The NFT marketplace SuperRare's RareStakingV1 contract was exploited, allowing attackers to drain 11.9M RARE tokens.

Importantly, the vulnerability did not compromise the underlying $RARE token contract or its core functionalities. SuperRare's exploited RareStakingV1 contract was part of the platform's staking and curation initiative launched in August 2023.

The Rare Protocol was introduced as a solution to a persistent problem in the NFT space: quality curation and creator discovery. Through its Curation Staking mechanism, participants use the native $RARE token to stake on artists, join their Community Pools, and receive rewards when those artists make sales.

SuperRare Staking Contract Exploit Origin: Faulty Permission Check in updateMerkleRoot

According to the alert from Web3 security firm Blockaid and threat intelligence platform MistEye, the exploit stemmed from a flawed permission check in the "updateMerkleRoot" function within the RareStakingV1 contract.