Bitcoin 
Ethereum 
XRP 
Tether 
BNB 
Solana 
USDC 
Lido Staked Ether 
Dogecoin 
TRON 
Cardano 
Wrapped stETH 
Wrapped Bitcoin 
Hyperliquid 
Stellar 
Sui 
Chainlink 
Wrapped Beacon ETH 
Bitcoin Cash 
Hedera 
Wrapped eETH 
Avalanche 
WETH 
Litecoin 
LEO Token 
Toncoin 
Ethena USDe 
Shiba Inu 
USDS 
Binance Bridged USDT (BNB Smart Chain) 
Coinbase Wrapped BTC 
WhiteBIT Coin 
Uniswap 
Polkadot 
Monero 
Bitget Token 
Pepe 
Cronos 
Ethena Staked USDe 
Aave 
Dai 
Ethena 
Bittensor 
NEAR Protocol 
Ethereum Classic 
Pi Network 
Aptos 
Ondo 
Internet Computer 
Jito Staked SOL 
OKB 
Mantle 
Kaspa 
BlackRock USD Institutional Digital Liquidity Fund 
Pudgy Penguins 
Binance-Peg WETH 
Algorand 
Bonk 
USD1 
Arbitrum 
VeChain 
Cosmos Hub 
Gate 
Render 
POL (ex-MATIC) 
Fasttoken 
Worldcoin 
Official Trump 
Artificial Superintelligence Alliance 
SPX6900 
Sei 
Sky 
Binance Staked SOL 
sUSDS 
Rocket Pool ETH 
Filecoin 
Quant 
Flare 
Kelp DAO Restaked ETH 
Story 
Lombard Staked BTC 
Jupiter Perpetuals Liquidity Provider Token 
XDC Network 
Jupiter 
KuCoin 
USDtb 
StakeWise Staked ETH 
Mantle Staked Ether 
Liquid Staked ETH 
Injective 
Curve DAO 
USDT0 
Celestia 
First Digital USD 
NEXO 
Optimism 
Renzo Restaked ETH 
Stacks 
Polygon Bridged USDT (Polygon) 
Falcon USD 
NFT trading platform SuperRare suffered a $730,000 exploit on Monday due to a basic smart contract bug that experts say could have easily been prevented with standard testing practices.
SuperRare’s (RARE) staking contract was exploited on Monday with around $731,000 worth of RARE tokens stolen, according to crypto cybersecurity firm Cyvers.
The vulnerability stems from a function meant to allow only specific addresses to modify the Merkle root, a critical data structure that determines user staking balances. However, the logic was mistakenly written to allow any address to interact with the function.
0xAw, lead developer at Base decentralized exchange Alien Base, pointed out that the mistake in question was obvious enough to be caught by ChatGPT. Cointelegraph independently verified that OpenAI’s o3 model successfully identified the flaw when tested.
Relevant code in the SuperRare token staking contract. Source: Cointelegraph
“ChatGPT would’ve caught this, any half competent Solidity dev would’ve caught this. Basically anyone, if they looked. Most likely nobody did,” 0xAw told Cointelegraph.
SuperRare co-founder Jonathan Perkins told Cointelegraph that no core protocol funds were lost, and affected users will be made whole. He said that it appears that 61 wallets are affected.
“We’ve learned from it, and now future changes will go through a much more robust review pipeline,“ he said.
Related: Crypto hacks surpass $3.1B in 2025 as access flaws persist: Hacken
Anatomy of a vulnerability
To determine whether changing the Merkle root should be allowed, the smart contract checked if the interacting address was not a specific address or the contract’s owner. This is the opposite logic to what was intended to be enforced, allowing anyone to siphon the staked RARE out of the contract.
The line containing the relevant check. Source: Cointelegraph
A senior engineer at crypto insurance firm Nexus Mutual told Cointelegraph that “unit tests would have caught this mistake.”
Mike Tiutin, blockchain architect and chief technology officer at firm AMLBot, said, “It’s a silly mistake of the developer that was not covered by tests (that’s why full coverage is important).”
AMLBot CEO Slava Demchuk also came to the same conclusion, noting that “there was no extensive testing (or a bug bounty program) that could have found it pre-deployment.” He highlighted the importance of testing, noting that it is a “classic example why smart contract logic must be rigorously audited.” He added:
“This stands as a stark reminder: in decentralized systems, even a one-character mistake can have severe consequences.”
While Perkins insisted the contracts were audited and unit-tested, he acknowledged that the bug was introduced late in the process and wasn’t covered in final test scenarios:
“It’s a painful reminder of how even small changes in complex systems can have unintended consequences.“
Related: Indian crypto exchange CoinDCX hacked, $44M drained
The importance of unit testing
Unit tests are small, automated tests that check whether individual parts (“units”) of a program — typically functions or methods — work as expected. Each test targets a specific behavior or output based on a given input, helping to catch bugs early.
In this case, the tests that verify whether addresses can or cannot call the function to modify the Merkle root would have failed.
“By oversight or inadequate testing, the effect was the same: an avoidable vulnerability that cost massively,“ Demchuk told Cointelegraph.
0xAw similarly said that “the problem was, of course, the apparently complete lack of testing.” He said that “it’s not even a kind of code that works well in normal conditions, and fails if you push it in the right places.”
“This code just does the opposite of what you expect,“ he added.
Perkins told Cointelegraph that moving forward, SuperRare has introduced new workflows that mandate re-audits for any post-audit changes, no matter how minor.
Most vulnerabilities are oversights
0xAw said that the mistake is “a normal human error.” Instead, what he views as a “monumental mistake” is that it “made it to production and stayed there.”
0xAw highlighted that the vast majority of serious vulnerabilities originate from “really stupid and easily preventable mistakes.” Still, he admitted that “they’re usually a bit harder to notice than this.”
Hacken’s head of incident response, Yehor Rudytsia, agreed that thorough test coverage would have caught the flaw.
“If reviewing this function, it’s a pretty obvious bug,” he said.
Magazine: North Korea crypto hackers tap ChatGPT, Malaysia road money siphoned: Asia Express
