In a major development for decentralized finance (DeFi) security, leading NFT art platform SuperRare has been hacked through a custom attack on one of its staking contracts, and 11.9M $RARE tokens worth $731,000 were stolen.
Blockchain security firm Cyvers Alerts revealed the hack, saying that the hacker had exploited a code weakness in the staking contract.
The wallet that was targeted had been dormant for nearly six months since it was seeded using Tornado Cash, a mixer frequently associated with laundering proceeds of illicit activities.
The entire exploit was carried out in a single scheduled transaction.
So far, the hacked tokens sit idle in the exploiter’s contract, suggesting that perhaps the attacker is simply waiting for more favorable circumstances to offload the stolen assets.
Faulty Authorization Logic Vulnerability
Security researchers were quick to identify the cause of the exploit, a basic logic mistake in the staking contract’s updateMerkleRoot function.
The function, intended to let only a particular contract or the owner address change the Merkle root that gates staking claims, had its authorization check implemented incorrectly.
Because of this flaw, anybody could call the function, bypassing the restriction and gaining control over all staking rewards.
The attacker deployed a purpose-built smart contract to exploit this weakness and used front-running techniques to siphon the tokens in seconds.
The attack highlights the severe risk posed by inadequate auditing and faulty contract logic, even for seasoned platforms like SuperRare.
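As an added illustration (not SuperRare's code, and the article does not quote the real expression), the contracts below show the assumed shape of an inverted authorization check on a Merkle-root setter next to its hardened form, plus the Foundry negative test that would have caught it. The contract and variable names, the `rootManager` role and the error string are constructed for this example; the front-running side of the incident is not modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed illustration, not SuperRare's code. A minimal contract where a
// Merkle root gates reward claims and only two addresses may rotate it. The
// article does not quote the real expression; the inverted require() below is
// an assumed shape that reproduces the described behaviour (anyone but the
// authorized callers passes the check).

contract VulnerableMerkleStaking {
    address public immutable owner;
    address public immutable rootManager; // second address allowed to rotate the root
    bytes32 public merkleRoot;

    event MerkleRootUpdated(bytes32 indexed oldRoot, bytes32 indexed newRoot, address indexed caller);

    constructor(address _rootManager) {
        owner = msg.sender;
        rootManager = _rootManager;
    }

    // BUG: the negation is misplaced. The call reverts only when the sender IS
    // the owner or the root manager, so every other address is let through.
    function updateMerkleRoot(bytes32 newRoot) external {
        require(!(msg.sender == owner || msg.sender == rootManager), "Not authorized");
        emit MerkleRootUpdated(merkleRoot, newRoot, msg.sender);
        merkleRoot = newRoot;
    }
}

contract HardenedMerkleStaking {
    address public immutable owner;
    address public immutable rootManager;
    bytes32 public merkleRoot;

    event MerkleRootUpdated(bytes32 indexed oldRoot, bytes32 indexed newRoot, address indexed caller);

    // FIX: an allow-list modifier reads as "must be one of these", which is
    // harder to invert by accident and is reusable across privileged functions.
    modifier onlyRootManager() {
        require(msg.sender == owner || msg.sender == rootManager, "Not authorized");
        _;
    }

    constructor(address _rootManager) {
        owner = msg.sender;
        rootManager = _rootManager;
    }

    function updateMerkleRoot(bytes32 newRoot) external onlyRootManager {
        emit MerkleRootUpdated(merkleRoot, newRoot, msg.sender);
        merkleRoot = newRoot;
    }
}

// Negative access-control test (Foundry). The first test documents the bug;
// the second is the assertion that should exist for every privileged setter:
// an unrelated caller must revert and an authorized caller must still succeed.
contract MerkleRootAccessTest is Test {
    address internal manager = makeAddr("manager");
    address internal stranger = makeAddr("stranger");

    function testVulnerableLetsStrangerRotateRoot() public {
        VulnerableMerkleStaking v = new VulnerableMerkleStaking(manager);
        vm.prank(stranger);
        v.updateMerkleRoot(bytes32(uint256(1)));  // succeeds: this is the bug
        assertEq(v.merkleRoot(), bytes32(uint256(1)));
    }

    function testHardenedRejectsStrangerAndAllowsManager() public {
        HardenedMerkleStaking h = new HardenedMerkleStaking(manager);
        vm.prank(stranger);
        vm.expectRevert(bytes("Not authorized"));
        h.updateMerkleRoot(bytes32(uint256(1)));

        vm.prank(manager);                         // authorized path still works
        h.updateMerkleRoot(bytes32(uint256(2)));
        assertEq(h.merkleRoot(), bytes32(uint256(2)));
    }
}
```

The file assumes a Foundry project with forge-std installed and runs with `forge test`. The design point is that a negated compound condition in a `require` is easy to get backwards, while an explicit allow-list modifier plus a test that asserts a revert for an unprivileged caller turns the same mistake into a failing test before deployment.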
Market Reaction Muted, but RARE Token Starts to Show Signs of Weakness
In spite of the scale of the exploit, SuperRare’s RARE token has only suffered a subdued market impact.
At press time, RARE trades at $0.05922, 1.48% lower over the last 24 hours and 11.16% lower over the last seven days.

The token’s market cap stands at around $48.4 million with a circulating supply of 820 million RARE.
Cyvers Alerts has eased fears by confirming that the exploit was isolated to one staking contract and did not affect the underlying SuperRare protocol or its NFT trading system.
Panic selling was expected, but the market has responded reasonably so far, most likely because the exploit is contained and because RARE's low liquidity makes dumping large volumes extremely difficult without collapsing the price.
Platform Operations Untouched as SuperRare Remains a Niche Actor
Operationally, SuperRare remains business as usual, with the staking exploit failing to disrupt its curated non-fungible token trading platform.
SuperRare's niche status in an already slowing NFT market could limit the attacker's ability to cash out the stolen funds.
The platform, once experiencing record trading volumes, now sees a daily average of less than $16,000 in activity, with less than 10 daily active users.
Average NFT prices are around just $5. The RARE token, intended for governance and staking rewards rather than external use, has very limited utility outside the ecosystem.
Low trading volume and restricted activity raise the question of how the attacker could profit from the stolen tokens without drawing attention or collapsing the market.
Heightened Security Concerns Within NFT and Web3 Environment
The SuperRare attack is just one in a string of incidents that reflect persistent security issues within the NFT and broader Web3 environment.
Recent instances include a well-known attack on Onbd Art, in which hackers pilfered wallets of ETH, ARB, and USDT by hijacking users’ mnemonic phrases.
Crypto investigators are calling for more in-depth audits, more careful smart contract development, and better user security-awareness education to safeguard users and platforms.