Last week, crypto art platform SuperRare was the victim of a security vulnerability as $730,000 worth of RARE tokens were stolen. The attacker took advantage of a vulnerability in the platform’s smart contract. Combined, they were able to siphon a large share of the total tokens in a single transaction. Today, SuperRare is having an all-time high trading lifetime trading volume of $950 million. It remains very niche, with less than 10 buyers and sellers trading actively each day and a daily trading volume below $16,000. More than a year later, the stolen assets are still parked in their attack wallet. This predicament highlights both the fragility of decentralized finance (DeFi) and the months-long battle to secure smart contracts.

Exploit Details and Token Theft

The exploit focused on a bad validation in one iteration of the RARE staking smart contract. In this case, the attacker started the exploit by deploying a contract to flashloan and then frontrunning it 1 block later. This enabled them to convert 11,907,874 RARE tokens in one gas-efficient transaction. It wasn’t until further analysis that we discovered it was a connected wallet. It also custodyed an additional $563,150 in RARE tokens, which multiplied the threat of the breach’s fallout.

"The updateMerkleRoot function uses an incorrect condition in the require statement, allowing any address to update the merkle root. The intended authorization check for the owner or a specific address is flawed due to a logical error in the condition. This allows unauthorized users to set a new merkle root, potentially enabling fraudulent claims and draining of contract funds."

The attackers address funded through TornadoCash about six months earlier indicates that this was not just a spontaneous thing but a very well thought out operation. TornadoCash, an illicit cryptocurrency mixer, has been used to obfuscate the origin of the funds. This tactic, in addition to minimizing the attack’s severity, further serves to hide the identity of the aggressor.

Impact on SuperRare and its Community

The SuperRare platform, known for trading digital art, faces potential repercussions from this exploit. Although the platform has enabled a $950 million lifetime trading volume, its daily level of activity is quite small. SuperRare claims about 6,550 active traders, but usually sees under 10 buyers and sellers per day. The average price for art exchanged on the platform currently floats around $5. Even a single incident of RARE tokens losing $730,000 worth of value can lose confidence in the platform. This would be extremely demoralizing to participate, particularly among its power users.

SuperRare’s vulnerability serves as an alarm bell for the NFT ecosystem, emphasizing the need for stringent smart contract auditing and security practices. The incident serves as a critical reminder of the technological gulf between those high-value transactions and the security infrastructure underpinning these platforms. For a platform where some items sell after years of holding, maintaining trust and security is paramount to its long-term viability.

Today, SuperRare has a pretty low daily trading volume and user base. Consequently, it makes itself especially susceptible to the psychological impact of such an exploit. If the community feels their confidence in the platform’s security is compromised, activity will immediately drop off. This erosion of confidence is only likely to drive down the value of RARE tokens.

Security Vulnerabilities and Mitigation

Malicious actors frequently take advantage of smart contracts vulnerabilities to get in. This truth calls for rigorous audits and robust testing processes. A bug in the updateMerkleRoot function was introduced. This vulnerability allowed an unauthorized user to change the Merkle root, leading to the fraudulent claiming of tokens.

The incident highlights the need for proactive monitoring and threat detection. The attacker sent funds to their address through TornadoCash. This underscores the dire need for more sophisticated tracking tools to spot developing risks and intervene before problems fester. The exploit contract serves as an example of just how fast attackers can hit. Second, it underscores how effective they are at exploiting vulnerabilities within blockchain systems.

SuperRare and other NFT platforms need to lead by example when it comes to security. In short, regulators should require long-term, holistic solutions to protect user funds and preserve the integrity of the system. This means frequent smart contract audits, increased vigilance and monitoring, and the establishment of mechanisms for detecting threats before they can be exploited.