SuperRare Hit by Smart Contract Exploit, $730K in RARE Tokens Stolen

DeFi vulnerability exposes governance token risk as NFT art platform works to restore confidence.

$730,000 Drained from Staking Contract

SuperRare, a well-known platform for NFT art, has suffered a significant security breach after a smart contract vulnerability was exploited, leading to the theft of approximately $730,000 worth of RARE tokens, the platform’s native cryptocurrency.

The exploit specifically targeted an outdated staking contract and did not affect SuperRare’s main platform infrastructure. However, the incident has once again raised concerns about the security of decentralized finance (DeFi) protocols and the robustness of smart contract governance mechanisms.

Coding Flaw in Smart Contract Opens Door to Exploit

The breach was traced to a vulnerability in the updateMerkleRoot function of an old SuperRare staking smart contract. A flaw in the contract’s authorization logic allowed the attacker to manipulate the Merkle root, enabling unauthorized claims of tokens.

Using this exploit, the attacker transferred 11.9 million RARE tokens—worth roughly $730,000—into a personal wallet in a single transaction.
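Why the root update has to be access-controlled can be seen in a small model. The following Python sketch is an added example, not SuperRare's contract code (the article does not reproduce the source or the exact faulty check); the StakingVault class, the attempt and demo helpers, the account names and the amounts are all assumptions made for illustration.

```python
import hashlib

def leaf(account: str, amount: int) -> bytes:
    return hashlib.sha256(f"{account}:{amount}".encode()).digest()

def parent(a: bytes, b: bytes) -> bytes:
    return hashlib.sha256(min(a, b) + max(a, b)).digest()  # sorted-pair hashing

def verify(proof: list, root: bytes, node: bytes) -> bool:
    for sibling in proof:
        node = parent(node, sibling)
    return node == root

class StakingVault:
    def __init__(self, owner: str, root: bytes, balance: int):
        self.owner, self.root, self.balance = owner, root, balance
        self.claimed = set()

    def update_merkle_root(self, caller: str, new_root: bytes) -> None:
        # The root decides who may withdraw what, so writing it is as
        # privileged as moving the funds: reject every caller but the owner.
        if caller != self.owner:
            raise PermissionError("caller may not update the Merkle root")
        self.root = new_root

    def claim(self, caller: str, amount: int, proof: list) -> int:
        node = leaf(caller, amount)
        if node in self.claimed or not verify(proof, self.root, node):
            raise ValueError("invalid or repeated claim")
        self.claimed.add(node)
        self.balance -= amount
        return amount

def attempt(fn, *args):
    try:
        return fn(*args)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__

def demo() -> dict:
    # Constructed sample data: two listed stakers and one unlisted account.
    a, b = leaf("alice", 600), leaf("bob", 400)
    vault = StakingVault("owner", parent(a, b), 1000)
    return {
        "unauthorized_update": attempt(vault.update_merkle_root, "mallory", leaf("mallory", 1000)),
        "unlisted_claim": attempt(vault.claim, "mallory", 1000, []),
        "listed_claim": attempt(vault.claim, "alice", 600, [b]),
        "balance": vault.balance,
    }
```

With the owner check in place the unlisted account's root update and claim are both rejected, while the listed staker's proof still verifies against the unchanged root.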

According to on-chain analytics firm Cyvers Alerts, the hacker had funded their wallet using Tornado Cash 186 days prior to the attack, a common tactic used to obscure the origin of funds and evade detection. After lying dormant for months, the attacker launched a front-running contract just one block before executing the exploit, indicating a high level of preparation and technical knowledge.

Main Platform and NFTs Remain Secure

In a statement following the breach, SuperRare confirmed that the incident was isolated to a single staking vault and that no NFTs or trading infrastructure were affected. The platform assured users that all marketplace functions, auctions, and digital artworks remain secure.

Notably, the stolen RARE tokens have not yet been transferred or laundered and continue to sit in the attacker’s wallet. The platform responded swiftly by freezing affected accounts, launching a full investigation, and partnering with cybersecurity experts to assess the damage.

SuperRare also brought in third-party auditors to conduct a broader review of its codebase to prevent similar incidents in the future. As of now, no formal compensation plan or recovery proposal—such as token redistribution or a network fork—has been announced.

Market Reacts with Caution

The exploit sent shockwaves through the token’s trading activity. RARE’s price dipped by 12% shortly after the news broke, reflecting investor uncertainty. Although the token later stabilized around $0.06, the incident has renewed concerns about the vulnerabilities tied to governance tokens and staking mechanisms in the DeFi ecosystem.

Given the limited liquidity of RARE, any attempts to offload the stolen tokens could significantly impact market prices, further complicating recovery efforts.

Challenges Ahead for SuperRare

Once regarded as a premier NFT marketplace, SuperRare has seen a decline in platform activity in recent months. Despite having a lifetime trading volume exceeding $950 million, the platform currently reports fewer than 10 daily users and a daily trading volume of just $16,000, signaling reduced engagement from collectors and creators alike.

As SuperRare navigates the fallout from the exploit, its response and ability to rebuild user trust will be closely watched across the NFT and DeFi communities.

The incident adds to a growing list of smart contract vulnerabilities that continue to pose serious threats to the decentralized finance ecosystem—especially as hackers increasingly target smaller, governance-based projects.
