NFT trading platform SuperRare suffered a $730,000 exploit on Monday due to a basic smart contract bug that experts say could have easily been prevented with standard testing practices.
SuperRare’s (RARE) staking contract was exploited on Monday with around $731,000 worth of RARE tokens stolen, according to crypto cybersecurity firm Cyvers.
The vulnerability stems from a function meant to allow only specific addresses to modify the Merkle root, a critical data structure that determines user staking balances. However, the logic was mistakenly written to allow any address to interact with the function.
0xAw, lead developer at Base decentralized exchange Alien Base, pointed out that the mistake in question was obvious enough to be caught by ChatGPT. Cointelegraph independently verified that OpenAI’s o3 model successfully identified the flaw when tested.
Relevant code in the SuperRare token staking contract. Source: Cointelegraph
“ChatGPT would’ve caught this, any half competent Solidity dev would’ve caught this. Basically anyone, if they looked. Most likely nobody did,” 0xAw told Cointelegraph.
SuperRare co-founder Jonathan Perkins told Cointelegraph that no core protocol funds were lost, and affected users will be made whole. He said that it appears that 61 wallets are affected.
“We’ve learned from it, and now future changes will go through a much more robust review pipeline,“ he said.
Related: Crypto hacks surpass $3.1B in 2025 as access flaws persist: Hacken
Anatomy of a vulnerability
To determine whether changing the Merkle root should be allowed, the smart contract checked if the interacting address was not a specific address or the contract’s owner. This is the opposite logic to what was intended to be enforced, allowing anyone to siphon the staked RARE out of the contract.
The line containing the relevant check. Source: Cointelegraph
A senior engineer at crypto insurance firm Nexus Mutual told Cointelegraph that “unit tests would have caught this mistake.”
Mike Tiutin, blockchain architect…
..
