Key Insights:
- The SuperRare hack resulted in 11.9 million RARE tokens stolen through a Merkle root manipulation.
- A frontrunner hijacked the exploit one block after the original attacker’s contract deployment.
- Core platform functions were unaffected, but the staking logic failure revealed deeper risks.
On July 28, something strange happened on the Ethereum blockchain. A smart contract from SuperRare, a well-known NFT platform, was tricked, and about $730,000 worth of RARE tokens were stolen.
This wasn’t just a normal crypto hack. The SuperRare hack had an unusual twist.
The person who found the bug in the code didn’t even end up getting the money. Someone else saw the attack coming and jumped in first.
Now, experts are calling this a clear case of front-running, a type of move where someone copies an action but sends their transaction faster.
This SuperRare hack is not just about one mistake in code. It shows how things can go wrong even when attackers are fighting each other for money.
What Is SuperRare and How Did the Hack Happen?
SuperRare is an NFT website where artists sell their digital art. It’s been around since 2018 and only allows selected artists to list their work. It also has a special token called RARE.
People who hold RARE can vote on how the platform works and even earn rewards by staking their tokens.
The SuperRare hack didn’t affect the art side of things or the RARE token itself. It hit the staking contract, the part of the code that lets users earn rewards. This contract had a serious mistake.
The contract had something called a Merkle root, a tool used to check who should get rewards. But the code that controls who can update this Merkle root wasn’t strict enough.
Normally, only the owner of the contract should be allowed to make changes. But the SuperRare staking contract had a weak check.
This let someone upload their own version of the Merkle root, which made it look like they were allowed to claim rewards.
Using this, they took 11.9 million RARE tokens in one transaction. That’s about $730,000 at the time.
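To make the role of the Merkle root concrete, here is a small Python model of a Merkle-based reward distributor with a strict, owner-only root update. It is an added illustration, not SuperRare's contract code: the names, the sample entitlements, and the use of SHA-256 in place of keccak256 are assumptions.

```python
import hashlib

REWARDS = [("0xaaa1", 100), ("0xbbb2", 250), ("0xccc3", 75)]  # constructed sample entitlements

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for keccak256 so only the standard library is needed.
    return hashlib.sha256(data).digest()

def leaf(account: str, amount: int) -> bytes:
    # A leaf commits to one (account, amount) reward entitlement.
    return h(account.lower().encode() + amount.to_bytes(32, "big"))

def pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing, so a proof needs no left/right flags.
    return h(min(a, b) + max(a, b))

def build(leaves):
    """Return (root, proofs), where proofs[i] is the sibling path for leaves[i]."""
    proofs = [[] for _ in leaves]
    level = [(x, [i]) for i, x in enumerate(leaves)]  # (node hash, leaf indices below it)
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level) - 1, 2):
            (a, ia), (b, ib) = level[j], level[j + 1]
            for i in ia: proofs[i].append(b)
            for i in ib: proofs[i].append(a)
            nxt.append((pair(a, b), ia + ib))
        if len(level) % 2: nxt.append(level[-1])  # odd node is promoted unchanged
        level = nxt
    return level[0][0], proofs

class RewardDistributor:
    def __init__(self, owner: str, root: bytes):
        self.owner, self.root, self.claimed = owner, root, set()

    def update_root(self, caller: str, new_root: bytes) -> None:
        # The root decides every payout, so exactly one identity may replace it (fail closed).
        if caller != self.owner:
            raise PermissionError("only the owner may update the Merkle root")
        self.root = new_root

    def claim(self, account: str, amount: int, proof) -> int:
        node = leaf(account, amount)
        for sibling in proof:
            node = pair(node, sibling)
        if node != self.root or account in self.claimed:
            return 0  # entitlement is not in the tree, or was already paid
        self.claimed.add(account)
        return amount
```

Every claim is checked only against the stored root, which is why the permission check on `update_root` carries the same weight as the check on the payout itself.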
Security teams like CertiK and PeckShield confirmed the SuperRare hack right after it happened. Cyvers also found that the attacker’s wallet had been funded with ETH through Tornado Cash, a tool used to hide money, more than six months ago.
This means the attacker may have been preparing this for a long time.
The Big Twist: A Front-Runner Got the Money
The SuperRare hack gets even more interesting. The person who found the bug and wrote the attack contract wasn’t the one who took the money.
Another wallet saw the first attack being sent and copied the exact same move, but with a higher gas fee. In simple terms, that means they paid more to get their transaction processed first.
Since Ethereum miners pick the highest-paying transaction, the second wallet’s move was confirmed before the original one.
This kind of action is called front-running. It’s like cutting in line. The first person spotted a flaw, but the second person got the reward.
Blockaid, one of the security teams that reviewed the SuperRare hack, said this is a clear example of how even attackers can get attacked.
In just one block, just seconds apart, the money was gone. The wallet that ended up with the stolen RARE tokens still holds them. They haven’t moved or sold them yet.
What Happens Now, and What Does the SuperRare Hack Teach Everyone?
Right now, SuperRare has not said much officially. They haven’t explained what they plan to do or whether they’ll pay back users.
The NFT platform itself is still working, and the RARE token wasn’t broken. But the trust in SuperRare’s staking system has taken a hit.
The SuperRare hack teaches a few important things. First, smart contracts must have very tight rules about who can make changes. A simple mistake, like a loose permission, can open the door to huge losses.
Second, anyone who builds on-chain systems has to think about how fast bots can act. In this case, someone saw an attack and beat the attacker at their own game, live, on the chain.
And third, the SuperRare hack is not just about bugs in code. It’s about how fast things happen in crypto.
Everything is public, everything is traceable, and if you make a move, someone might copy it before you even finish.
The $730,000 loss is serious. But the front-run twist makes this one of the most unusual stories in recent crypto history.
The SuperRare hack shows that even attackers need to watch their backs. And for platforms like SuperRare, it’s a reminder: reward systems need just as much protection as vaults.
Source: https://www.thecoinrepublic.com/2025/07/28/superrare-hack-730k-stolen-in-staking-exploit-with-frontrun-twist/