NFT trading platform SuperRare suffered a $730,000 exploit on Monday due to a basic smart contract bug that experts say could easily have been prevented with standard testing practices.
According to crypto cybersecurity firm Cyvers, SuperRare’s (RARE) staking contract was exploited on Monday, with RARE tokens worth around $731,000 stolen.
The vulnerability stems from a function meant to ensure that only a particular address can change the Merkle root, a key data structure that determines users’ staking balances. However, the logic was written incorrectly, allowing any address to call the function.
0xaw, lead developer of the Base decentralized exchange Alien Base, noted that the mistake is so obvious it would be caught by ChatGPT. Cointelegraph independently verified that OpenAI’s o3 model successfully identified the defect during testing.

Related code from the SuperRare token staking contract. Source: Cointelegraph
“ChatGPT would have caught this. A half-capable Solidity dev would have caught this. Basically, if anyone saw it, no one would have done that,” 0xaw told Cointelegraph.
SuperRare co-founder Jonathan Perkins told Cointelegraph that the core protocol funds were not lost and that only a limited number of users were affected. He said 61 wallets appear to be affected.
“We learned from that, but now future changes will go through a much more robust review pipeline,” he said.
Anatomy of the vulnerability
To decide whether a Merkle root update should be allowed, the function checked whether the interacting address was not a particular address or the contract owner. This is the opposite of the intended logic, and it allowed anyone to drain the RARE tokens staked in the contract.

The lines containing the relevant check. Source: Cointelegraph
“Unit testing would have caught this mistake,” a senior engineer at crypto insurance firm Nexus Mutual told Cointelegraph.
“It’s a stupid mistake by developers that wasn’t covered in testing (which is why full coverage is important),” said Mike Tiutin, AMLBot’s blockchain architect and chief technology officer.
AMLBot CEO Slava Demchuk came to the same conclusion. He emphasized the importance of testing, noting that this is “why smart contract logic should be rigorously audited.” He added:
“This is a tough reminder. In a distributed system, even a single-letter mistake can have serious consequences.”
Perkins said the contract had been audited and unit tested, but admitted that the bug was introduced during later changes and was not covered by the final test scenarios.
“It’s a reminder that even small changes in complex systems can have unintended consequences.”
The importance of unit testing
Unit tests are small, automated tests that check whether individual parts (“units”) of a program, usually a function or method, work as expected. Each test targets a specific behavior or output for a specific input, helping to catch bugs early.
In this case, a test checking that an unauthorized address cannot change the Merkle root would have caught the bug.
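As an added illustration (constructed for this article, not SuperRare’s code; the contract, the second authorized address and the test names are hypothetical), here is the inverted check alongside the corrected one, followed by Foundry unit tests of the kind that would have exposed it:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";

// Constructed illustration of the bug class described above: the setter for the
// Merkle root carries an authorization check whose boolean is inverted.
// Contract and address names are hypothetical, not SuperRare's.
contract MerkleRootAdmin {
    address public owner;
    address public updater;   // hypothetical second authorized address
    bytes32 public merkleRoot;
    constructor(address _updater) {
        owner = msg.sender;
        updater = _updater;
    }

    // BUGGY: the "!" negates the whole condition, so both authorized callers
    // are rejected and every other address is allowed to replace the root.
    function updateMerkleRootBuggy(bytes32 newRoot) external {
        require(!(msg.sender == owner || msg.sender == updater), "unauthorized");
        merkleRoot = newRoot;
    }

    // FIXED: revert unless the caller is one of the two authorized addresses.
    function updateMerkleRoot(bytes32 newRoot) external {
        require(msg.sender == owner || msg.sender == updater, "unauthorized");
        merkleRoot = newRoot;
    }
}

// Foundry tests that catch the inversion: one negative case (a stranger must
// be rejected) and one positive case (the owner must succeed).
contract MerkleRootAdminTest is Test {
    MerkleRootAdmin admin;
    address updater = makeAddr("updater");
    address stranger = makeAddr("stranger");

    function setUp() public { admin = new MerkleRootAdmin(updater); } // test contract is owner

    function test_StrangerCannotSetRoot() public {
        vm.prank(stranger);
        vm.expectRevert(bytes("unauthorized"));
        admin.updateMerkleRoot(bytes32(uint256(1)));
    }

    function test_OwnerCanSetRoot() public {
        admin.updateMerkleRoot(bytes32(uint256(2)));
        assertEq(admin.merkleRoot(), bytes32(uint256(2)));
    }
}
```

Point both tests at updateMerkleRootBuggy instead and both fail, since the stranger’s call succeeds and the owner’s reverts, which is exactly the signal the article says was missing from the final test run.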
“The effect is the same, whether through oversight or inadequate testing: an avoidable vulnerability that costs a lot of money,” Demchuk told Cointelegraph.
0xaw similarly stated, “Of course the problem was clearly a complete lack of testing.” He said, “It’s not the kind of code that works well under normal conditions but fails if you press it in the right place.”
“This code does the opposite of what you expect,” he added.
Perkins told Cointelegraph that SuperRare has since introduced a new workflow that requires any changes made after an audit to be re-audited.
Most vulnerabilities are oversights
0xaw said the mistake itself was a “normal human error.” What he considers the real mistake is that it “got into production and stayed there.”
0xaw emphasized that the majority of serious vulnerabilities stem from “really stupid and easily preventable mistakes.” Still, he admitted that “they are usually a little more difficult to notice than this.”
Hacken’s head of incident response, Yehor Rudytsia, agreed that thorough test coverage would have caught the flaw.
“If you review this feature, it’s a pretty obvious bug,” he said.