Incident Overview
SuperRare’s RareStakingV1 contract was exploited, resulting in the unauthorized withdrawal of 11.9 million RARE tokens. The core $RARE token contract was not affected: the flaw sat in the staking contract’s own logic, not in the token. RareStakingV1 is part of SuperRare’s staking and artist-curation programme, introduced in August 2023 to improve curation quality and help artists gain visibility in a crowded NFT market.
Vulnerability Details
According to analysts at Blockaid and the threat-intelligence service MistEye, the vulnerability was a faulty access-control check in the contract’s “updateMerkleRoot” function. That function sets the Merkle root against which staking and reward claims are verified: a claimant submits a leaf (its address and amount) together with a proof, and the contract pays out only if the proof hashes up to the stored root. The check that should have restricted root updates to an authorized caller was implemented incorrectly, so any address could replace the root with one of its own construction and then present a valid proof for an arbitrary claim. Whoever controls the root therefore controls the funds, regardless of whether the claim and proof logic itself is sound.
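The following Python model is an added, constructed illustration of the mechanism described above; it is not SuperRare’s code, which this page does not reproduce. It builds a Merkle tree over a constructed staker allocation, verifies claims the way an OpenZeppelin-style MerkleProof check would (sorted-pair hashing), and models the staking contract with a switchable “updateMerkleRoot” check. The inverted comparison is one plausible shape of a broken permission check and is used only to model the bug class (the wrong set of callers admitted), not the contract’s actual source; sha256 stands in for keccak256, and all addresses, amounts and decoy leaves are made up. The 11.9 million pool figure is the only number taken from the article.

```python
"""Model of a Merkle-gated reward contract whose updateMerkleRoot check is broken.
Constructed illustration, not SuperRare's code: sha256 stands in for keccak256,
addresses are placeholder strings, and the inverted comparison models the bug
class (wrong callers admitted), not the contract's actual source."""
import hashlib
from dataclasses import dataclass, field

OWNER, ATTACKER = "0xowner", "0xattacker"          # constructed placeholders
STAKERS = {"0xalice": 1_000_000, "0xbob": 2_500_000, "0xcarol": 400_000}
POOL = 11_900_000                                  # RARE held by the contract


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()           # stand-in for keccak256


def leaf(account: str, amount: int) -> bytes:
    # analogous to keccak256(abi.encodePacked(address, uint256))
    return h(account.encode() + amount.to_bytes(32, "big"))


def pair_hash(a: bytes, b: bytes) -> bytes:
    # sorted-pair hashing (OpenZeppelin MerkleProof convention): proofs carry no side bits
    return h(a + b) if a <= b else h(b + a)


def build_tree(leaves: list) -> tuple:
    """Return (root, proofs); proofs[leaf] is the sibling path from leaf to root."""
    level = list(leaves)
    paths = {lf: [] for lf in level}
    under = {lf: [lf] for lf in level}             # node hash -> leaves beneath it
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])                # odd count: pair last node with itself
        nxt = []
        for a, b in zip(level[0::2], level[1::2]):
            parent = pair_hash(a, b)
            for lf in under[a]:
                paths[lf].append(b)
            if b != a:
                for lf in under[b]:
                    paths[lf].append(a)
            under[parent] = under[a] if a == b else under[a] + under[b]
            nxt.append(parent)
        level = nxt
    return level[0], paths


def verify(root: bytes, lf: bytes, proof: list) -> bool:
    node = lf
    for sib in proof:
        node = pair_hash(node, sib)
    return node == root


@dataclass
class Staking:
    owner: str
    balance: int
    root: bytes
    inverted_check: bool                           # True models the bug class
    claimed: set = field(default_factory=set)

    def update_merkle_root(self, sender: str, new_root: bytes) -> None:
        # Intended: only the owner may rotate the root. Inverted, the owner is
        # rejected and every other caller is accepted.
        authorized = (sender != self.owner) if self.inverted_check else (sender == self.owner)
        if not authorized:
            raise PermissionError("updateMerkleRoot: caller not authorized")
        self.root = new_root

    def claim(self, sender: str, amount: int, proof: list) -> int:
        lf = leaf(sender, amount)
        if lf in self.claimed:
            raise ValueError("already claimed")
        if not verify(self.root, lf, proof):
            raise ValueError("invalid Merkle proof")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.claimed.add(lf)
        self.balance -= amount
        return amount


def deploy(inverted_check: bool) -> tuple:
    """Contract holding POOL tokens with the honest allocation's root published."""
    root, proofs = build_tree([leaf(a, n) for a, n in STAKERS.items()])
    return Staking(OWNER, POOL, root, inverted_check), proofs


def run_attack(inverted_check: bool) -> int:
    """Attacker publishes a root covering only themselves, then claims the pool.
    Returns the amount drained (0 if the access check holds)."""
    c, _ = deploy(inverted_check)
    mine = leaf(ATTACKER, POOL)
    root, proofs = build_tree([mine, leaf("0xdecoy1", 1), leaf("0xdecoy2", 1)])
    try:
        c.update_merkle_root(ATTACKER, root)
    except PermissionError:
        return 0
    return c.claim(ATTACKER, POOL, proofs[mine])


def legit_claim(account: str) -> int:
    """A staker in the honest allocation claims with a valid proof."""
    c, proofs = deploy(inverted_check=False)
    return c.claim(account, STAKERS[account], proofs[leaf(account, STAKERS[account])])
```

With the inverted check, run_attack(True) drains the whole pool even though claim verification is correct; with the comparison fixed, the attacker’s root update is refused and nothing can be claimed outside the honest allocation. The point for reviewers is that a Merkle-gated distribution is only as trustworthy as the access control on the function that sets the root, so that function deserves the same scrutiny, tests and negative test cases as the token-moving code.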
Exploit Execution
The exploit played out in two steps. The original attacker first deployed an exploit contract. Before that attacker’s draining transaction was confirmed, a different address spotted the pending transaction in the mempool and front-ran it, getting its own copy of the attack mined first, in the following block, and draining the funds itself. Cyvers traced the original attacker’s wallet to funding from Tornado Cash roughly 186 days earlier, a pattern consistent with a pre-funded, deliberately anonymized attacker address rather than an opportunistic one.
Current Status
As of this writing, the stolen tokens, worth an estimated $731,000, remain in the attacker’s wallet and have not been moved through exchanges or mixing services. SuperRare has not yet published a detailed post-mortem or a recovery plan.
NFT Market Context
The incident comes as NFTs are seeing a significant revival, with the market recently gaining more than $1 billion in value in a single day. Trading volume rose 287% to $37.4 million. The rebound is largely driven by Ethereum’s price, with ETH up 55% over the past month and briefly reaching $3,814, its highest level since December 2024. Because most NFTs are priced in ETH, the bullish trend in Ethereum is renewing investor interest and lifting floor prices across major collections.
Notable NFT Performance
CryptoPunks, for instance, recorded a 16% rise in floor price to 47.5 ETH (around $179,000) and $14 million in 24-hour sales. Pudgy Penguins also performed strongly, with $5.7 million in trading volume and a 15% rise in floor price. Against that backdrop, the exploit is a stark reminder that a single access-control bug in a peripheral contract can be as costly as a flaw in the token itself.