On July 28, 2025, the SuperRare platform was hacked: attackers stole an estimated $730,000 worth of RARE tokens from one of the staking platform's smart contracts.

🛠️ How did the hack happen?

The attacker targeted a contract named RareStakingV1, which is part of the Staking system launched by SuperRare in August 2023 to contribute to artist selection and reward users with RARE tokens.

A bug was found in the contract's updateMerkleRoot function: the permission check was flawed, allowing any address to redefine the Merkle root and then use it to withdraw tokens.
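One way a permission check on a root-update function can end up accepting every caller, next to a corrected form. This is an added example, not the RareStakingV1 source: the contract names, the `rootUpdater` role and the exact shape of the flawed condition are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: contract names, the rootUpdater role and the exact form
// of the flawed check are assumptions, not the RareStakingV1 source.
contract FlawedRootUpdate {
    address public immutable owner;
    address public immutable rootUpdater; // hypothetical second authorized role
    bytes32 public merkleRoot;

    constructor(address updater) {
        owner = msg.sender;
        rootUpdater = updater;
    }

    function updateMerkleRoot(bytes32 newRoot) external {
        // BUG: when owner and rootUpdater differ, no caller can equal both,
        // so "A != x || A != y" holds for every address and never reverts.
        require(msg.sender != owner || msg.sender != rootUpdater, "Not authorized");
        merkleRoot = newRoot;
    }
}

contract HardenedRootUpdate {
    address public immutable owner;
    address public immutable rootUpdater; // hypothetical second authorized role
    bytes32 public merkleRoot;

    error NotAuthorized(address caller);
    event MerkleRootUpdated(bytes32 indexed oldRoot, bytes32 indexed newRoot, address indexed by);

    constructor(address updater) {
        owner = msg.sender;
        rootUpdater = updater;
    }

    // Allow-list form: revert unless the caller is one of the two roles.
    modifier onlyRootAuthority() {
        if (msg.sender != owner && msg.sender != rootUpdater) revert NotAuthorized(msg.sender);
        _;
    }

    function updateMerkleRoot(bytes32 newRoot) external onlyRootAuthority {
        // Emit on every change so monitoring can alert on unexpected updates.
        emit MerkleRootUpdated(merkleRoot, newRoot, msg.sender);
        merkleRoot = newRoot;
    }
}
```

A unit test that calls `updateMerkleRoot` from an address holding neither role and expects a revert distinguishes the two forms before deployment.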

---

🧠 The surprise: The original hacker did not get the money!

In an unexpected turn, another attacker front-ran the exploit:

The first attacker wrote a contract that exploited the vulnerability, but a second attacker submitted a copy of the same transaction with higher gas fees, so it was confirmed on the blockchain first.

This race between the hackers led to the money reaching the second address, not the one that belonged to whoever wrote the contract first.

---

💰 Technical results

| Element | Details |
| --- | --- |
| Amount of tokens | 11.9 million RARE tokens |
| Value in dollars | Approximately $730,000 at the time of the hack |
| What was affected | Only the staking contract was hacked; the token contract (RARE token contract) was not affected. |
| Funds status | The tokens have not been transferred or mixed using Tornado Cash after the operation, and the attacker's address still holds them. |

---

🔎 What do we take away from this hack?

1. The importance of thorough verification of smart contract permissions

A small mistake in update permissions is enough to open major vulnerabilities.

2. The risk of front-running attacks within the blockchain

Monitoring authenticated users is not the whole picture: even the hackers themselves risk being preempted in execution.

3. Transparency and lack of privacy in the blockchain

Contracts and activity are public, and funding can be tracked even through mixers like Tornado Cash. In this incident, the funding was present for about 186 days before the attack.

---

🧩 The current situation and implications

SuperRare has not yet issued a detailed official statement regarding corrective actions or potential compensations.

The set of affected smart contracts is limited: the NFT market itself was not hacked, and no artworks were stolen.

The market prices of RARE tokens may experience fluctuations or selling pressure, but the original token contract is unaffected.

---

✅ Summary

On July 28, 2025, $730,000 worth of RARE tokens were stolen through a vulnerability in the Staking Smart Contract.

The attack turned into a contest between the original hacker and a second one, who took the funds via front-running.

The core token was not harmed, but trust in the Staking system was damaged.

The most important lesson: Thorough verification of user permissions in smart contracts is essential, and the risk of front-running exists even among the hackers themselves.
