The NFT marketplace SuperRare’s RareStakingV1 contract was exploited, allowing attackers to drain 11.9M RARE tokens. Importantly, the vulnerability did not compromise the underlying $RARE token contract or its core functionalities. SuperRare’s exploited RareStakingV1 contract was part of the platform’s staking and curation initiative launched in August 2023. The Rare Protocol was introduced as a solution to a persistent problem in the NFT space: quality curation and creator discovery. Through its Curation Staking mechanism, participants use the native $RARE token to stake on artists, join their Community Pools, and receive rewards when those artists make sales. SuperRare Staking Contract Exploit Origin: Faulty Permission Check in updateMerkleRoot According to the alert from Web3 security firm Blockaid and threat intelligence platform MistEye, the exploit stemmed from a flawed permission check in the “updateMerkleRoot” function within the RareStakingV1 contract. Our real-time exploit detection systems had identified malicious transactions targeting one of the staking contracts used by @SuperRare The attacker had deployed an exploit contract – but the actual attack was performed by a frontrunner one block later. Updates in pic.twitter.com/WzqePDzbhJ — Blockaid (@blockaid_) July 28, 2025 The function was designed to restrict updates to the Merkle Root, which verifies staking and rewards claims. However, the code failed to enforce this, letting anyone modify the Merkle Root and claim tokens. SlowMist TI Alert MistEye detected that @SuperRare has been exploited. The root cause for this exploit was an incorrect permission check in the updateMerkleRoot function, allowing anyone to modify the Merkle Root and claim tokens. As always, stay vigilant!… pic.twitter.com/n5J0o6hqgq — SlowMist (@SlowMist_Team) July 28, 2025 As a result, any address could pass verification and make unauthorized claims. Blockaid reported that the exploit unfolded in two steps: first, the attacker deployed an exploit contract. Before the attacker could execute their exploit, another address observed the pending transaction and front-ran it in the following block, successfully draining the funds. Cyvers confirmed this front-running event and traced the original attacker’s funding to Tornado Cash about 186 days earlier. ALERT Our system has detected a malicious transaction targeting a @SuperRare staking contract. The attacker’s address, funded via @TornadoCash approximately 186 days ago, executed the exploit and gained 731K worth of $RARE . The stolen funds currently remain in the attacker’s… pic.twitter.com/9CZ6IG4b4B — Cyvers Alerts (@CyversAlerts) July 28, 2025 However, further research revealed that the attacker might be “an active DeFi farmer,” as the address has interacted with several platforms, including Pendle, Uniswap, Odos, Reservoir, and Morpho. Notably, the funds, valued at approximately $731,000, remain in the attacker’s contract and have not been moved or laundered through exchanges or mixing services. As of now, SuperRare has not released a post-mortem or detailed remediation plan. First Exploit After NFT Market Roars Back with $1B Revival This exploit comes as the NFT sector begins to show signs of resurgence. After a long market slump, the NFT space added over $1 billion in value in just 24 hours, with trading volumes soaring 287% to $37.4 million. NFT market cap surges 94% to $6.6 billion in July as CryptoPunk sells for $5 million with blue-chip collections driving 40% price jump. #NFTs #Trading https://t.co/e7qERHc30M — Cryptonews.com (@cryptonews) July 25, 2025 This resurgence is closely tied to Ethereum’s ongoing rally, with ETH gaining 55% over the past month and momentarily hitting $3,814, its highest price since December 2024. Because many NFTs are priced in ETH, its bullish momentum has revitalized buyer interest and driven up floor prices across top collections. CryptoPunks and Pudgy Penguins have emerged as frontrunners in this recovery. CryptoPunks saw a 16% rise in floor price to 47.5 ETH (approximately $179,000), generating $14 million in sales over 24 hours. Pudgy Penguins followed closely, pulling in $5.7 million in daily trading volume and a 15% increase in floor price. The post Breaking: SuperRare Staking Contract Hit by $730K Exploit—$RARE Token Unscathed appeared first on Cryptonews .
