Liyi Zhou,Arthur Gervais,Stefanos Chaliasos,Jens Ernstberger,Ye Wang,R. Wattenhofer,Xihan Xiong,D. Song,Zhipeng Wang,Kaihua Qin

DOI: https://doi.org/10.1109/SP46215.2023.10179435

2022-08-27

Abstract:Within just four years, the blockchain-based Decentralized Finance (DeFi) ecosystem has accumulated a peak total value locked (TVL) of more than 253 billion USD. This surge in DeFi’s popularity has, unfortunately, been accompanied by many impactful incidents. According to our data, users, liquidity providers, speculators, and protocol operators suffered a total loss of at least 3.24 billion USD from Apr 30, 2018 to Apr 30, 2022. Given the blockchain’s transparency and increasing incident frequency, two questions arise: How can we systematically measure, evaluate, and compare DeFi incidents? How can we learn from past attacks to strengthen DeFi security?In this paper, we introduce a common reference frame to systematically evaluate and compare DeFi incidents, including both attacks and accidents. We investigate 77 academic papers, 30 audit reports, and 181 real-world incidents. Our data reveals several gaps between academia and the practitioners’ community. For example, few academic papers address "price oracle attacks" and "permissonless interactions", while our data suggests that they are the two most frequent incident types (15% and 10.5% correspondingly). We also investigate potential defenses, and find that: (i) 103 (56%) of the attacks are not executed atomically, granting a rescue time frame for defenders; (ii) bytecode similarity analysis can at least detect 31 vulnerable/23 adversarial contracts; and (iii) 33 (15.3%) of the adversaries leak potentially identifiable information by interacting with centralized exchanges.

Economics,Business,Computer Science

Siwei Wu,Zhou Yu,Dabao Wang,Yajin Zhou,Lei Wu,Haoyu Wang,Xingliang Yuan

DOI: https://doi.org/10.1109/tdsc.2023.3346888

2024-01-01

Abstract:The rapid growth of Decentralized Finance (DeFi) boosts the blockchain ecosystem. At the same time, attacks on DeFi applications (apps) are increasing. However, to the best of our knowledge, existing smart contract vulnerability detection tools cannot directly detect DeFi attacks. That's because they lack the capability to recover and understand high-level DeFi semantics, e.g., a user trades a token pair X and Y in a Decentralized EXchange (DEX). In this work, we focus on the detection of two new types of price manipulation attacks. To this end, we propose a platform-independent method to identify high-level DeFi semantics. Specifically, we first construct the Cash Flow Tree (CFT) from a raw transaction and then lifting the low-level semantics to high-level ones, including five advanced DeFi actions. Finally, we use patterns expressed with the recovered DeFi semantics to detect price manipulation attacks. We implemented a prototype named DeFiRanger that detected 14 zero-day security incidents. These findings were reported to affected parties or/and the community for the first time. Furthermore, the backtest experiment discovered 15 unknown historical security incidents. We further performed an attack analysis to shed light on the root causes of vulnerabilities incurring price manipulation attacks.

Wenkai Li,Jiuyang Bu,Xiaoqi Li,Hongli Peng,Yuanzheng Niu,Yuqing Zhang

DOI: https://doi.org/10.1016/j.jksuci.2022.10.028

2022-10-26

Abstract:DeFi, or Decentralized Finance, is based on a distributed ledger called blockchain technology. Using blockchain, DeFi may customize the execution of predetermined operations between parties. The DeFi system use blockchain technology to execute user transactions, such as lending and exchanging. The total value locked in DeFi decreased from \$200 billion in April 2022 to \$80 billion in July 2022, indicating that security in this area remained problematic. In this paper, we address the deficiency in DeFi security studies. To our best knowledge, our paper is the first to make a systematic analysis of DeFi security. First, we summarize the DeFi-related vulnerabilities in each blockchain layer. Additionally, application-level vulnerabilities are also analyzed. Then we classify and analyze real-world DeFi attacks based on the principles that correlate to the vulnerabilities. In addition, we collect optimization strategies from the data, network, consensus, smart contract, and application layers. And then, we describe the weaknesses and technical approaches they address. On the basis of this comprehensive analysis, we summarize several challenges and possible future directions in DeFi to offer ideas for further research.

Cryptography and Security

Wenkai Li,Jiuyang Bu,Xiaoqi Li,Xianyi Chen

DOI: https://doi.org/10.48550/arXiv.2205.09524

2022-05-19

Abstract:Decentralized finance (DeFi) in Ethereum is a financial ecosystem built on the blockchain that has locked over 200 billion USD until April 2022. All transaction information is transparent and open when transacting through the DeFi protocol, which has led to a series of attacks. Several studies have attempted to optimize it from both economic and technical perspectives. However, few works analyze the vulnerabilities and optimizations of the entire DeFi system. In this paper, we first systematically analyze vulnerabilities related to DeFi in Ethereum at several levels, then we investigate real-world attacks. Finally, we summarize the achievements of DeFi optimization and provide some future directions.

Cryptography and Security

Peng Qian,Rui Cao,Zhenguang Liu,Wenqing Li,Ming Li,Lun Zhang,Yufeng Xu,Jianhai Chen,Qinming He

DOI: https://doi.org/10.48550/arXiv.2309.02391

2023-09-07

Abstract:Decentralized Finance (DeFi) is emerging as a peer-to-peer financial ecosystem, enabling participants to trade products on a permissionless blockchain. Built on blockchain and smart contracts, the DeFi ecosystem has experienced explosive growth in recent years. Unfortunately, smart contracts hold a massive amount of value, making them an attractive target for attacks. So far, attacks against smart contracts and DeFi protocols have resulted in billions of dollars in financial losses, severely threatening the security of the entire DeFi ecosystem. Researchers have proposed various security tools for smart contracts and DeFi protocols as countermeasures. However, a comprehensive investigation of these efforts is still lacking, leaving a crucial gap in our understanding of how to enhance the security posture of the smart contract and DeFi landscape. To fill the gap, this paper reviews the progress made in the field of smart contract and DeFi security from the perspective of both vulnerability detection and automated repair. First, we analyze the DeFi smart contract security issues and challenges. Specifically, we lucubrate various DeFi attack incidents and summarize the attacks into six categories. Then, we present an empirical study of 42 state-of-the-art techniques that can detect smart contract and DeFi vulnerabilities. In particular, we evaluate the effectiveness of traditional smart contract bug detection tools in analyzing complex DeFi protocols. Additionally, we investigate 8 existing automated repair tools for smart contracts and DeFi protocols, providing insight into their advantages and disadvantages. To make this work useful for as wide of an audience as possible, we also identify several open issues and challenges in the DeFi ecosystem that should be addressed in the future.

Cryptography and Security,Software Engineering

Mingyi Liu,Jun Ho Huh,HyungSeok Han,Jaehyuk Lee,Jihae Ahn,Frank Li,Hyoungshick Kim,Taesoo Kim

2024-06-22

Abstract:Decentralized Finance (DeFi) offers a whole new investment experience and has quickly emerged as an enticing alternative to Centralized Finance (CeFi). Rapidly growing market size and active users, however, have also made DeFi a lucrative target for scams and hacks, with 1.95 billion USD lost in 2023. Unfortunately, no prior research thoroughly investigates DeFi users' security risk awareness levels and the adequacy of their risk mitigation strategies. Based on a semi-structured interview study (N = 14) and a follow-up survey (N = 493), this paper investigates DeFi users' security perceptions and commonly adopted practices, and how those affected by previous scams or hacks (DeFi victims) respond and try to recover their losses. Our analysis shows that users often prefer DeFi over CeFi due to their decentralized nature and strong profitability. Despite being aware that DeFi, compared to CeFi, is prone to more severe attacks, users are willing to take those risks to explore new investment opportunities. Worryingly, most victims do not learn from previous experiences; unlike victims studied through traditional systems, DeFi victims tend to find new services, without revising their security practices, to recover their losses quickly. The abundance of various DeFi services and opportunities allows victims to continuously explore new financial opportunities, and this reality seems to cloud their security priorities. Indeed, our results indicate that DeFi users' strong financial motivations outweigh their security concerns - much like those who are addicted to gambling. Our observations about victims' post-incident behaviors suggest that stronger control in the form of industry regulations would be necessary to protect DeFi users from future breaches.

Cryptography and Security

Shunfan Zhou,Zhemin Yang,Jie Xiang,Yinzhi Cao,Min Yang,Yuan Zhang

2020-01-01

Abstract:Smart contract security has drawn much attention due to many severe incidents with huge ether and token losses. As a consequence, researchers have proposed to detect smart contract vulnerabilities via code analysis. However, code analysis only shows what contracts can be attacked, but not what have been attacked, and more importantly, what attacks have been prevented in the real world. In this paper, we present the first comprehensive measurement study to analyze real-world attacks and defenses adopted in the wild based on the transaction logs produced by uninstrumented Ethereum Virtual Machine (EVM). Specifically, our study decouples two important factors of an adversarial transaction--i.e., (i) an adversarial action exploiting the vulnerable contract and (ii) an adversarial consequence like ether or token transfers resulted from the action--for the analysis of attacks and defenses. The results of our study reveal a huge volume of attacks beyond what have been studied in the literature, e.g., those targeting new vulnerability types like airdrop hunting and those targeting zero-day variants of known vulnerabilities. Besides successful attacks, our study also shows attempted attacks that are prevented due to the deployments of defenses. As the nature of cyber-security, those defenses have also been evaded, mainly due to incomplete defense deployments. To summarize it, we believe that this is an ever-evolving game between adversaries obtaining illegal profits and defenders shielding their own contracts.

Bin Wang,Han Liu,Chao Liu,Zhiqiang Yang,Qian Ren,Huixuan Zheng,Hong Lei

DOI: https://doi.org/10.48550/arXiv.2103.02873

2021-03-04

Abstract:Decentralized finance, i.e., DeFi, has become the most popular type of application on many public blockchains (e.g., Ethereum) in recent years. Compared to the traditional finance, DeFi allows customers to flexibly participate in diverse blockchain financial services (e.g., lending, borrowing, collateralizing, exchanging etc.) via smart contracts at a relatively low cost of trust. However, the open nature of DeFi inevitably introduces a large attack surface, which is a severe threat to the security of participants funds. In this paper, we proposed BLOCKEYE, a real-time attack detection system for DeFi projects on the Ethereum blockchain. Key capabilities provided by BLOCKEYE are twofold: (1) Potentially vulnerable DeFi projects are identified based on an automatic security analysis process, which performs symbolic reasoning on the data flow of important service states, e.g., asset price, and checks whether they can be externally manipulated. (2) Then, a transaction monitor is installed offchain for a vulnerable DeFi project. Transactions sent not only to that project but other associated projects as well are collected for further security analysis. A potential attack is flagged if a violation is detected on a critical invariant configured in BLOCKEYE, e.g., Benefit is achieved within a very short time and way much bigger than the cost. We applied BLOCKEYE in several popular DeFi projects and managed to discover potential security attacks that are unreported before. A video of BLOCKEYE is available at <a class="link-external link-https" href="https://youtu.be/7DjsWBLdlQU" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Computers and Society

Stefanos Chaliasos,Marcos Antonios Charalambous,Liyi Zhou,Rafaila Galanopoulou,Arthur Gervais,Dimitris Mitropoulos,Ben Livshits

DOI: https://doi.org/10.1145/3597503.3623302

2024-01-22

Abstract:The growth of the decentralized finance (DeFi) ecosystem built on blockchain technology and smart contracts has led to an increased demand for secure and reliable smart contract development. However, attacks targeting smart contracts are increasing, causing an estimated \$6.45 billion in financial losses. Researchers have proposed various automated security tools to detect vulnerabilities, but their real-world impact remains uncertain. In this paper, we aim to shed light on the effectiveness of automated security tools in identifying vulnerabilities that can lead to high-profile attacks, and their overall usage within the industry. Our comprehensive study encompasses an evaluation of five SoTA automated security tools, an analysis of 127 high-impact real-world attacks resulting in \$2.3 billion in losses, and a survey of 49 developers and auditors working in leading DeFi protocols. Our findings reveal a stark reality: the tools could have prevented a mere 8% of the attacks in our dataset, amounting to \$149 million out of the \$2.3 billion in losses. Notably, all preventable attacks were related to reentrancy vulnerabilities. Furthermore, practitioners distinguish logic-related bugs and protocol layer vulnerabilities as significant threats that are not adequately addressed by existing security tools. Our results emphasize the need to develop specialized tools catering to the distinct demands and expectations of developers and auditors. Further, our study highlights the necessity for continuous advancements in security tools to effectively tackle the ever-evolving challenges confronting the DeFi ecosystem.

Cryptography and Security,Software Engineering

Weilin Li,Zhun Wang,Chenyu Li,Heying Chen,Taiyu Wong,Pengyu Sun,Yufei Yu,Chao Zhang

2023-10-02

Abstract:The rapid growth and adoption of decentralized finance (DeFi) systems have been accompanied by various threats, notably those emerging from vulnerabilities in their intricate design. In our work, we introduce and define an attack strategy termed as Role-Play Attack, in which the attacker acts as multiple roles concurrently to exploit the DeFi system and cause substantial financial losses. We provide a formal definition of this strategy and demonstrate its potential impacts by revealing the total loss of \$435.1M caused by 14 historical attacks with applying this pattern. Besides, we mathematically analyzed the attacks with top 2 losses and retrofitted the corresponding attack pattern by concrete execution, indicating that this strategy could increase the potential profit for original attacks by \$3.34M (51.4%) and \$3.76M (12.0%), respectively.

Cryptography and Security

Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

Hongbo Wen,Hanzhi Liu,Jiaxin Song,Yanju Chen,Wenbo Guo,Yu Feng

DOI: https://doi.org/10.1145/3658644.3690293

2024-08-31

Abstract:Blockchain adoption has surged with the rise of Decentralized Finance (DeFi) applications. However, the significant value of digital assets managed by DeFi protocols makes them prime targets for attacks. Current smart contract vulnerability detection tools struggle with DeFi protocols due to deep logical bugs arising from complex financial interactions between multiple smart contracts. These tools primarily analyze individual contracts and resort to brute-force methods for DeFi protocols crossing numerous smart contracts, leading to inefficiency. We introduce Foray, a highly effective attack synthesis framework against deep logical bugs in DeFi protocols. Foray proposes a novel attack sketch generation and completion framework. Specifically, instead of treating DeFis as regular programs, we design a domain-specific language (DSL) to lift the low-level smart contracts into their high-level financial operations. Based on our DSL, we first compile a given DeFi protocol into a token flow graph, our graphical representation of DeFi protocols. Then, we design an efficient sketch generation method to synthesize attack sketches for a certain attack goal (e.g., price manipulation, arbitrage, etc.). This algorithm strategically identifies candidate sketches by finding reachable paths in TFG, which is much more efficient than random enumeration. For each candidate sketch written in our DSL, Foray designs a domain-specific symbolic compilation to compile it into SMT constraints. Our compilation simplifies the constraints by removing redundant smart contract semantics. It maintains the usability of symbolic compilation, yet scales to problems orders of magnitude larger. Finally, the candidates are completed via existing solvers and are transformed into concrete attacks via direct syntax transformation.

Cryptography and Security,Programming Languages

Catherine Carpentier-Desjardins,Masarah Paquet-Clouston,Stefan Kitzler,Bernhard Haslhofer

2024-10-30

Abstract:Decentralized finance (DeFi) has been the target of numerous profit-driven crimes, but the prevalence and cumulative impact of these crimes have not yet been assessed. This study provides a comprehensive assessment of profit-driven crimes targeting the DeFi sector. We collected data on 1153 crime events from 2017 to 2022. Of these, 1,048 were related to DeFi (the main focus of this study) and 105 to centralized finance (CeFi). The findings show that the entire cryptoasset industry has suffered a minimum loss of US$30B, with two thirds related to CeFi and one third to DeFi. Focusing on DeFi, a taxonomy was developed to clarify the similarities and differences among these crimes. All events were mapped onto the DeFi stack to assess the impacted technical layers, and the financial damages were quantified to gauge their scale. The results highlight that during an attack, a DeFi actor (an entity developing a DeFi technology) can serve as a direct target (due to technical vulnerabilities or exploitation of human risks), as a perpetrator (through malicious uses of contracts or market manipulations), or as an intermediary (by being imitated through, for example, phishing scams). The findings also show that DeFi actors are the first victims of crimes targeting the DeFi industry: 52.2% of events targeted them, primarily due to technical vulnerabilities at the protocol layer, and these events accounted for 83% of all financial damages. Alternatively, in 40.7% of events, DeFi actors were themselves malicious perpetrators, predominantly misusing contracts at the cryptoasset layer (e.g., rug pull scams). However, these events accounted for only 17% of all financial damages. The study offers a preliminary assessment of the size and scope of crime events within the DeFi sector and highlights the vulnerable position of DeFi actors in the ecosystem.

Cryptography and Security,Computers and Society

Fan Zhang,Patrick McCorry

DOI: https://doi.org/10.1145/3548606.3563431

2022-11-07

Abstract:Powered by blockchains, Decentralized Finance (DeFi) has grown to a significant economy covering exchanges, borrowing/lending, margin trading, derivatives, and more. While DeFi systems are gaining significant traction (e.g., they already manage tens of billions of dollars worth of assets), making them secure has proven exceptionally challenging---a staggering $1.9 billion was stolen in various hacks in the first seven months of 2022 alone.[4] The challenge faced by the research community is twofold. First, DeFi gives rise to new security problems (such as MEV) that existing methods cannot effectively address. Second, understanding DeFi and its security and privacy implications requires knowledge from a wide range of subjects, such as consensus, game theory, programming language, economics, politics, etc. The goal of this workshop is to bring together researchers from many different fields to jointly advance the understanding of DeFi security and develop new methods and solutions leveraging the interdisciplinary expertise of the community.

Business,Computer Science

Erya Jiang,Bo Qin,Qin Wang,Zhipeng Wang,Qianhong Wu,Jian Weng,Xinyu Li,Chenyang Wang,Yuhang Ding,Yanran Zhang

DOI: https://doi.org/10.48550/arXiv.2308.05282

2023-12-01

Abstract:Decentralized Finance (DeFi) is a new paradigm in the creation, distribution, and utilization of financial services via the integration of blockchain technology. Our research conducts a comprehensive introduction and meticulous classification of various DeFi applications. Beyond that, we thoroughly analyze these risks from both technical and economic perspectives, spanning multiple layers. We point out research gaps and revenues, covering technical advancements, innovative economics, and sociology and ecology optimization.

Cryptography and Security

Ayana T Aspembitova,Michael A Bentley

DOI: https://doi.org/10.3390/e25010060

2022-12-28

Abstract:Decentralized finance (DeFi) is by far the most popular application of blockchain technology. Despite the wide acceptance of new financial instruments and services, there are still many unexplored areas in the field. We dedicate this research to the understanding of one of the most crucial limitations of decentralized finance-oracles. DeFi protocols, as well as other blockchain applications, function in a closed environment and regularly need to fetch real-world information (e.g., assets' prices)-the tool used for this purpose is called an oracle. We review the existing oracle types in DeFi applications and focus our research on the least explored one: when another protocol, typically a decentralized exchange, serves as a price oracle. After explaining the mechanisms behind the decentralized exchanges, we introduce an algorithmic model that allows one to safely design a decentralized oracle and adjust crucial parameters. We believe that understanding and implementing the logic presented in the model can help to reduce the chances of price manipulations attacks, which are the most frequent incident types in DeFi.

Fan Zhang,Kaihua Qin

DOI: https://doi.org/10.1145/3576915.3624026

2023-11-15

Abstract:Decentralized Finance (DeFi) heralds a transformative moment in the realm of finance, challenging traditional intermediaries with a blockchain-centric blueprint. As DeFi burgeons, the intricate dance between its evolution and security emerges as an area of pivotal significance. This workshop navigates the multifaceted landscape of DeFi, where inherent challenges intertwine with new vulnerabilities, emphasizing the necessity for vigilant evaluations and adaptive measures to ensure the integrity of the ecosystem. It further delves into the ripple effects of regulatory scrutiny and its subsequent influence on DeFi's security matrix. As we stand on the cusp of uncharted territories, the workshop aims to provide a comprehensive discourse on DeFi's security challenges, fortified by interdisciplinary expertise, inviting participants to explore, ideate, and collaboratively forge a path towards a robust and secure DeFi paradigm.

Economics,Business,Political Science,Computer Science

Rainer Feichtinger,Robin Fritsch,Lioba Heimbach,Yann Vonlanthen,Roger Wattenhofer

2024-08-07

Abstract:Decentralized Autonomous Organizations (DAOs) are blockchain-based organizations that facilitate decentralized governance. Today, DAOs not only hold billions of dollars in their treasury but also govern many of the most popular Decentralized Finance (DeFi) protocols. This paper systematically analyses security threats to DAOs, focusing on the types of attacks they face. We study attacks on DAOs that took place in the past, attacks that have been theorized to be possible, and potential attacks that were uncovered and prevented in audits. For each of these (potential) attacks, we describe and categorize the attack vectors utilized into four categories. This reveals that while many attacks on DAOs take advantage of the less tangible and more complex human nature involved in governance, audits tend to focus on code and protocol vulnerabilities. Thus, additionally, the paper examines empirical data on DAO vulnerabilities, outlines risk factors contributing to these attacks, and suggests mitigation strategies to safeguard against such vulnerabilities.

Cryptography and Security,Computers and Society

Haotian Lu,Xuetao Wei,Ziwei Wang

DOI: https://doi.org/10.1109/MetaCom57706.2023.00074

2023-06-01

Abstract:Decentralized Finance (DeFi) has been gaining rising importance due to advanced blockchain technology and web3.0. Consequently, many decentralized finance applications (DeFi apps) have emerged, which aim to reconstruct traditional finance and provide financial services with decentralization, transparency, and autonomy. To better understand the characteristics of DeFi apps in this rapidly evolving era, in this paper, we propose to profile DeFi apps based on 666 rigorously classified DeFi apps from a multi-layer perspective, which includes the transaction layer, token layer, and value layer. Our research provides insight into the multiple layers of DeFi apps, including both the breadth and the depth of current transactions, the degree to which apps are interconnected at the level of value flow, and an initial investigation into the relationship between whale trading and market crashes, which better help DeFi app developers with app design, performance evaluation, and optimization.

Computer Science,Business

Wenkai Li,Xiaoqi Li,Yuqing Zhang,Zongwei Li

2024-05-18

Abstract:Decentralized finance (DeFi) protocols are crypto projects developed on the blockchain to manage digital assets. Attacks on DeFi have been frequent and have resulted in losses exceeding \$77 billion. However, detection methods for malicious DeFi events are still lacking. In this paper, we propose DeFiTail, the first framework that utilizes deep learning to detect access control and flash loan exploits that may occur on DeFi. Since the DeFi protocol events involve invocations with multi-account transactions, which requires execution path unification with different contracts. Moreover, to mitigate the impact of mistakes in Control Flow Graph (CFG) connections, we validate the data path by employing the symbolic execution stack. Furthermore, we feed the data paths through our model to achieve the inspection of DeFi protocols. Experimental results indicate that DeFiTail achieves the highest accuracy, with 98.39% in access control and 97.43% in flash loan exploits. DeFiTail also demonstrates an enhanced capability to detect malicious contracts, identifying 86.67% accuracy from the CVE dataset.

Cryptography and Security