 hours. Pudgy Penguins followed closely, pulling in $5.7 million in daily trading volume and a 15% increase in floor price.
The post Breaking: SuperRare Staking Contract Hit by $730K Exploit—$RARE Token Unscathed appeared first on Cryptonews.
