Wenkai Li,Jiuyang Bu,Xiaoqi Li,Hongli Peng,Yuanzheng Niu,Yuqing Zhang

DOI: https://doi.org/10.1016/j.jksuci.2022.10.028

2022-10-26

Abstract:DeFi, or Decentralized Finance, is based on a distributed ledger called blockchain technology. Using blockchain, DeFi may customize the execution of predetermined operations between parties. The DeFi system use blockchain technology to execute user transactions, such as lending and exchanging. The total value locked in DeFi decreased from \$200 billion in April 2022 to \$80 billion in July 2022, indicating that security in this area remained problematic. In this paper, we address the deficiency in DeFi security studies. To our best knowledge, our paper is the first to make a systematic analysis of DeFi security. First, we summarize the DeFi-related vulnerabilities in each blockchain layer. Additionally, application-level vulnerabilities are also analyzed. Then we classify and analyze real-world DeFi attacks based on the principles that correlate to the vulnerabilities. In addition, we collect optimization strategies from the data, network, consensus, smart contract, and application layers. And then, we describe the weaknesses and technical approaches they address. On the basis of this comprehensive analysis, we summarize several challenges and possible future directions in DeFi to offer ideas for further research.

Cryptography and Security

Wenkai Li,Jiuyang Bu,Xiaoqi Li,Xianyi Chen

DOI: https://doi.org/10.48550/arXiv.2205.09524

2022-05-19

Abstract:Decentralized finance (DeFi) in Ethereum is a financial ecosystem built on the blockchain that has locked over 200 billion USD until April 2022. All transaction information is transparent and open when transacting through the DeFi protocol, which has led to a series of attacks. Several studies have attempted to optimize it from both economic and technical perspectives. However, few works analyze the vulnerabilities and optimizations of the entire DeFi system. In this paper, we first systematically analyze vulnerabilities related to DeFi in Ethereum at several levels, then we investigate real-world attacks. Finally, we summarize the achievements of DeFi optimization and provide some future directions.

Cryptography and Security

JIANG Peipei,WANG Qian,CHEN Yanjiao,LI Qi,SHEN Chao

DOI: https://doi.org/10.11959/j.issn.1000-436x.2021035

2021-01-01

Abstract:While the security of blockchain has been the central concern of both academia and industry since the very start, new security threats continue to emerge, which poses great risks to the blockchain ecosystem.A systematic study was conducted on the most state-of-the-art research on potential security issues of blockchain.Specifically, a taxonomy was developed by considering the blockchain framework as a four-layer system, and the analysis on the most recent attacks against security loopholes in each layer was provided.Countermeasures that can strengthen the blockchain were also discussed by highlighting their fundamental ideas and comparing different solutions.Finally, the forefront of research and potential directions of blockchain security were put forward to encourage further studies on the security of blockchain.

Peng Qian,Rui Cao,Zhenguang Liu,Wenqing Li,Ming Li,Lun Zhang,Yufeng Xu,Jianhai Chen,Qinming He

DOI: https://doi.org/10.48550/arXiv.2309.02391

2023-09-07

Abstract:Decentralized Finance (DeFi) is emerging as a peer-to-peer financial ecosystem, enabling participants to trade products on a permissionless blockchain. Built on blockchain and smart contracts, the DeFi ecosystem has experienced explosive growth in recent years. Unfortunately, smart contracts hold a massive amount of value, making them an attractive target for attacks. So far, attacks against smart contracts and DeFi protocols have resulted in billions of dollars in financial losses, severely threatening the security of the entire DeFi ecosystem. Researchers have proposed various security tools for smart contracts and DeFi protocols as countermeasures. However, a comprehensive investigation of these efforts is still lacking, leaving a crucial gap in our understanding of how to enhance the security posture of the smart contract and DeFi landscape. To fill the gap, this paper reviews the progress made in the field of smart contract and DeFi security from the perspective of both vulnerability detection and automated repair. First, we analyze the DeFi smart contract security issues and challenges. Specifically, we lucubrate various DeFi attack incidents and summarize the attacks into six categories. Then, we present an empirical study of 42 state-of-the-art techniques that can detect smart contract and DeFi vulnerabilities. In particular, we evaluate the effectiveness of traditional smart contract bug detection tools in analyzing complex DeFi protocols. Additionally, we investigate 8 existing automated repair tools for smart contracts and DeFi protocols, providing insight into their advantages and disadvantages. To make this work useful for as wide of an audience as possible, we also identify several open issues and challenges in the DeFi ecosystem that should be addressed in the future.

Cryptography and Security,Software Engineering

Fan Zhang,Kaihua Qin

DOI: https://doi.org/10.1145/3576915.3624026

2023-11-15

Abstract:Decentralized Finance (DeFi) heralds a transformative moment in the realm of finance, challenging traditional intermediaries with a blockchain-centric blueprint. As DeFi burgeons, the intricate dance between its evolution and security emerges as an area of pivotal significance. This workshop navigates the multifaceted landscape of DeFi, where inherent challenges intertwine with new vulnerabilities, emphasizing the necessity for vigilant evaluations and adaptive measures to ensure the integrity of the ecosystem. It further delves into the ripple effects of regulatory scrutiny and its subsequent influence on DeFi's security matrix. As we stand on the cusp of uncharted territories, the workshop aims to provide a comprehensive discourse on DeFi's security challenges, fortified by interdisciplinary expertise, inviting participants to explore, ideate, and collaboratively forge a path towards a robust and secure DeFi paradigm.

Economics,Business,Political Science,Computer Science

Liyi Zhou,Arthur Gervais,Stefanos Chaliasos,Jens Ernstberger,Ye Wang,R. Wattenhofer,Xihan Xiong,D. Song,Zhipeng Wang,Kaihua Qin

DOI: https://doi.org/10.1109/SP46215.2023.10179435

2022-08-27

Abstract:Within just four years, the blockchain-based Decentralized Finance (DeFi) ecosystem has accumulated a peak total value locked (TVL) of more than 253 billion USD. This surge in DeFi’s popularity has, unfortunately, been accompanied by many impactful incidents. According to our data, users, liquidity providers, speculators, and protocol operators suffered a total loss of at least 3.24 billion USD from Apr 30, 2018 to Apr 30, 2022. Given the blockchain’s transparency and increasing incident frequency, two questions arise: How can we systematically measure, evaluate, and compare DeFi incidents? How can we learn from past attacks to strengthen DeFi security?In this paper, we introduce a common reference frame to systematically evaluate and compare DeFi incidents, including both attacks and accidents. We investigate 77 academic papers, 30 audit reports, and 181 real-world incidents. Our data reveals several gaps between academia and the practitioners’ community. For example, few academic papers address "price oracle attacks" and "permissonless interactions", while our data suggests that they are the two most frequent incident types (15% and 10.5% correspondingly). We also investigate potential defenses, and find that: (i) 103 (56%) of the attacks are not executed atomically, granting a rescue time frame for defenders; (ii) bytecode similarity analysis can at least detect 31 vulnerable/23 adversarial contracts; and (iii) 33 (15.3%) of the adversaries leak potentially identifiable information by interacting with centralized exchanges.

Economics,Business,Computer Science

Dabao Wang,Hang Feng,Siwei Wu,Yajin Zhou,Lei Wu,Xingliang Yuan

DOI: https://doi.org/10.1145/3545948.3545963

2022-01-01

Abstract:The prosperity of decentralized finance motivates many investors to profit via trading their crypto assets on decentralized applications (DApps for short) of the Ethereum ecosystem. Apart from Ether (the native cryptocurrency of Ethereum), many ERC20 (a widely used token standard on Ethereum) tokens obtain vast market value in the ecosystem. Specifically, the approval mechanism is used to delegate the privilege of spending users’ tokens to DApps. By doing so, the DApps can transfer these tokens to arbitrary receivers on behalf of the users. To increase the usability, unlimited approval is commonly adopted by DApps to reduce the required interaction between them and their users. However, as shown in existing security incidents, this mechanism can be abused to steal users’ tokens. In this paper, we present the first systematic study to quantify the risk of unlimited approval of ERC20 tokens on Ethereum. Specifically, by evaluating existing transactions up to 31st July 2021, we find that unlimited approval is prevalent (60%, 15.2M/25.4M) in the ecosystem, and 22% of users have a high risk of their approved tokens for stealing. After that, we investigate the security issues that are involved in interacting with the UIs of 22 representative DApps and 9 famous wallets to prepare the approval transactions. The result reveals the worrisome fact that all DApps request unlimited approval from the front-end users and only 10% (3/31) of UIs provide explanatory information for the approval mechanism. Meanwhile, only 16% (5/31) of UIs allow users to modify their approval amounts. Finally, we take a further step to characterize the user behavior into five modes and formalize the good practice, i.e., on-demand approval and timely spending, towards securely spending approved tokens. However, the evaluation result suggests that only 0.2% of users follow the good practice to mitigate the risk. Our study sheds light on the risk of unlimited approval and provides suggestions to secure the approval mechanism of the ERC20 tokens on Ethereum.

Fan Zhang,Patrick McCorry

DOI: https://doi.org/10.1145/3548606.3563431

2022-11-07

Abstract:Powered by blockchains, Decentralized Finance (DeFi) has grown to a significant economy covering exchanges, borrowing/lending, margin trading, derivatives, and more. While DeFi systems are gaining significant traction (e.g., they already manage tens of billions of dollars worth of assets), making them secure has proven exceptionally challenging---a staggering $1.9 billion was stolen in various hacks in the first seven months of 2022 alone.[4] The challenge faced by the research community is twofold. First, DeFi gives rise to new security problems (such as MEV) that existing methods cannot effectively address. Second, understanding DeFi and its security and privacy implications requires knowledge from a wide range of subjects, such as consensus, game theory, programming language, economics, politics, etc. The goal of this workshop is to bring together researchers from many different fields to jointly advance the understanding of DeFi security and develop new methods and solutions leveraging the interdisciplinary expertise of the community.

Business,Computer Science

Erya Jiang,Bo Qin,Qin Wang,Zhipeng Wang,Qianhong Wu,Jian Weng,Xinyu Li,Chenyang Wang,Yuhang Ding,Yanran Zhang

DOI: https://doi.org/10.48550/arXiv.2308.05282

2023-12-01

Abstract:Decentralized Finance (DeFi) is a new paradigm in the creation, distribution, and utilization of financial services via the integration of blockchain technology. Our research conducts a comprehensive introduction and meticulous classification of various DeFi applications. Beyond that, we thoroughly analyze these risks from both technical and economic perspectives, spanning multiple layers. We point out research gaps and revenues, covering technical advancements, innovative economics, and sociology and ecology optimization.

Cryptography and Security

Fabian Schär

DOI: https://doi.org/10.2139/ssrn.3571335

2020-01-01

SSRN Electronic Journal

Abstract:This paper explores the Decentralized Finance (DeFi) ecosystem. We examine how DeFi is emerging on top of the public Ethereum smart contract platform, compare it to the centralized architecture of traditional financial markets and highlight opportunities and potential risks of this ecosystem. We propose a multi-layered framework to analyze the implicit architecture and the various DeFi building blocks, including token standards, decentralized exchanges, decentralized debt markets, blockchain derivatives and on-chain asset management protocols. We conclude that DeFi still is a niche market with certain risks, but also has interesting properties in terms of efficiency, transparency, accessibility and interoperability. As such, it may potentially contribute to a more robust and transparent financial infrastructure.

Mingyi Liu,Jun Ho Huh,HyungSeok Han,Jaehyuk Lee,Jihae Ahn,Frank Li,Hyoungshick Kim,Taesoo Kim

2024-06-22

Abstract:Decentralized Finance (DeFi) offers a whole new investment experience and has quickly emerged as an enticing alternative to Centralized Finance (CeFi). Rapidly growing market size and active users, however, have also made DeFi a lucrative target for scams and hacks, with 1.95 billion USD lost in 2023. Unfortunately, no prior research thoroughly investigates DeFi users' security risk awareness levels and the adequacy of their risk mitigation strategies. Based on a semi-structured interview study (N = 14) and a follow-up survey (N = 493), this paper investigates DeFi users' security perceptions and commonly adopted practices, and how those affected by previous scams or hacks (DeFi victims) respond and try to recover their losses. Our analysis shows that users often prefer DeFi over CeFi due to their decentralized nature and strong profitability. Despite being aware that DeFi, compared to CeFi, is prone to more severe attacks, users are willing to take those risks to explore new investment opportunities. Worryingly, most victims do not learn from previous experiences; unlike victims studied through traditional systems, DeFi victims tend to find new services, without revising their security practices, to recover their losses quickly. The abundance of various DeFi services and opportunities allows victims to continuously explore new financial opportunities, and this reality seems to cloud their security priorities. Indeed, our results indicate that DeFi users' strong financial motivations outweigh their security concerns - much like those who are addicted to gambling. Our observations about victims' post-incident behaviors suggest that stronger control in the form of industry regulations would be necessary to protect DeFi users from future breaches.

Cryptography and Security

Stefanos Chaliasos,Marcos Antonios Charalambous,Liyi Zhou,Rafaila Galanopoulou,Arthur Gervais,Dimitris Mitropoulos,Ben Livshits

DOI: https://doi.org/10.1145/3597503.3623302

2024-01-22

Abstract:The growth of the decentralized finance (DeFi) ecosystem built on blockchain technology and smart contracts has led to an increased demand for secure and reliable smart contract development. However, attacks targeting smart contracts are increasing, causing an estimated \$6.45 billion in financial losses. Researchers have proposed various automated security tools to detect vulnerabilities, but their real-world impact remains uncertain. In this paper, we aim to shed light on the effectiveness of automated security tools in identifying vulnerabilities that can lead to high-profile attacks, and their overall usage within the industry. Our comprehensive study encompasses an evaluation of five SoTA automated security tools, an analysis of 127 high-impact real-world attacks resulting in \$2.3 billion in losses, and a survey of 49 developers and auditors working in leading DeFi protocols. Our findings reveal a stark reality: the tools could have prevented a mere 8% of the attacks in our dataset, amounting to \$149 million out of the \$2.3 billion in losses. Notably, all preventable attacks were related to reentrancy vulnerabilities. Furthermore, practitioners distinguish logic-related bugs and protocol layer vulnerabilities as significant threats that are not adequately addressed by existing security tools. Our results emphasize the need to develop specialized tools catering to the distinct demands and expectations of developers and auditors. Further, our study highlights the necessity for continuous advancements in security tools to effectively tackle the ever-evolving challenges confronting the DeFi ecosystem.

Cryptography and Security,Software Engineering

Hendrik Amler,Lisa Eckey,Sebastian Faust,Marcel Kaiser,Philipp Sandner,Benjamin Schlosser

DOI: https://doi.org/10.48550/arXiv.2101.05589

2021-01-14

Abstract:The decentralized and trustless nature of cryptocurrencies and blockchain technology leads to a shift in the digital world. The possibility to execute small programs, called smart contracts, on cryptocurrencies like Ethereum opened doors to countless new applications. One particular exciting use case is decentralized finance (DeFi), which aims to revolutionize traditional financial services by founding them on a decentralized infrastructure. We show the potential of DeFi by analyzing its advantages compared to traditional finance. Additionally, we survey the state-of-the-art of DeFi products and categorize existing services. Since DeFi is still in its infancy, there are countless hurdles for mass adoption. We discuss the most prominent challenges and point out possible solutions. Finally, we analyze the economics behind DeFi products. By carefully analyzing the state-of-the-art and discussing current challenges, we give a perspective on how the DeFi space might develop in the near future.

Cryptography and Security

Ravi Kashyap

2023-11-20

Abstract:The primary innovation we pioneer -- focused on blockchain information security -- is called the Safe-House. The Safe-House is badly needed since there are many ongoing hacks and security concerns in the DeFi space right now. The Safe-House is a piece of engineering sophistication that utilizes existing blockchain principles to bring about greater security when customer assets are moved around. The Safe-House logic is easily implemented as smart contracts on any decentralized system. The amount of funds at risk from both internal and external parties -- and hence the maximum one time loss -- is guaranteed to stay within the specified limits based on cryptographic fundamentals. To improve the safety of the Safe-House even further, we adapt the one time password (OPT) concept to operate using blockchain technology. Well suited to blockchain cryptographic nuances, our secondary advancement can be termed the one time next time password (OTNTP) mechanism. The OTNTP is designed to complement the Safe-House making it even more safe. We provide a detailed threat assessment model -- discussing the risks faced by DeFi protocols and the specific risks that apply to blockchain fund management -- and give technical arguments regarding how these threats can be overcome in a robust manner. We discuss how the Safe-House can participate with other external yield generation protocols in a secure way. We provide reasons for why the Safe-House increases safety without sacrificing the efficiency of operation. We start with a high level intuitive description of the landscape, the corresponding problems and our solutions. We then supplement this overview with detailed discussions including the corresponding mathematical formulations and pointers for technological implementation. This approach ensures that the article is accessible to a broad audience.

Cryptography and Security,Computational Engineering, Finance, and Science,Computers and Society,Portfolio Management,Risk Management

Dongming Xiang,Yuanchang Lin,Liming Nie,Yaowen Zheng,Zhengzi Xu,Zuohua Ding,Yang Liu

DOI: https://doi.org/10.1007/s10664-024-10447-7

IF: 3.762

2024-02-24

Empirical Software Engineering

Abstract:Decentralized Finance (DeFi) offers users decentralized financial services that are associated with the security of their assets. If DeFi is attacked, it could lead to considerable losses. Unfortunately, there is a lack of research on how DeFi developers respond to attacks during the development process. This lack of knowledge makes it difficult to identify which attacks to protect against and to create a comprehensive attack response system. This paper presents an empirical study to understand the current state of developers' response to attacks during the development process. In addition, we conduct an analytical framework to help developers take preventive measures against attacks. Our research has revealed that Overflow Attack-related events are the most frequent (63, 19.75% of all attack-related events), and high-value DeFi projects tend to have more feedback and active development activities. We have observed that most of the attack instances (61, 85.92%) do not have corresponding attack-related development events, which can lead to a lack of trust between project teams and users if it is unclear whether the team responds to attacks. Furthermore, we have noticed that after the resolution of the same attack-related event, some attacks may recur, even though they could have been prevented. Consequently, we suggest some future research directions and provide some advice for DeFi project developers.

computer science, software engineering

Francesca Carapella,Edward Dumas,Jacob Gerszten,Nathan Swem,Larry Wall

DOI: https://doi.org/10.17016/feds.2022.057

2022-08-30

Finance and Economics Discussion Series

Abstract:Decentralized finance (DeFi) refers to a set of newly emerging financial products and services that operate on decentralized platforms using blockchains to record and share data. DeFi products and services are conducted without a trusted central intermediary such as a bank, and they include payments, lending and borrowing, trading and investments, capital raising (crowdfunding), and insurance. An important innovation that allowed for the development of DeFi was the growth of programming capability on blockchains. This innovation allows for the creation of computer code called smart contracts that can be invoked by users without going through a centralized intermediary. DeFi may pose financial stability risks, that are exacerbated by the fact that both are currently largely outside the prudential regulatory perimeter, which we discuss.

Olawale Adisa,Bamidele Segun Ilugbusi,Ogugua Chimezie Obi,Kehinde Feranmi Awonuga,Odunayo Adewunmi Adelekan,Onyeka Franca Asuzu,Ndubuisi Leonard Ndubuisi

DOI: https://doi.org/10.30574/wjarr.2024.21.1.0321

2024-01-30

World Journal of Advanced Research and Reviews

Abstract:This study provides a comprehensive analysis of Decentralized Finance (DeFi) within the U.S. economy, focusing on its rise, challenges, and implications. The primary objective is to unravel the concept of DeFi, delineate its role in the U.S. financial landscape, and explore its historical evolution from traditional to blockchain-based finance. Employing a systematic literature review and content analysis, the study synthesizes data from academic journals, industry reports, and regulatory publications. The methodology involves a meticulous selection process, adhering to specific inclusion and exclusion criteria to ensure the relevance and quality of the literature. Key findings reveal that DeFi, underpinned by blockchain technology and smart contracts, offers innovative financial services, enhancing inclusivity and efficiency. However, it faces challenges such as regulatory uncertainties, security concerns, and scalability issues. The study highlights the significant impact of DeFi on the U.S. economy, including technological advancements, economic integration, and regulatory shifts. It also underscores the implications for various stakeholders, including investors, institutions, and regulators. The future landscape of DeFi is poised for growth, marked by technological innovations and potential integration with traditional financial systems. The study concludes with recommendations for industry stakeholders and policymakers, emphasizing the need for clear regulatory frameworks, enhanced security protocols, and consumer education. Future research directions include exploring DeFi's integration with emerging technologies and its role in addressing global financial challenges. This study contributes to the academic discourse on DeFi and offers insights for policymakers, investors, and financial institutions navigating this evolving landscape.

Raphael Auer,Bernhard Haslhofer,Stefan Kitzler,Pietro Saggese,Friedhelm Victor

DOI: https://doi.org/10.1007/s42521-023-00088-8

2023-08-01

Digital Finance

Abstract:Decentralized Finance (DeFi) is a new financial paradigm that leverages distributed ledger technologies to offer services such as lending, investing, or exchanging cryptoassets without relying on traditional centralized intermediaries. A range of DeFi protocols implements these services as a suite of smart contracts, i.e., software programs that encode the logic of conventional financial operations. Instead of transacting with a counterparty, DeFi users interact with software programs that pool the resources of other DeFi users. DeFi’s programmable and automated technology could foster efficiency and increase transparency. However, it exposes users to idiosyncratic risks, such as smart contract vulnerabilities and complex protocol interoperability. This paper provides a deep dive into the overall architecture, the technical primitives, and the financial functionalities of DeFi protocols. We analyze and explain the individual components and how they interact through the lens of a DeFi stack reference (DSR) model featuring three layers: settlement, applications and interfaces. We discuss the technical aspects of each layer of the DSR model. Then, we describe the financial services for the most relevant DeFi categories, i.e., decentralized exchanges, lending protocols, derivatives protocols and aggregators. The latter exploit the property that smart contracts can be “composed,” i.e., utilize the functionalities of other protocols to provide novel financial services. We discuss how composability allows complex financial products to be assembled, which could have applications in the traditional financial industry. We discuss potential sources of systemic risk and conclude by mapping out an agenda for research in this area.

Carlos J. Costa

2024-12-02

Abstract:This paper investigates the evolving landscape of decentralized finance (DeFi) by examining its foundational concepts, research trends, and ecosystem. A bibliometric analysis was conducted to identify thematic clusters and track the evolution of DeFi research. Additionally, a thematic review was performed to analyze the roles and interactions of key participants within the DeFi ecosystem, focusing on its opportunities and inherent risks. The bibliometric analysis identified a progression in research priorities, transitioning from an initial focus on technological innovation to addressing sustainability, environmental impacts, and regulatory challenges. Key thematic clusters include decentralization, smart contracts, tokenization, and sustainability concerns. The analysis of participants highlighted the roles of developers, liquidity providers, auditors, and regulators while identifying critical risks such as smart contract vulnerabilities, liquidity constraints, and regulatory uncertainties. The study underlines the transformative potential of DeFi to enhance financial inclusion and transparency while emphasizing the need for robust security frameworks and regulatory oversight to ensure long-term stability. This paper comprehensively explains the DeFi ecosystem by integrating bibliometric and thematic analyses. It offers valuable insights for researchers, practitioners, and policymakers, contributing to the ongoing discourse on the sustainable development and integration of DeFi into the global financial system.

Computational Engineering, Finance, and Science

Wei Ma,Chenguang Zhu,Ye Liu,Xiaofei Xie,Yi Li

2024-01-11

Abstract:Decentralized Finance (DeFi) is a prominent application of smart contracts, representing a novel financial paradigm in contrast to centralized finance. While DeFi applications are rapidly emerging on mainstream blockchain platforms, their quality varies greatly, presenting numerous challenges, particularly in terms of their governance mechanisms. In this paper, we present a comprehensive study of governance issues in DeFi applications. Drawing upon insights from industry reports and academic research articles, we develop a taxonomy to categorize these governance issues. We collect and build a dataset of 4,446 audit reports from 17 Web3 security companies, categorizing their governance issues according to our constructed taxonomy. We conducted a thorough analysis of governance issues and identified vulnerabilities in governance design and implementation, e.g., voting sybil attack and proposal front-running. Our findings highlight a significant observation: the disparity between smart contract code and DeFi whitepapers plays a central role in these governance issues. As an initial step to address the challenges of code-whitepaper consistency checks for DeFi applications, we built a machine-learning-based prototype, and validated its performance on eight widely used DeFi projects, achieving a 56.14% F1 score and a 80% recall. Our study culminates in providing several key practical implications for various DeFi stakeholders, including developers, users, researchers, and regulators, aiming to deepen the understanding of DeFi governance issues and contribute to the robust growth of DeFi systems.

Software Engineering