SuperRare updateMerkleRoot Backwards Permission Check Logic

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

SuperRare Logo/Homepage

SuperRare, a high-end digital art marketplace known for its curated one-of-one crypto artworks and artist-centric community, recently suffered a critical exploit in its RareStakingV1 smart contract. A flaw in the access control logic of the updateMerkleRoot function allowed unauthorized users—excluding only the intended privileged addresses—to update staking reward eligibility. This oversight enabled an attacker to submit a forged Merkle root and claim roughly 11.9 million $RARE tokens (~$730K). A frontrunning incident followed, likely involving MEV strategies. The attacker’s address had been funded via Tornado Cash months prior, suggesting premeditation. Despite widespread third-party reporting, SuperRare has not publicly acknowledged the breach, and no recovery efforts have been disclosed. The incident underscores how a minor code logic error in decentralized protocols can lead to substantial financial loss.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22]

About SuperRare

SuperRare is a pioneering digital art marketplace and gallery that specializes in one-of-one crypto artworks. Launched in 2018, it offers a curated platform where artists mint, exhibit, and sell NFTs (non-fungible tokens) directly to collectors. Unlike open marketplaces with mass uploads, SuperRare takes a high-end, gallery-style approach, emphasizing quality, originality, and digital scarcity. Each artwork is tokenized on the Ethereum blockchain, ensuring transparent ownership, provenance, and resale royalties for artists.

The platform distinguishes itself by fostering a strong community of collectors and creators through artist onboarding, editorial features, and physical exhibitions. It also integrates social features like profiles, bidding, and commenting to encourage collector-artist interactions. SuperRare recently launched SuperRare Spaces—independently curated storefronts that bring decentralized governance into the platform. These Spaces are selected and managed by community members who propose exhibitions, onboard artists, and earn a portion of sales, aligning with the DAO’s long-term vision.

Governance and development of SuperRare are overseen by RareDAO, a decentralized autonomous organization powered by the $RARE token. Holders of $RARE can participate in protocol decisions, manage treasury funds, and vote on key initiatives, including Space proposals. With notable partners like Sotheby’s and artists such as XCOPY and Beeple commanding multimillion-dollar sales, SuperRare remains at the forefront of the crypto art movement, merging high-end digital art with decentralized technology.

The Reality

Unfortunately, the SuperRare staking contract (RareStakingV1) on Ethereum contained a critical flaw in its access control logic, specifically in the updateMerkleRoot function. This function was meant to be restricted to trusted parties—such as the contract owner or a specific privileged address—to securely update the Merkle root that determines reward eligibility. However, due to a logic inversion in the permission check, the contract accidentally allowed all addresses except the intended privileged ones to call the function.

What Happened

A critical access control flaw in SuperRare’s staking contract allowed an attacker to fraudulently claim ~$730K in $RARE tokens, with no public acknowledgment or recovery effort from the team to date.

Key Event Timeline - SuperRare updateMerkleRoot Backwards Permission Check Logic
Date Event Description
July 28th, 2025 2:21:47 AM MDT Contract Deployment Transaction Blockaid reports that this is the deployment of the smart contract. SolidityScan incorrectly reports this is the attack transaction.
July 28th, 2025 2:21:59 AM MDT Attack Transaction The attack transaction, according to BlockScope, SupLabsYi, Blockaid, PeckShield, and CertiK. The smart contract is abused to modify the Merkle root and
July 28th, 2025 3:53:00 AM MDT SlowMist Posts Exploit Tweet SlowMist posts on Twitter/X to report that the SuperRare platform appears to have suffered from a compromise. A vulnerability appears to allow anyone to update the Merkle root permissions and claim tokens.

Technical Details

A misconfiguration meant that any unauthorized user could submit a new, forged Merkle root and effectively claim staking rewards meant for legitimate users. By exploiting this, an attacker was able to generate a fraudulent distribution tree and drain approximately $730,000 worth of $RARE tokens. The exploit was further complicated by a frontrunning incident: although the attacker deployed an exploit contract, a separate address executed the actual draining transaction one block later, potentially using MEV strategies.

The exploit was the result of a critical flaw in the access control logic of the updateMerkleRoot function. This function, intended to be used only by authorized accounts (like the contract owner or a specific privileged address), contained an inverted permission check. Instead of verifying that only privileged users could call it, the logic was mistakenly written to exclude those privileged users—allowing anyone else to update the Merkle root. This effectively opened the door for any attacker to forge distribution roots and drain funds meant for legitimate stakers.

Using this vulnerability, the attacker submitted a fake Merkle root, allowing them to claim reward tokens they weren’t entitled to. The attacker deployed an exploit contract to facilitate the claim, but notably, the actual draining transaction was frontrun by another address one block later—indicating the presence of a MEV (Miner Extractable Value) bot or a separate opportunistic actor. The stolen funds, totaling 11.9 million $RARE ($730K USD), remain in the attacker's contract and have not yet been swapped or laundered.

Analysis shows the attacker’s address was funded via Tornado Cash approximately 186 days prior, suggesting premeditation and an attempt to anonymize the funding trail. This exploit underscores the importance of proper require statement logic in Solidity smart contracts, especially in access control functions. A simple correction—such as enforcing require(msg.sender == owner() || msg.sender == 0xc2F3...8ddc)—could have prevented this attack entirely. The event highlights how small errors in permission checks can lead to large financial losses in decentralized protocols.

Transactions: 0xf5b6531ead5023568b5063b131068a6dd4d8c9eac66a51666982d99af1a0d520

Attacker: 0x5B9B4B4DaFbCfCEEa7aFbA56958fcBB37d82D4a2

Victim Contract (SuperRare RareStaking V1): 0xfFB512B9176D527C5D32189c3e310Ed4aB2Bb9eC


Total Amount Lost

CertiK reports the loss as "11.9M RARE tokens (~$730K)". PeckShield and Blockaid also report $730k.

Cyvers has a screenshot showing the loss total as $731,809.68.

SupLabsYi reports a lower loss amount of $710k.

The total amount lost has been estimated at $730,000 USD.

Immediate Reactions

Multiple third parties have reported on the exploit transaction. The exploit does not appear to have been publicly acknowledged by the SuperRare team initially.

Ultimate Outcome

The incident does not appear to have been acknowledged by the SuperRare team on their website or social media.

Jonathan Perkins, co-founder of SuperRare, later informed Cointelegraph that the core protocol remains intact with no loss of funds. He added that around 61 wallets seem to have been impacted and assured that those affected will be fully compensated.

Total Amount Recovered

SuperRare's co-founder Jonathan Perkins has mentioned an intent to fully compensate all affected users. It has not been confirmed that this has been completed.

It is not publicly known whether the funds from the hack were returned.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

SuperRare is likely introducing development process changes based on this exploit. It is unclear what kind of investigation may be underway, or if funds have been returned.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist - "MistEye detected that @SuperRare has been exploited. The root cause for this exploit was an incorrect permission check in the updateMerkleRoot function, allowing anyone to modify the Merkle Root and claim tokens." - Twitter/X (Accessed Jul 29, 2025)
  2. Exploiter Address - Etherscan (Accessed Jul 29, 2025)
  3. Agent Lisa (AI) - "A severe vulnerability has been detected in the updateMerkleRoot function of certain smart contracts, allowing anyone to modify the Merkle root. This flaw can lead to fraudulent claims and the drainage of contract funds." - Twitter/X (Accessed Jul 29, 2025)
  4. SolidityScan - "On 28th July, 2025, SuperRare's (@SuperRare) RareStakingV1 contract was hacked, losing ~$730K USD (~11.9M $RARE) due to a flawed access control in updateMerkleRoot() function's require check." - Twitter/X (Accessed Jul 29, 2025)
  5. BlockscopeCo - "A critical access control flaw in @SuperRare’s contract allowed an exploiter to update the Merkle root without authorization. By submitting a fake root, the exploiter claimed and drained ~$720K in $RARE tokens intended for genuine recipients." - Twitter/X (Accessed Jul 29, 2025)
  6. MetaTrustAlert - "@SuperRare on #Ethereum was attacked with a loss of $730k due to the incorrect access control in `updateMerkleRoot` allows unauthorized users to update the merkle root." - Twitter/X (Accessed Jul 29, 2025)
  7. CertiKAlert - "The attacker updated the MerkleRoot then claimed 11.9M RARE tokens (~$730K)." - Twitter/X (Accessed Jul 29, 2025)
  8. CyversAlerts - "The attacker’s address, funded via @TornadoCash approximately 186 days ago, executed the exploit and gained 731K worth of $RARE." - Twitter/X (Accessed Jul 29, 2025)
  9. Phalcon_xyz - "@SuperRare (Accessed Jul 29, 2025)
  10. [’s staking contract (v1) on #Ethereum was exploited, with the root cause traced to a flawed updateMerkleRoot function—key validation checks were incorrectly inverted. As a result, instead of restricting updates to privileged accounts (e.g., the owner), any account (except those privileged ones) could perform the update..." - Twitter/X ’s staking contract (v1) on #Ethereum was exploited, with the root cause traced to a flawed updateMerkleRoot function—key validation checks were incorrectly inverted. As a result, instead of restricting updates to privileged accounts (e.g., the owner), any account (except those privileged ones) could perform the update..." - Twitter/X] (Accessed Jul 29, 2025)
  11. PeckShieldAlert - "@SuperRare has been exploited, losing ~$730K worth of $RARE" - Twitter/X (Accessed Jul 29, 2025)
  12. SuplabsYi - "@SuperRare (Accessed Jul 29, 2025)
  13. [was hacked for $710,000. The root cause of this SuperRare staking exploit? A brain-dead permission check that only lets non-owners and non-specific accounts update the Merkle Root. Seriously, who wrote this? Should’ve been a tight require(msg.sender == owner() msg.sender == 0xc2F3...8ddc), but nope—wide open for anyone to drain the pool with a forged Merkle Root." - Twitter/X was hacked for $710,000. The root cause of this SuperRare staking exploit? A brain-dead permission check that only lets non-owners and non-specific accounts update the Merkle Root. Seriously, who wrote this? Should’ve been a tight require(msg.sender == owner() msg.sender == 0xc2F3...8ddc), but nope—wide open for anyone to drain the pool with a forged Merkle Root." - Twitter/X] (Accessed Jul 29, 2025)
  14. BlockAid - "The attacker had deployed an exploit contract - but the actual attack was performed by a frontrunner one block later." - Twitter/X (Accessed Jul 29, 2025)
  15. SuperRare Twitter/X Account (Accessed Jul 29, 2025)
  16. SuperRare Official Homepage (Accessed Jul 29, 2025)
  17. SuperRare DAO Overview (Accessed Jul 29, 2025)
  18. About $RARE and Governance (Accessed Jul 29, 2025)
  19. Artist Onboarding & Curation (Accessed Jul 29, 2025)
  20. Hacker hits SuperRare NFT platform for $730K in RARE tokens exploit - MiTrade (Accessed Aug 18, 2025)
  21. SuperRare $730,000 exploit was easily preventable — Experts weigh in - CoinTelegraph (Accessed Aug 18, 2025)
  22. $731,000 stolen in SuperRare hack - Web3IsGoingGreat (Accessed Aug 18, 2025)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=SuperRare_updateMerkleRoot_Backwards_Permission_Check_Logic&oldid=6916"