NFT trading platform SuperRare suffered a $730,000 exploit on Monday due to a basic smart contract bug that experts say could have easily been prevented with standard testing practices.
SuperRare’s (RARE) staking contract was exploited on Monday with around $731,000 worth of RARE tokens stolen, according to crypto cybersecurity firm Cyvers.
The vulnerability stems from a function meant to allow only specific addresses to modify the Merkle root, a critical data structure that determines user staking balances. However, the logic was mistakenly written to allow any address to interact with the function.
0xAw, lead developer at Base decentralized exchange Alien Base, pointed out that the mistake in question was obvious enough to be caught by ChatGPT. Cointelegraph independently verified that OpenAI’s o3 model successfully identified the flaw when tested.
“ChatGPT would’ve caught this, any half competent Solidity dev would’ve caught this. Basically anyone, if they looked. Most likely nobody did,” 0xAw told Cointelegraph.
SuperRare co-founder Jonathan Perkins told Cointelegraph that no core protocol funds were lost, and affected users will be made whole. He said that it appears that 61 wallets are affected.
“We’ve learned from it, and now future changes will go through a much more robust review pipeline,“ he said.
Related: Crypto hacks surpass $3.1B in 2025 as access flaws persist: Hacken
Anatomy of a vulnerability
To determine whether changing the Merkle root should be allowed, the smart contract checked if the interacting address was not a specific address or the contract’s owner. This is the opposite logic to what was intended to be enforced, allowing anyone to siphon the staked RARE out of the contract.
A senior engineer at crypto insurance firm Nexus Mutual told Cointelegraph that “unit tests would have caught this mistake.”
Mike Tiutin, blockchain architect and chief technology officer at firm AMLBot, said, “It’s a silly mistake of the developer that was not covered by tests (that’s why full coverage is important).”
AMLBot CEO Slava Demchuk also came to the same conclusion, noting that “there was no extensive testing (or a bug bounty program) that could have found it pre-deployment.” He highlighted the importance of testing, noting that it is a “classic example why smart contract logic must be rigorously audited.” He added:
“This stands as a stark reminder: in decentralized systems, even a one-character mistake can have severe consequences.”
While Perkins insisted the contracts were audited and unit-tested, he acknowledged that the bug was introduced late in the process and wasn’t covered in final test scenarios:
“It’s a painful reminder of how even small changes in complex systems can have unintended consequences.“
Related: Indian crypto exchange CoinDCX hacked, $44M drained
The importance of unit testing
Unit tests are small, automated tests that check whether individual parts (“units”) of a program — typically functions or methods — work as expected. Each test targets a specific behavior or output based on a given input, helping to catch bugs early.
In this case, the tests that verify whether addresses can or cannot call the function to modify the Merkle root would have failed.
“By oversight or inadequate testing, the effect was the same: an avoidable vulnerability that cost massively,“ Demchuk told Cointelegraph.
0xAw similarly said that “the problem was, of course, the apparently complete lack of testing.” He said that “it’s not even a kind of code that works well in normal conditions, and fails if you push it in the right places.”
“This code just does the opposite of what you expect,“ he added.
Perkins told Cointelegraph that moving forward, SuperRare has introduced new workflows that mandate re-audits for any post-audit changes, no matter how minor.
Most vulnerabilities are oversights
0xAw said that the mistake is “a normal human error.” Instead, what he views as a “monumental mistake” is that it “made it to production and stayed there.”
0xAw highlighted that the vast majority of serious vulnerabilities originate from “really stupid and easily preventable mistakes.” Still, he admitted that “they’re usually a bit harder to notice than this.”
Hacken’s head of incident response, Yehor Rudytsia, agreed that thorough test coverage would have caught the flaw.
“If reviewing this function, it’s a pretty obvious bug,” he said.
Magazine: North Korea crypto hackers tap ChatGPT, Malaysia road money siphoned: Asia Express
