3 min read

How was BEVO NFT Project Exploited

How was BEVO NFT project exploited by an attacker due to the deflationary nature of the tokens?

Bevo nft project exploit


On January 30, 2023, the BEVO NFT art token $BEVO was exploited resulting in a total loss of approximately $45,000.

Introduction to BEVO NFT#

BEVO NFT art token is a DeFi payment network that uses a basket of fiat-pegged stable coin, algorithmically stabilized by its reserve token $BEVO to enable programmable payments and open financial infrastructure development.

Vulnerability Assessment#

The underlying cause of the attack is the deflationary nature of the $BEVO token; hence, when the attacker called a function of the contract, it decreased the total value of the token, which in turn altered the return value used to calculate the balance.


Step 1:

We took a closer look at the attack transaction executed by the exploiter.

Step 2:

The exploiter initially took a flash loan of 192.5 WBNB from PancakeSwap, and swapped them with the Pancake pair in order to receive 757,417 $BEVO tokens.

Step 3:

The exploiter invoked the deliver function, which decreased the _rTotal value of the contract. This further influenced the return value of getRate function, which is used to calculate the balance.

Step 4:

They then called the skim function to transfer the increased PancakePair balance to their own account after manipulating the token balance.

Step 5:

This allowed them to swap 0 $BEVO tokens for 337 $BNB, after which the flash loan amount was repaid leaving the exploiter with the profit of 144 $WBNB.


After the incident, the price of $BEVO token dropped by 99%.


The NFT space has grown in popularity in recent years, making it an attractive target for fraudulent actors. It is therefore crucial to conduct due diligence on the authenticity of NFT projects because of the prevalence of scams in the industry. Failure to do so could result in a financial loss, so when evaluating NFT projects, it is critical to be vigilant and cautious.

We may not have prevented the occurrence of this hack, however the impact or aftermath of this attack could have been significantly reduced if the team associated with BEVO NFT Art token had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.

Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference Sources PeckShield, BlockSec