In the ever-theatrical world of NFTs, hacks usually come with a familiar script: stolen JPEGs, rug pulls, or another Discord phishing saga. But the SuperRare exploit of July 28, 2025, was different. No NFTs were stolen. No floor prices were nuked. Instead, this breach struck at the heart of SuperRare’s token economy, siphoning 11.9 million RARE tokens (~$730K) straight out of its staking contract.
The result? Token holders burned, trust shaken, and another reminder that even the “safer” corners of Web3 are laced with landmines.
How SuperRare’s $730K Staking Exploit Went Down
At the center of this drama was the RareStakingV1 contract, specifically its updateMerkleRoot function. That function sets the Merkle root against which reward claims are verified, and its authorization check was lax: a caller who should have been rejected was let through. So the attacker could essentially tell the contract, “Hey, these rewards are legit, trust me,” by publishing a root of their own making and then claiming against it. And the contract, like a gullible sidekick in a heist movie, handed over the loot without a fight.
The exploit transaction was built to pull 11.9 million RARE tokens out in a single swoop, straight to an address the attacker controlled. But here’s the plot twist: the original exploiter didn’t even get away with it. A frontrunner spotted the pending transaction, copied it with a higher gas fee, and landed first, so the 11.9 million RARE went to the frontrunner’s address instead. This wasn’t Ocean’s Eleven; it was Ocean’s Eleven versus Ocean’s Twelve, live on-chain.
Even spicier? Blockchain sleuths traced the frontrunner’s funding back 186 days to a Tornado Cash deposit, hinting at long-term planning, or someone who just never shuts off their burner wallets.
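To make the mechanism concrete, here is an added Python model of a Merkle-root reward distributor. It is example code written for this article, not SuperRare’s contract and not Solidity. Addresses, amounts and the form of the lax check are assumptions: the page only says the check was lax, and the model represents that as an inverted condition, which is one of the ways such a check ends up admitting the wrong callers. SHA3-256 stands in for keccak256 because hashlib has no keccak.

```python
"""Python model of a Merkle-root reward distributor with a lax root-update check.

Added example, not SuperRare's contract. Addresses, amounts and the exact form
of the lax check are constructed for illustration.
"""
import hashlib


def h(data: bytes) -> bytes:
    # SHA3-256 stands in for keccak256 (assumption; hashlib ships no keccak).
    return hashlib.sha3_256(data).digest()


def leaf(addr: str, amount: int) -> bytes:
    # Leaf = hash(address || amount), the usual reward/airdrop leaf layout.
    return h(addr.encode() + amount.to_bytes(32, "big"))


def parent(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing, the scheme OpenZeppelin's MerkleProof verifies.
    lo, hi = sorted((a, b))
    return h(lo + hi)


def merkle_root_and_proofs(leaves: list) -> tuple:
    """Build a tree over the leaves; return (root, one sibling path per leaf)."""
    if not leaves:
        raise ValueError("empty tree")
    level = list(leaves)
    pos = list(range(len(leaves)))           # position of each leaf's ancestor in `level`
    proofs = [[] for _ in leaves]
    while len(level) > 1:
        if len(level) % 2:                   # duplicate the last node on odd levels
            level.append(level[-1])
        for i, p in enumerate(pos):
            proofs[i].append(level[p ^ 1])   # sibling of this leaf's current ancestor
            pos[i] = p // 2
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], proofs


def verify(root: bytes, leaf_hash: bytes, proof: list) -> bool:
    node = leaf_hash
    for sibling in proof:
        node = parent(node, sibling)
    return node == root


class RewardDistributor:
    """Minimal staking-rewards model: claims are proven against a stored root."""

    def __init__(self, owner: str, balance: int, lax_check: bool):
        self.owner, self.balance, self.lax_check = owner, balance, lax_check
        self.root = None
        self.claimed = set()

    def update_merkle_root(self, sender: str, new_root: bytes) -> None:
        if self.lax_check:
            # Lax variant (constructed): the condition is inverted, so everyone
            # EXCEPT the owner passes. Not the real contract's code.
            if sender == self.owner:
                raise PermissionError("Not authorized")
        elif sender != self.owner:
            # Hardened variant: only the owner may publish a new root.
            raise PermissionError("Not authorized")
        self.root = new_root

    def claim(self, sender: str, amount: int, proof: list) -> int:
        if self.root is None or sender in self.claimed:
            raise ValueError("nothing to claim")
        if not verify(self.root, leaf(sender, amount), proof):
            raise ValueError("invalid proof")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.claimed.add(sender)
        self.balance -= amount
        return amount


def drain(dist: RewardDistributor, attacker: str) -> int:
    """Exploit shape: publish a one-leaf tree naming yourself for the whole balance, then claim."""
    total = dist.balance
    root, proofs = merkle_root_and_proofs([leaf(attacker, total)])
    dist.update_merkle_root(attacker, root)   # only succeeds when the check is lax
    return dist.claim(attacker, total, proofs[0])


def run_demo() -> dict:
    owner, attacker = "0xowner", "0xattacker"
    stakers = [("0xalice", 100), ("0xbob", 250), ("0xcarol", 75)]   # constructed
    # Legitimate flow on the hardened contract: owner publishes a root, a staker claims.
    hardened = RewardDistributor(owner, balance=11_900_000, lax_check=False)
    root, proofs = merkle_root_and_proofs([leaf(a, n) for a, n in stakers])
    hardened.update_merkle_root(owner, root)
    bob_claim = hardened.claim("0xbob", 250, proofs[1])
    tampered_rejected = not verify(root, leaf("0xbob", 1_000_000), proofs[1])
    try:
        drain(hardened, attacker)
        drain_blocked = False
    except PermissionError:
        drain_blocked = True
    # The same attack against the lax contract empties it.
    lax = RewardDistributor(owner, balance=11_900_000, lax_check=True)
    drained = drain(lax, attacker)
    return {"bob_claim": bob_claim, "tampered_rejected": tampered_rejected,
            "drain_blocked": drain_blocked, "drained": drained, "lax_balance": lax.balance}


if __name__ == "__main__":
    print(run_demo())
```

The point worth taking from the model: nothing about the Merkle verification is wrong in either variant, and a tampered proof is rejected in both. The root is only as trustworthy as the access control on the function that sets it, which is why a one-line check in the “boring” module decides the whole balance.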
The Devil in the Details: What Most Missed
- The Soft Target Wasn’t NFTs, It Was Governance Logic: Everyone obsesses over vaults and marketplaces, but here it was the staking mechanism (the “boring” backend) that became the jackpot.
- Gas Wars Aren’t Just for Apes and Drops: Attackers are now front-running other attackers. It’s like pirates robbing pirates before the navy even shows up.
- Frozen Funds: The stolen RARE has not moved so far, suggesting either that the holder is waiting for the heat to die down or planning an OTC exit.
- Audits Still Don’t Go Far Enough: Staking, reward, and governance modules often get the “less critical” treatment compared to vaults or DEX logic (but not at Resonance Security, of course!), and it shows.
Idioms, Lessons, and What’s Next
SuperRare’s exploit is a textbook case of “a chain is only as strong as its weakest link.” The vaults were fine. The marketplace was fine. But a single broken authorization check in a staking module opened the floodgates.
If you’re building in Web3, remember: even the “back office” code can burn down the whole house. A few lessons for survival:
- Audit reward and staking logic like it’s holding your treasury…because it is.
- Write negative tests for every privileged function: a test that an arbitrary address gets rejected by updateMerkleRoot is cheap, and it is exactly the test a lax check fails.
- Simulate gas wars and frontrunning; attackers aren’t just clever, they’re competing with each other.
- Deploy real-time monitors and circuit breakers for abnormal function calls (an updateMerkleRoot call from an unexpected address, mass claims, vault drains).
- Integrate multi-sig approvals, and where possible a timelock, for sensitive functions, even in seemingly low-risk contracts.
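As an added example for the monitoring and gas-war points above (illustrative Python written for this article, not Resonance Security’s tooling and not anything SuperRare ran), here is an offline monitor that replays a constructed stream of decoded calls to a staking contract. The addresses, function names, thresholds and the inclusion model (higher gas price executes first within a block) are assumptions; a real deployment would decode records from a mempool and block feed.

```python
"""Offline monitor for a staking contract's call stream, with a circuit breaker.

Added example, not Resonance Security's or SuperRare's tooling. Records,
addresses, function names and thresholds are constructed for illustration.
"""

STAKING_BALANCE = 11_900_000
ROOT_UPDATERS = {"0xowner"}            # allowlist for privileged calls (assumption)
PRIVILEGED = {"updateMerkleRoot"}
CLAIM_CAP = 0.05                       # one claim above 5% of balance is abnormal (assumption)

# Constructed records. `seen_at` is mempool first-sighting time: the exploiter's
# updateMerkleRoot is broadcast first, then 0xfrontrunner copies it at a higher gas price.
TXS = [
    dict(block=100, seen_at=1.0, sender="0xowner",       func="updateMerkleRoot", calldata="0xaaaa", gas_price=20, amount=0),
    dict(block=100, seen_at=1.5, sender="0xalice",       func="claim",            calldata="0x1111", gas_price=20, amount=100),
    dict(block=101, seen_at=2.0, sender="0xexploiter",   func="updateMerkleRoot", calldata="0xbeef", gas_price=30, amount=0),
    dict(block=101, seen_at=2.1, sender="0xexploiter",   func="claim",            calldata="0xc1a1", gas_price=30, amount=11_900_000),
    dict(block=101, seen_at=2.4, sender="0xfrontrunner", func="updateMerkleRoot", calldata="0xbeef", gas_price=90, amount=0),
    dict(block=101, seen_at=2.5, sender="0xfrontrunner", func="claim",            calldata="0xc1a2", gas_price=90, amount=11_900_000),
]


def block_order(txs):
    """Simplified inclusion model: within a block, higher gas price executes first."""
    return sorted(txs, key=lambda t: (t["block"], -t["gas_price"], t["seen_at"]))


def copycats(txs):
    """Pair each repeated (func, calldata) with the sender who broadcast it first.

    On-chain order alone would name the exploiter as the copy, because the
    frontrunner's version landed first; mempool first-sighting gives the real direction.
    Returns (copier, original sender, copier outbid the original).
    """
    first, found = {}, []
    for tx in sorted(txs, key=lambda t: t["seen_at"]):
        orig = first.setdefault((tx["func"], tx["calldata"]), tx)
        if orig["sender"] != tx["sender"]:
            found.append((tx["sender"], orig["sender"], tx["gas_price"] > orig["gas_price"]))
    return found


def monitor(txs, balance=STAKING_BALANCE):
    """Replay calls in execution order; trip the breaker on the first critical alert."""
    alerts, blocked, paused = [], [], False
    for tx in block_order(txs):
        if tx["func"] in PRIVILEGED and tx["sender"] not in ROOT_UPDATERS:
            # A privileged call from outside the allowlist is the event itself, not a symptom.
            alerts.append(("unauthorized_privileged_call", tx["sender"], tx["func"]))
            paused = True
        elif tx["func"] == "claim":
            if paused:
                blocked.append((tx["sender"], tx["amount"]))
            elif tx["amount"] > CLAIM_CAP * balance:
                # Catches the case where the allowlist rule is silent (e.g. a stolen owner key).
                alerts.append(("oversized_claim", tx["sender"], tx["amount"]))
                paused = True
                blocked.append((tx["sender"], tx["amount"]))
            else:
                balance -= tx["amount"]
    return {"alerts": alerts, "blocked": blocked, "paused": paused, "balance": balance}


if __name__ == "__main__":
    print(monitor(TXS))
    print(copycats(TXS))
```

Two caveats a practitioner will want. First, the breaker here only helps because the root update and the claim are separate transactions; if an attacker bundles both into one transaction, no off-chain watcher can act in between, and the defence has to live in the contract (a delay between a root update and the first claim against it, or a multi-sig on the update). Second, the copycat rule needs mempool timing, not just block contents: the chain shows the frontrunner first and would make the original exploiter look like the copy.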
The Bigger Picture: Tokenomics is the New Attack Surface
NFT platforms aren’t just about art anymore. They’re complex ecosystems with token staking, governance, and yield mechanics. And attackers know it. Every smart contract, whether it mints, rewards, or routes, is now a potential target.
As the saying goes, “forewarned is forearmed.” SuperRare’s $730K hit is a reminder to every protocol: treat every line of code as a vault door, or be prepared to watch your treasury walk away in plain sight.
How Resonance Security Can Help
At Resonance Security, we don’t just audit vaults, we stress-test every module: staking, governance, tokenomics, and beyond. We deploy real-time agents, simulate adversarial flows, and ensure your code can survive both attackers and opportunistic frontrunners.
Book a free consult today, and let’s make sure your staking contracts aren’t the next open season for on-chain bandits.