Even SuperRare, one of the most beloved NFT marketplaces, recently had a major security incident. Hackers absconded with an estimated $730,000 worth of RARE tokens in the incident. This incident raised a lot of alarm bells and smart contract security. This alarming hack underscores the critical need for strong security standards across the DeFi landscape. Anjali Mehra, our DeFi opinion columnist, is a whiz when it comes to untangling hard-to-understand issues. Here, she shares her perspective on the SuperRare exploit, what it means, and what we need to do to prevent such attacks in the future.

The SuperRare Exploit: A Breakdown

The exploit was focused around a vulnerability in the SuperRare staking contract. In particular, an insecure function enabled attackers to change the Merkle root without proper authorization. The Merkle root is a fundamental piece of data that dictates how much each user has staked on the platform.

What Went Wrong?

The attacker took advantage of the broken access control. They artfully crafted the Merkle root and siphoned funds from the staking contract. This gave them the ability to steal 11.9 million RARE tokens, worth approximately $731,000 at the time of the attack. The attack affected 61 wallets. Since then, with the deadline for repayment coming July 28, 2025, the stolen funds remain frozen. This means that the attacker could be anticipating how to cash out the assets without being traced.

  • Insecure Function: A function designed to allow only specific addresses to modify the Merkle root lacked proper security measures. The intention was to restrict access, but the implementation failed to do so effectively.
  • Insufficient Access Control: The smart contract's logic checked if the interacting address was not a specific address or the contract's owner. This approach proved insufficient because it didn't adequately prevent unauthorized access. Essentially, any address could alter the Merkle root.
  • Lack of Testing: The vulnerability was not detected during testing. This highlights the necessity of comprehensive unit testing to isolate and verify individual functions within a smart contract.

How the Attacker Exploited the Vulnerability

We want to commend the SuperRare team for moving quickly to fix the exploit and limit its damage.

The Aftermath and SuperRare's Response

The exploit would have understandably been alarming for RARE token holders. While the short-term effect was powerful, the long-term picture is one of tempered hope.

  • No Core Protocol Funds Lost: SuperRare co-founder Jonathan Perkins assured the community that no core protocol funds were lost. This was a crucial point, as it limited the scope of the damage.
  • User Reimbursement: Affected users will be made whole, demonstrating SuperRare's commitment to its community.
  • RARE Token Contract Unaffected: The core $RARE token contract and its functionalities were not compromised. This is a key distinction, as it means the underlying token infrastructure remains secure.
  • Account Freezing: SuperRare froze the affected accounts to prevent further unauthorized access and control the damage.
  • Cybersecurity Collaboration: SuperRare is collaborating with cybersecurity firms to investigate the vulnerability and implement preventative measures against future breaches.
  • Third-Party Audits: The platform has engaged third-party auditors to conduct a thorough review of its codebase, identifying potential security risks and vulnerabilities.
  • Testing Improvement: SuperRare is likely reviewing and improving its testing procedures to ensure more comprehensive coverage and prevent similar incidents in the future.

Implications for RARE Token Holders and the Market

What the SuperRare exploit can teach NFT investors on security and safety. It highlights the importance for developers to focus on implementing best practices through their development.

  • Price Impact: Despite the hack, market trends suggest a steady uptrend for RARE. This indicates that the market has largely absorbed the news and retains confidence in the project's long-term potential.
  • Limited Utility of RARE: It's important to acknowledge that the RARE token's utility is somewhat limited, primarily functioning as a governance token within the SuperRare ecosystem. This limited utility could impact its price, especially if the platform doesn't introduce new use cases or features for the token.

Actionable Advice for NFT Investors and Developers

Yet the SuperRare hack highlights how security risks remain a persistent challenge in the DeFi ecosystem. Investors and developers should address future risks by coming to grips with the vulnerabilities that resulted in the exploit. By requiring proactive security measures, they will create a more secure NFT ecosystem.

For NFT Investors:

  • Keep seed/recovery phrases offline and secure: This is a fundamental security principle. Store your seed phrases offline, create multiple copies, and consider splitting the phrase into parts stored in separate, secure locations.
  • Use password managers and 2FA protection: Employ a reputable password manager to generate and store strong, unique passwords for each of your accounts. Enable two-factor authentication (2FA) wherever possible for an added layer of security.
  • Review and verify third-party applications and libraries: Exercise caution when interacting with third-party applications or libraries. Verify their security and reputation before granting access to your wallet or assets.

For NFT Developers:

  • Implement standardized royalty interfaces: Ensure the contract implements and correctly uses standardized royalty interfaces, such as EIP-2981. This helps ensure proper royalty distribution and transparency.
  • Use secure randomness sources: Avoid using block variables (timestamp, blockhash) as a source of randomness; instead, consider using Chainlink VRF or similar oracle solutions for critical randomness. Block variables are predictable and can be manipulated by malicious actors.
  • Review and verify third-party applications and libraries: Thoroughly review and verify all third-party applications, integrations, and libraries for your projects at both the smart contract/application layer and for your community.
  • Thorough Testing Coverage: Invest in comprehensive unit testing to isolate and verify individual functions within smart contracts. Automated testing, fuzzing, and formal verification can help identify vulnerabilities before deployment.
  • Regular Audits: Engage reputable third-party auditors to conduct regular security audits of your smart contracts and infrastructure. These audits can identify potential vulnerabilities that may have been missed during development.
  • Access Control: Implement robust access control mechanisms to restrict access to sensitive functions and data. Use established patterns like role-based access control (RBAC) to manage permissions effectively.

The SuperRare hack underscores the ongoing challenges of security in the DeFi space. By understanding the vulnerabilities that led to the exploit and implementing proactive security measures, both investors and developers can help mitigate future risks and foster a more secure NFT ecosystem.