Jul 2025 - SuperRare updateMerkleRoot Backwards Permission Check Logic - $730k (Global)
SuperRare is a pioneering digital art marketplace and gallery that specializes in one-of-one crypto artworks. Launched in 2018, it offers a curated platform where artists mint, exhibit, and sell NFTs (non-fungible tokens) directly to collectors. Unlike open marketplaces with mass uploads, SuperRare takes a high-end, gallery-style approach, emphasizing quality, originality, and digital scarcity. Each artwork is tokenized on the Ethereum blockchain, ensuring transparent ownership, provenance, and resale royalties for artists.
The platform distinguishes itself by fostering a strong community of collectors and creators through artist onboarding, editorial features, and physical exhibitions. It also integrates social features like profiles, bidding, and commenting to encourage collector-artist interactions. SuperRare recently launched SuperRare Spaces—independently curated storefronts that bring decentralized governance into the platform. These Spaces are selected and managed by community members who propose exhibitions, onboard artists, and earn a portion of sales, aligning with the DAO’s long-term vision.
Governance and development of SuperRare are overseen by RareDAO, a decentralized autonomous organization powered by the $RARE token. Holders of $RARE can participate in protocol decisions, manage treasury funds, and vote on key initiatives, including Space proposals. With notable partners like Sotheby’s and artists such as XCOPY and Beeple commanding multimillion-dollar sales, SuperRare remains at the forefront of the crypto art movement, merging high-end digital art with decentralized technology.
Unfortunately, the SuperRare staking contract (RareStakingV1) on Ethereum contained a critical flaw in its access control logic, specifically in the updateMerkleRoot function. This function was meant to be restricted to trusted parties—such as the contract owner or a specific privileged address—to securely update the Merkle root that determines reward eligibility. However, due to a logic inversion in the permission check, the contract accidentally allowed all addresses except the intended privileged ones to call the function.
A misconfiguration meant that any unauthorized user could submit a new, forged Merkle root and effectively claim staking rewards meant for legitimate users. By exploiting this, an attacker was able to generate a fraudulent distribution tree and drain approximately $730,000 worth of $RARE tokens. The exploit was further complicated by a frontrunning incident: although the attacker deployed an exploit contract, a separate address executed the actual draining transaction one block later, potentially using MEV strategies.
The exploit was the result of a critical flaw in the access control logic of the updateMerkleRoot function. This function, intended to be used only by authorized accounts (like the contract owner or a specific privileged address), contained an inverted permission check. Instead of verifying that only privileged users could call it, the logic was mistakenly written to exclude those privileged users—allowing anyone else to update the Merkle root. This effectively opened the door for any attacker to forge distribution roots and drain funds meant for legitimate stakers.
Using this vulnerability, the attacker submitted a fake Merkle root, allowing them to claim reward tokens they weren’t entitled to. The attacker deployed an exploit contract to facilitate the claim, but notably, the actual draining transaction was frontrun by another address one block later—indicating the presence of a MEV (Miner Extractable Value) bot or a separate opportunistic actor. The stolen funds, totaling 11.9 million $RARE ($730K USD), remain in the attacker's contract and have not yet been swapped or laundered.
Analysis shows the attacker’s address was funded via Tornado Cash approximately 186 days prior, suggesting premeditation and an attempt to anonymize the funding trail. This exploit underscores the importance of proper require statement logic in Solidity smart contracts, especially in access control functions. A simple correction—such as enforcing require(msg.sender == owner() || msg.sender == 0xc2F3...8ddc)—could have prevented this attack entirely. The event highlights how small errors in permission checks can lead to large financial losses in decentralized protocols.
Transactions:
0xf5b6531ead5023568b5063b131068a6dd4d8c9eac66a51666982d99af1a0d520
Attacker:
0x5B9B4B4DaFbCfCEEa7aFbA56958fcBB37d82D4a2
Victim Contract (SuperRare RareStaking V1):
0xfFB512B9176D527C5D32189c3e310Ed4aB2Bb9eC
CertiK reports the loss as "11.9M RARE tokens (~$730K)". PeckShield and Blockaid also report $730k.
Cyvers has a screenshot showing the loss total as $731,809.68.
SupLabsYi reports a lower loss amount of $710k.
Multiple third parties have reported on the exploit transaction. The exploit does not appear to have been publicly acknowledged by the SuperRare team.
The incident does not appear to have been acknowledged by the SuperRare team on their website or social media.
There is no indication that any recovery is underway.
It is unclear what kind of investigation and recovery may be underway.
Further Analysis
SuperRare, a high-end digital art marketplace known for its curated one-of-one crypto artworks and artist-centric community, recently suffered a critical exploit in its RareStakingV1 smart contract. A flaw in the access control logic of the updateMerkleRoot function allowed unauthorized users—excluding only the intended privileged addresses—to update staking reward eligibility. This oversight enabled an attacker to submit a forged Merkle root and claim roughly 11.9 million $RARE tokens (~$730K). A frontrunning incident followed, likely involving MEV strategies. The attacker’s address had been funded via Tornado Cash months prior, suggesting premeditation. Despite widespread third-party reporting, SuperRare has not publicly acknowledged the breach, and no recovery efforts have been disclosed. The incident underscores how a minor code logic error in decentralized protocols can lead to substantial financial loss.
How Could This Have Been Prevented?
More Cryptocurrency Exchange Hacks/Scams/Frauds
Credix Compromised Admin Key Insider Exploit Rug Pull > > < < imToken Third Party Selling Pre-Initialized Secure Cold Wallet
Sources/Further Reading
SlowMist - "MistEye detected that @SuperRare has been exploited. The root cause for this exploit was an incorrect permission check in the updateMerkleRoot function, allowing anyone to modify the Merkle Root and claim tokens." - Twitter/X (Dec 31)
Exploiter Address - Etherscan (Dec 31)
Agent Lisa (AI) - "A severe vulnerability has been detected in the updateMerkleRoot function of certain smart contracts, allowing anyone to modify the Merkle root. This flaw can lead to fraudulent claims and the drainage of contract funds." - Twitter/X (Dec 31)
SolidityScan - "On 28th July, 2025, SuperRare's (@SuperRare) RareStakingV1 contract was hacked, losing ~$730K USD (~11.9M $RARE) due to a flawed access control in updateMerkleRoot() function's require check." - Twitter/X (Dec 31)
BlockscopeCo - "A critical access control flaw in @SuperRare’s contract allowed an exploiter to update the Merkle root without authorization. By submitting a fake root, the exploiter claimed and drained ~$720K in $RARE tokens intended for genuine recipients." - Twitter/X (Dec 31)
MetaTrustAlert - "@SuperRare on #Ethereum was attacked with a loss of $730k due to the incorrect access control in `updateMerkleRoot` allows unauthorized users to update the merkle root." - Twitter/X (Dec 31)
CertiKAlert - "The attacker updated the MerkleRoot then claimed 11.9M RARE tokens (~$730K)." - Twitter/X (Dec 31)
CyversAlerts - "The attacker’s address, funded via @TornadoCash approximately 186 days ago, executed the exploit and gained 731K worth of $RARE." - Twitter/X (Dec 31)
Phalcon_xyz - "@SuperRare (Dec 31)
’s staking contract (v1) on #Ethereum was exploited, with the root cause traced to a flawed updateMerkleRoot function—key validation checks were incorrectly inverted. As a result, instead of restricting updates to privileged accounts (e.g., the owner), any account (except those privileged ones) could perform the update..." - Twitter/X (Dec 31)
PeckShieldAlert - "@SuperRare has been exploited, losing ~$730K worth of $RARE" - Twitter/X (Dec 31)
SuplabsYi - "@SuperRare (Dec 31)
was hacked for $710,000. The root cause of this SuperRare staking exploit? A brain-dead permission check that only lets non-owners and non-specific accounts update the Merkle Root. Seriously, who wrote this? Should’ve been a tight require(msg.sender == owner() msg.sender == 0xc2F3...8ddc), but nope—wide open for anyone to drain the pool with a forged Merkle Root." - Twitter/X (Dec 31)
BlockAid - "The attacker had deployed an exploit contract - but the actual attack was performed by a frontrunner one block later." - Twitter/X (Dec 31)
SuperRare Twitter/X Account (Dec 31)
SuperRare Official Homepage (Dec 31)
SuperRare DAO Overview (Dec 31)
About $RARE and Governance (Dec 31)
Artist Onboarding & Curation (Dec 31)
Hacker hits SuperRare NFT platform for $730K in RARE tokens exploit - MiTrade (Dec 31)
SuperRare $730,000 exploit was easily preventable — Experts weigh in - CoinTelegraph (Dec 31)
$731,000 stolen in SuperRare hack - Web3IsGoingGreat (Dec 31)
 t.me/QuadrigaInitiative
|
 /r/QuadrigaInitiative
|
 @QuadrigaInit
|
 info@quadrigainitiative.com
|