300 research outputs found
A Survey of DeFi Security: Challenges and Opportunities
DeFi, or Decentralized Finance, is based on a distributed ledger called
blockchain technology. Using blockchain, DeFi may customize the execution of
predetermined operations between parties. The DeFi system uses blockchain
technology to execute user transactions, such as lending and exchanging. The
total value locked in DeFi decreased from $200 billion in April 2022 to $80
billion in July 2022, indicating that security in this area remained
problematic. In this paper, we address the deficiency in DeFi security studies.
To our best knowledge, our paper is the first to make a systematic analysis of
DeFi security. First, we summarize the DeFi-related vulnerabilities in each
blockchain layer. Additionally, application-level vulnerabilities are also
analyzed. Then we classify and analyze real-world DeFi attacks based on the
principles that correlate to the vulnerabilities. In addition, we collect
optimization strategies from the data, network, consensus, smart contract, and
application layers. And then, we describe the weaknesses and technical
approaches they address. On the basis of this comprehensive analysis, we
summarize several challenges and possible future directions in DeFi to offer
ideas for further research.
SoK: Decentralized Finance (DeFi) Attacks
Within just four years, the blockchain-based Decentralized Finance (DeFi)
ecosystem has accumulated a peak total value locked (TVL) of more than 253
billion USD. This surge in DeFi's popularity has, unfortunately, been
accompanied by many impactful incidents. According to our data, users,
liquidity providers, speculators, and protocol operators suffered a total loss
of at least 3.24 billion USD from Apr 30, 2018 to Apr 30, 2022. Given the
blockchain's transparency and increasing incident frequency, two questions
arise: How can we systematically measure, evaluate, and compare DeFi incidents?
How can we learn from past attacks to strengthen DeFi security?
In this paper, we introduce a common reference frame to systematically
evaluate and compare DeFi incidents, including both attacks and accidents. We
investigate 77 academic papers, 30 audit reports, and 181 real-world incidents.
Our data reveals several gaps between academia and the practitioners'
community. For example, few academic papers address "price oracle attacks" and
"permissionless interactions", while our data suggests that they are the two
most frequent incident types (15% and 10.5% correspondingly). We also
investigate potential defenses, and find that: (i) 103 (56%) of the attacks are
not executed atomically, granting a rescue time frame for defenders; (ii) SoTA
bytecode similarity analysis can at least detect 31 vulnerable/23 adversarial
contracts; and (iii) 33 (15.3%) of the adversaries leak potentially
identifiable information by interacting with centralized exchanges
Towards Understanding and Characterizing the Arbitrage Bot Scam In the Wild
This paper presents the first comprehensive analysis of an emerging
cryptocurrency scam named "arbitrage bot" disseminated on online social
networks. The scam revolves around Decentralized Exchanges (DEX) arbitrage and
aims to lure victims into executing a so-called "bot contract" to steal funds
from them.
To collect the scam at a large scale, we developed a fully automated scam
detection system named CryptoScamHunter, which continuously collects YouTube
videos and automatically detects scams. Meanwhile, CryptoScamHunter can
download the source code of the bot contract from the provided links and
extract the associated scam cryptocurrency address. Through deploying
CryptoScamHunter from Jun. 2022 to Jun. 2023, we have detected 10,442 arbitrage
bot scam videos published from thousands of YouTube accounts. Our analysis
reveals that different strategies have been utilized in spreading the scam,
including crafting popular accounts, registering spam accounts, and using
obfuscation tricks to hide the real scam address in the bot contracts.
Moreover, from the scam videos we have collected over 800 malicious bot
contracts with source code and extracted 354 scam addresses. By further
expanding the scam addresses with a similar contract matching technique, we
have obtained a total of 1,697 scam addresses. Through tracing the transactions
of all scam addresses on the Ethereum mainnet and Binance Smart Chain, we
reveal that over 25,000 victims have fallen prey to this scam, resulting in a
financial loss of up to 15 million USD.
Overall, our work sheds light on the dissemination tactics and censorship
evasion strategies adopted in the arbitrage bot scam, as well as on the scale
and impact of such a scam on online social networks and blockchain platforms,
emphasizing the urgent need for effective detection and prevention mechanisms
against such fraudulent activity.
Comment: Accepted by ACM SIGMETRICS 202
On formalising and analysing the tweetchain protocol
Distributed Ledger Technology is demonstrating its capability to provide flexible frameworks for information assurance capable of resisting Byzantine failures and multiple target attacks. The availability of development frameworks allows the definition of many applications using such a technology. On the contrary, the verification of such applications is far from being easy since testing is not enough to guarantee the absence of security problems. The paper describes an experience in the modelling and security analysis of one of these applications by means of formal methods: in particular, we consider the Tweetchain protocol as a case study and we use the Tamarin Prover tool, which supports the modelling of a protocol as a multiset rewriting system and its analysis with respect to temporal first-order properties. With the aim of making the modeling and verification process reproducible and independent of the specific protocol, we present a general structure of the Tamarin Prover model and of the properties to be verified. Finally, we discuss the strengths and limitations of the Tamarin Prover approach considering three aspects: modelling, analysis and the verification process.
Account Abstraction, Analysed
Ethereum recently unveiled its upcoming roadmap's Splurge phase,
highlighting the integration of
EIP-4337 (https://eips.ethereum.org/EIPS/eip-3074) as a foundational
standard for account abstraction (AA). AA aims to enhance user accessibility
and facilitate the expansion of functionalities. Anticipatedly, the deployment
of AA is poised to attract a broad spectrum of new users and ignite further
innovation in DApps. In this paper, we elucidate the underlying operating
mechanisms of this new concept, as well as provide a review of concurrent
advancements in accounts, wallets, and standards related to its development. We
step further by conducting a preliminary security evaluation to qualitatively
assess the extent of security enhancements achieved through AA updates.
Empirical Review of Smart Contract and DeFi Security: Vulnerability Detection and Automated Repair
Decentralized Finance (DeFi) is emerging as a peer-to-peer financial
ecosystem, enabling participants to trade products on a permissionless
blockchain. Built on blockchain and smart contracts, the DeFi ecosystem has
experienced explosive growth in recent years. Unfortunately, smart contracts
hold a massive amount of value, making them an attractive target for attacks.
So far, attacks against smart contracts and DeFi protocols have resulted in
billions of dollars in financial losses, severely threatening the security of
the entire DeFi ecosystem. Researchers have proposed various security tools for
smart contracts and DeFi protocols as countermeasures. However, a comprehensive
investigation of these efforts is still lacking, leaving a crucial gap in our
understanding of how to enhance the security posture of the smart contract and
DeFi landscape.
To fill the gap, this paper reviews the progress made in the field of smart
contract and DeFi security from the perspective of both vulnerability detection
and automated repair. First, we analyze the DeFi smart contract security issues
and challenges. Specifically, we lucubrate various DeFi attack incidents and
summarize the attacks into six categories. Then, we present an empirical study
of 42 state-of-the-art techniques that can detect smart contract and DeFi
vulnerabilities. In particular, we evaluate the effectiveness of traditional
smart contract bug detection tools in analyzing complex DeFi protocols.
Additionally, we investigate 8 existing automated repair tools for smart
contracts and DeFi protocols, providing insight into their advantages and
disadvantages. To make this work useful for as wide of an audience as possible,
we also identify several open issues and challenges in the DeFi ecosystem that
should be addressed in the future.
Comment: This paper is submitted to the journal of Expert Systems with
Applications (ESWA) for review
Automated Invariant Generation for Solidity Smart Contracts
Smart contracts are computer programs running on blockchains to automate the
transaction execution between users. The absence of contract specifications
poses a real challenge to the correctness verification of smart contracts.
Program invariants are properties that are always preserved throughout the
execution, which characterize an important aspect of the program behaviors. In
this paper, we propose a novel invariant generation framework, INVCON+, for
Solidity smart contracts. INVCON+ extends the existing invariant detector,
InvCon, to automatically produce verified contract invariants based on both
dynamic inference and static verification. Unlike INVCON+, InvCon only produces
likely invariants, which have a high probability to hold, yet are still not
verified against the contract code. Particularly, INVCON+ is able to infer more
expressive invariants that capture richer semantic relations of contract code.
We evaluate INVCON+ on 361 ERC20 and 10 ERC721 real-world contracts, as well as
common ERC20 vulnerability benchmarks. The experimental results indicate that
INVCON+ efficiently produces high-quality invariant specifications, which can
be used to secure smart contracts from common vulnerabilities.
Reap the Harvest on Blockchain: A Survey of Yield Farming Protocols
Yield farming represents an immensely popular asset management activity in
decentralized finance (DeFi). It involves supplying, borrowing, or staking
crypto assets to earn an income in forms of transaction fees, interest, or
participation rewards at different DeFi marketplaces. In this systematic
survey, we present yield farming protocols as an aggregation-layer constituent
of the wider DeFi ecosystem that interact with primitive-layer protocols such
as decentralized exchanges (DEXs) and protocols for loanable funds (PLFs). We
examine the yield farming mechanism by first studying the operations encoded in
the yield farming smart contracts, and then performing stylized, parameterized
simulations on various yield farming strategies. We conduct a thorough
literature review on related work, and establish a framework for yield farming
protocols that takes into account pool structure, accepted token types, and
implemented strategies. Using our framework, we characterize major yield
aggregators in the market including Yearn Finance, Beefy, and Badger DAO.
Moreover, we discuss anecdotal attacks against yield aggregators and generalize
a number of risks associated with yield farming.
Comment: arXiv admin note: text overlap with arXiv:2105.1389
Decentralized Autonomous Organizations and Decentralized Finance, A Bibliometric and Content Analysis
Decentralized Autonomous Organizations (DAOs) present a new technological advancement that may pose a challenge to traditional organizations in terms of governance and decision-making. DAOs offer a novel approach to organization and collaboration by implementing a decentralized, immutable, and trustless system. These organizations run on blockchain technology through the use of smart contracts, enabling autonomous and self-executing operations.
Despite their potential, DAOs still face uncertainties regarding their security, governance, and scalability, among other challenges. To determine research gaps and aid in the successful development of DAOs, this paper conducts a bibliometric and content analysis, which is currently missing from existing literature, to provide structural support for this process.
This paper identifies the most significant research streams and influential articles on DAOs, providing a comprehensive overview of the current state of this field. Moreover, it investigates the performance of major Decentralized Finance (DeFi) DAOs in light of these research streams, offering insights into their practical applications and effectiveness.
To facilitate future research in this domain, the paper proposes several research questions for each identified research stream. These questions aim to address gaps in the current understanding of DAOs, paving the way for novel research that can contribute to the development and enhancement of this innovative technology.