How was BEVO NFT Project Exploited


How was BEVO NFT project exploited by an attacker due to the deflationary nature of the tokens?

TL;DR

On January 30, 2023, the BEVO NFT art token $BEVO was exploited, resulting in a total loss of approximately $45,000.

Introduction to BEVO NFT

BEVO NFT art token is a DeFi payment network that uses a basket of fiat-pegged stablecoins, algorithmically stabilized by its reserve token $BEVO, to enable programmable payments and open financial infrastructure development.

Vulnerability Assessment

The underlying cause of the attack is the deflationary nature of the $BEVO token: when the attacker called a function of the contract, it decreased the total value of the token, which in turn altered the return value used to calculate the balance.

Steps

Step 1:

We took a closer look at the attack transaction executed by the exploiter.

Step 2:

The exploiter initially took a flash loan of 192.5 WBNB from PancakeSwap and swapped it through the Pancake pair to receive 757,417 $BEVO tokens.

Step 3:

The exploiter invoked the deliver function, which decreased the _rTotal value of the contract. This in turn changed the return value of the getRate function, which is used to calculate the balance.

Step 4:

They then called the skim function to transfer the increased PancakePair balance to their own account after manipulating the token balance.

Step 5:

This allowed them to swap 0 $BEVO tokens for 337 $BNB, after which the flash loan amount was repaid, leaving the exploiter with a profit of 144 $WBNB.
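
The accounting behind steps 3 and 4, as an added example that is not from the original article or the BEVO contract: a Python model of reflection-token balances showing how deliver pushes the pair's reported balance above its cached reserve, and how excluding the pair from reflections (a common hardening for this token design, assumed here rather than taken from the article) keeps that difference at zero. The class, method and account names and all amounts are constructed.

```python
from fractions import Fraction

class ReflectionToken:
    """Toy model of reflection accounting (hypothetical, not the BEVO source)."""

    def __init__(self, holders, excluded=()):
        # holders: constructed {account: token amount}; 1 token = 10**6 reflected units
        self.t_total = sum(holders.values())
        self.r_total = Fraction(self.t_total * 10**6)
        self.r_owned = {a: Fraction(t * 10**6) for a, t in holders.items()}
        # excluded accounts keep a plain token balance that ignores the rate
        self.t_owned = {a: holders[a] for a in excluded}

    def get_rate(self):
        # rate = reflected supply / token supply, with excluded accounts removed
        r_supply = self.r_total - sum(self.r_owned[a] for a in self.t_owned)
        t_supply = self.t_total - sum(self.t_owned.values())
        return r_supply / t_supply

    def balance_of(self, account):
        if account in self.t_owned:
            return self.t_owned[account]
        return int(self.r_owned[account] / self.get_rate())

    def deliver(self, account, t_amount):
        # burns the caller's reflected units and shrinks r_total, lowering the rate
        r_amount = t_amount * self.get_rate()
        self.r_owned[account] -= r_amount
        self.r_total -= r_amount


def skimmable_after_deliver(exclude_pair):
    """Tokens the pair holds above its cached reserve after a holder calls deliver."""
    holders = {"pair": 400_000, "holder": 300_000, "others": 300_000}  # constructed
    token = ReflectionToken(holders, excluded=("pair",) if exclude_pair else ())
    reserve = token.balance_of("pair")  # what the pair recorded at its last sync
    token.deliver("holder", 300_000)
    return token.balance_of("pair") - reserve


if __name__ == "__main__":
    print("pair earns reflections:", skimmable_after_deliver(False))  # 171428
    print("pair excluded:         ", skimmable_after_deliver(True))   # 0
```

The non-zero difference in the first case is the amount a skim call would hand to any caller, since the pair compares its live token balance against the reserve it stored earlier.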

Aftermath

After the incident, the price of the $BEVO token dropped by 99%.

Solution

BEVO NFT, intended to revolutionize the financial infrastructure with its innovative algorithmically stabilized reserve token, was unfortunately exploited due to an oversight related to its deflationary nature. The assailant cleverly leveraged the token's characteristics, managing to walk away with approximately $45,000.

The NFT space has grown in popularity in recent years, making it an attractive target for fraudulent actors. It is therefore crucial to conduct due diligence on the authenticity of NFT projects because of the prevalence of scams in the industry. Failure to do so could result in a financial loss, so when evaluating NFT projects, it is critical to be vigilant and cautious.

In the face of such sophisticated exploits, it's not just about creating robust smart contracts but also ensuring that there's a safety net in place for unforeseen vulnerabilities. This is where Neptune Mutual shines brightly. Had the BEVO NFT art token team allied themselves with us, incorporating a dedicated cover pool within our marketplace, the ramifications of this exploit could have been notably muted. Neptune Mutual's mainstay is offering coverage against the unexpected, ensuring that when smart contract vulnerabilities surface, affected parties have an avenue for redress.

Our specialized parametric cover policies stand as a testament to our commitment to user protection. Those insured under our policies enjoy a streamlined claim process without the need for exhaustive loss documentation. As soon as an incident finds resolution, payouts are facilitated. This immediate redress system, coupled with our presence on renowned blockchain networks like Ethereum and Arbitrum, ensures both accessibility and peace of mind for our users.

But our involvement doesn't stop here. Neptune Mutual's comprehensive approach extends to in-depth security evaluations. Our seasoned security team, well-versed in the nuances of DeFi and NFT platforms, routinely assesses platforms for potential vulnerabilities. From DNS and web security checks to backend safeguards and advanced intrusion detection, we take a holistic approach to platform security.

Reference Sources: PeckShield, BlockSec
