Paper 2022/1773
SoK: Decentralized Finance (DeFi) Attacks
Abstract
Within just four years, the blockchain-based Decentralized Finance (DeFi) ecosystem has accumulated a peak total value locked (TVL) of more than 253 billion USD. This surge in DeFi’s popularity has, unfortunately, been accompanied by many impactful incidents. According to our data, users, liquidity providers, speculators, and protocol operators suffered a total loss of at least 3.24 billion USD from Apr 30, 2018 to Apr 30, 2022. Given the blockchain’s transparency and increasing incident frequency, two questions arise: How can we systematically measure, evaluate, and compare DeFi incidents? How can we learn from past attacks to strengthen DeFi security? In this paper, we introduce a common reference frame to systematically evaluate and compare DeFi incidents, including both attacks and accidents. We investigate 77 academic papers, 30 audit reports, and 181 real-world incidents. Our data reveals several gaps between academia and the practitioners’ community. For example, few academic papers address “price oracle attacks” and “permissonless interactions”, while our data suggests that they are the two most frequent incident types (15% and 10.5% correspondingly). We also investigate potential defenses, and find that: (i) 103 (56%) of the attacks are not executed atomically, granting a rescue time frame for defenders; (ii) SoTA bytecode similarity analysis can at least detect 31 vulnerable/23 adversarial contracts; and (iii) 33 (15.3%) of the adversaries leak potentially identifiable information by interacting with centralized exchanges.
Metadata
- Available format(s)
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Contact author(s)
- liyi zhou @ imperial ac uk
- History
- 2023-04-07: last of 2 revisions
- 2022-12-28: received
- See all versions
- Short URL
- https://ia.cr/2022/1773
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2022/1773, author = {Liyi Zhou and Xihan Xiong and Jens Ernstberger and Stefanos Chaliasos and Zhipeng Wang and Ye Wang and Kaihua Qin and Roger Wattenhofer and Dawn Song and Arthur Gervais}, title = {{SoK}: Decentralized Finance ({DeFi}) Attacks}, howpublished = {Cryptology {ePrint} Archive, Paper 2022/1773}, year = {2022}, url = {https://eprint.iacr.org/2022/1773} }