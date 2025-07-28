A Tornado Cash user hacked the staking contract of NFT gallery firm SuperRare today, stealing roughly $730,000 worth of RARE tokens.

Crypto security analysts Peckshield first noticed the substantial loss while Cyvers Alerts reported that the attacker had previously used crypto mixer Tornado Cash 186 days ago.

SlowMist claims the exploit was caused by a faulty permission check in the “updateMerkleRoot function” that allowed the hacker to modify the staking contract and claim tokens for themselves.

🚨ALERT🚨Our system has detected a malicious transaction targeting a @SuperRare staking contract.



The attacker’s address, funded via @TornadoCash approximately 186 days ago, executed the exploit and gained 731K worth of $RARE.



The stolen funds currently remain in the attacker’s… pic.twitter.com/9CZ6IG4b4B — 🚨 Cyvers Alerts 🚨 (@CyversAlerts) July 28, 2025

SuperRare is an NFT art firm with multiple physical galleries in New York. The firm has generated over $328 million in trading volume since it was founded in 2018 and created the RARE token in 2021.

Shark Tank presenter Mark Cuban lost $870,000 worth of crypto, including a batch of RARE tokens, when he unknowingly downloaded a fake MetaMask wallet application that drained his wallet.

There’s a chance that today’s exploiter will use Tornado Cash again and attempt to launder their ill-gotten gains. The crypto mixer is hailed by crypto privacy advocates for anonymising crypto transactions, but it’s also popular with hackers attempting to launder any illegally obtained crypto.

Tornado Cash is currently on trial in the US, and the case’s outcome may change free speech rights dramatically, as prosecutors seek to criminalise the individuals creating code for open-source privacy software, an action currently protected under free speech.

Protos has reached out to SuperRare for comment and will update this piece should we hear anything back.

