$730 000 USD

JULY 2025

GLOBAL

SUPERRARE

DESCRIPTION OF EVENTS

SuperRare is a pioneering digital art marketplace and gallery that specializes in one-of-one crypto artworks. Launched in 2018, it offers a curated platform where artists mint, exhibit, and sell NFTs (non-fungible tokens) directly to collectors. Unlike open marketplaces with mass uploads, SuperRare takes a high-end, gallery-style approach, emphasizing quality, originality, and digital scarcity. Each artwork is tokenized on the Ethereum blockchain, ensuring transparent ownership, provenance, and resale royalties for artists.

The platform distinguishes itself by fostering a strong community of collectors and creators through artist onboarding, editorial features, and physical exhibitions. It also integrates social features like profiles, bidding, and commenting to encourage collector-artist interactions. SuperRare recently launched SuperRare Spaces—independently curated storefronts that bring decentralized governance into the platform. These Spaces are selected and managed by community members who propose exhibitions, onboard artists, and earn a portion of sales, aligning with the DAO’s long-term vision.

Governance and development of SuperRare are overseen by RareDAO, a decentralized autonomous organization powered by the $RARE token. Holders of $RARE can participate in protocol decisions, manage treasury funds, and vote on key initiatives, including Space proposals. With notable partners like Sotheby’s and artists such as XCOPY and Beeple commanding multimillion-dollar sales, SuperRare remains at the forefront of the crypto art movement, merging high-end digital art with decentralized technology.

Unfortunately, the SuperRare staking contract (RareStakingV1) on Ethereum contained a critical flaw in its access control logic, specifically in the updateMerkleRoot function. This function was meant to be restricted to trusted parties—such as the contract owner or a specific privileged address—to securely update the Merkle root that determines reward eligibility. However, due to a logic inversion in the permission check, the contract accidentally allowed all addresses except the intended privileged ones to call the function.

This inverted check meant that any unauthorized address could submit a new, forged Merkle root and effectively claim staking rewards intended for legitimate users. By exploiting this, an attacker was able to generate a fraudulent distribution tree and drain approximately $730,000 worth of $RARE tokens. The exploit was further complicated by a frontrunning incident: although the attacker deployed an exploit contract, a separate address executed the actual draining transaction one block later, potentially using MEV strategies.

The exploit was the result of a critical flaw in the access control logic of the updateMerkleRoot function. This function, intended to be used only by authorized accounts (like the contract owner or a specific privileged address), contained an inverted permission check. Instead of verifying that only privileged users could call it, the logic was mistakenly written to exclude those privileged users—allowing anyone else to update the Merkle root. This effectively opened the door for any attacker to forge distribution roots and drain funds meant for legitimate stakers.

Using this vulnerability, the attacker submitted a fake Merkle root, allowing them to claim reward tokens they weren’t entitled to. The attacker deployed an exploit contract to facilitate the claim, but notably, the actual draining transaction was frontrun by another address one block later—indicating the presence of a MEV (Miner Extractable Value) bot or a separate opportunistic actor. The stolen funds, totaling 11.9 million $RARE ($730K USD), remain in the attacker's contract and have not yet been swapped or laundered.

Analysis shows the attacker’s address was funded via Tornado Cash approximately 186 days prior, suggesting premeditation and an attempt to anonymize the funding trail. This exploit underscores the importance of proper require statement logic in Solidity smart contracts, especially in access control functions. A simple correction—such as enforcing require(msg.sender == owner() || msg.sender == 0xc2F3...8ddc)—could have prevented this attack entirely. The event highlights how small errors in permission checks can lead to large financial losses in decentralized protocols.
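The following Solidity contract is a constructed illustration of the defect class described above and its fix; it is added here and is not SuperRare's RareStakingV1 source. It assumes OpenZeppelin's Ownable, MerkleProof and IERC20, and uses a hypothetical second privileged address `updater` in place of the specific address the report elides.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the bug class, not SuperRare's RareStakingV1 source.
// Assumes OpenZeppelin v5 Ownable, MerkleProof and IERC20.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

contract RewardDistributor is Ownable {
    IERC20 public immutable rewardToken;
    address public immutable updater; // hypothetical second privileged address
    bytes32 public merkleRoot;        // root over leaves of (account, amount)
    // Claims are tracked per root: whoever controls the root controls who gets paid,
    // which is why the root update itself must be the guarded operation.
    mapping(bytes32 => mapping(address => bool)) public claimed;

    constructor(IERC20 token, address updater_) Ownable(msg.sender) {
        rewardToken = token;
        updater = updater_;
    }

    // The defect described above, written out so the inversion is visible:
    //
    //   function updateMerkleRoot(bytes32 newRoot) external {
    //       require(msg.sender != owner() && msg.sender != updater, "not authorized");
    //       merkleRoot = newRoot;
    //   }
    //
    // The != / && combination rejects exactly the two trusted callers and admits
    // every other address. Flipping the operators, as below, is the entire fix.
    modifier onlyRootUpdater() {
        require(msg.sender == owner() || msg.sender == updater, "not authorized");
        _;
    }

    function updateMerkleRoot(bytes32 newRoot) external onlyRootUpdater {
        merkleRoot = newRoot;
    }

    function claim(uint256 amount, bytes32[] calldata proof) external {
        require(!claimed[merkleRoot][msg.sender], "already claimed");
        // Double-hashed leaf, the encoding OpenZeppelin's Merkle tooling expects.
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(msg.sender, amount))));
        require(MerkleProof.verify(proof, merkleRoot, leaf), "invalid proof");
        claimed[merkleRoot][msg.sender] = true;
        require(rewardToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

A single negative unit test, calling updateMerkleRoot from an arbitrary non-privileged account and expecting a revert, is enough to catch this inversion before deployment.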

Transactions: 0xf5b6531ead5023568b5063b131068a6dd4d8c9eac66a51666982d99af1a0d520

Attacker: 0x5B9B4B4DaFbCfCEEa7aFbA56958fcBB37d82D4a2

Victim Contract (SuperRare RareStaking V1): 0xfFB512B9176D527C5D32189c3e310Ed4aB2Bb9eC

CertiK reports the loss as "11.9M RARE tokens (~$730K)". PeckShield and Blockaid also report $730k.

Cyvers has a screenshot showing the loss total as $731,809.68.

SupLabsYi reports a lower loss amount of $710k.

Multiple third parties have reported on the exploit transaction. The incident does not appear to have been acknowledged by the SuperRare team on their website or social media.

There is no indication that any recovery is underway, and it is unclear what kind of investigation, if any, is in progress.


SuperRare, a high-end digital art marketplace known for its curated one-of-one crypto artworks and artist-centric community, recently suffered a critical exploit in its RareStakingV1 smart contract. A flaw in the access control logic of the updateMerkleRoot function allowed unauthorized users—excluding only the intended privileged addresses—to update staking reward eligibility. This oversight enabled an attacker to submit a forged Merkle root and claim roughly 11.9 million $RARE tokens (~$730K). A frontrunning incident followed, likely involving MEV strategies. The attacker’s address had been funded via Tornado Cash months prior, suggesting premeditation. Despite widespread third-party reporting, SuperRare has not publicly acknowledged the breach, and no recovery efforts have been disclosed. The incident underscores how a minor code logic error in decentralized protocols can lead to substantial financial loss.

Sources And Further Reading

SlowMist - "MistEye detected that @SuperRare has been exploited. The root cause for this exploit was an incorrect permission check in the updateMerkleRoot function, allowing anyone to modify the Merkle Root and claim tokens." - Twitter/X (Jul 29)
Exploiter Address - Etherscan (Jul 29)
Agent Lisa (AI) - "A severe vulnerability has been detected in the updateMerkleRoot function of certain smart contracts, allowing anyone to modify the Merkle root. This flaw can lead to fraudulent claims and the drainage of contract funds." - Twitter/X (Jul 29)
SolidityScan - "On 28th July, 2025, SuperRare's (@SuperRare) RareStakingV1 contract was hacked, losing ~$730K USD (~11.9M $RARE) due to a flawed access control in updateMerkleRoot() function's require check." - Twitter/X (Jul 29)
BlockscopeCo - "A critical access control flaw in @SuperRare’s contract allowed an exploiter to update the Merkle root without authorization. By submitting a fake root, the exploiter claimed and drained ~$720K in $RARE tokens intended for genuine recipients." - Twitter/X (Jul 29)
MetaTrustAlert - "@SuperRare on #Ethereum was attacked with a loss of $730k due to the incorrect access control in `updateMerkleRoot`, which allows unauthorized users to update the merkle root." - Twitter/X (Jul 29)
CertiKAlert - "The attacker updated the MerkleRoot then claimed 11.9M RARE tokens (~$730K)." - Twitter/X (Jul 29)
CyversAlerts - "The attacker’s address, funded via @TornadoCash approximately 186 days ago, executed the exploit and gained 731K worth of $RARE." - Twitter/X (Jul 29)
Phalcon_xyz - "@SuperRare’s staking contract (v1) on #Ethereum was exploited, with the root cause traced to a flawed updateMerkleRoot function—key validation checks were incorrectly inverted. As a result, instead of restricting updates to privileged accounts (e.g., the owner), any account (except those privileged ones) could perform the update..." - Twitter/X (Jul 29)
PeckShieldAlert - "@SuperRare has been exploited, losing ~$730K worth of $RARE" - Twitter/X (Jul 29)
SuplabsYi - "@SuperRare was hacked for $710,000. The root cause of this SuperRare staking exploit? A brain-dead permission check that only lets non-owners and non-specific accounts update the Merkle Root. Seriously, who wrote this? Should’ve been a tight require(msg.sender == owner() || msg.sender == 0xc2F3...8ddc), but nope—wide open for anyone to drain the pool with a forged Merkle Root." - Twitter/X (Jul 29)
BlockAid - "The attacker had deployed an exploit contract - but the actual attack was performed by a frontrunner one block later." - Twitter/X (Jul 29)
SuperRare Twitter/X Account (Jul 29)
SuperRare Official Homepage (Jul 29)
SuperRare DAO Overview (Jul 29)
About $RARE and Governance (Jul 29)
Artist Onboarding & Curation (Jul 29)
Hacker hits SuperRare NFT platform for $730K in RARE tokens exploit - MiTrade (Aug 18)
SuperRare $730,000 exploit was easily preventable — Experts weigh in - CoinTelegraph (Aug 18)
$731,000 stolen in SuperRare hack - Web3IsGoingGreat (Aug 18)
