Paper 2022/1773

SoK: Decentralized Finance (DeFi) Attacks

Liyi Zhou, Imperial College London
Xihan Xiong, Imperial College London
Jens Ernstberger, Technical University of Munich
Stefanos Chaliasos, Imperial College London
Zhipeng Wang, Imperial College London
Ye Wang, University of Macau
Kaihua Qin, Imperial College London
Roger Wattenhofer, ETH Zurich
Dawn Song, University of California, Berkeley
Arthur Gervais, University College London
Abstract

Within just four years, the blockchain-based Decentralized Finance (DeFi) ecosystem has accumulated a peak total value locked (TVL) of more than 253 billion USD. This surge in DeFi’s popularity has, unfortunately, been accompanied by many impactful incidents. According to our data, users, liquidity providers, speculators, and protocol operators suffered a total loss of at least 3.24 billion USD from Apr 30, 2018 to Apr 30, 2022. Given the blockchain’s transparency and increasing incident frequency, two questions arise: How can we systematically measure, evaluate, and compare DeFi incidents? How can we learn from past attacks to strengthen DeFi security? In this paper, we introduce a common reference frame to systematically evaluate and compare DeFi incidents, including both attacks and accidents. We investigate 77 academic papers, 30 audit reports, and 181 real-world incidents. Our data reveals several gaps between academia and the practitioners’ community. For example, few academic papers address “price oracle attacks” and “permissonless interactions”, while our data suggests that they are the two most frequent incident types (15% and 10.5% correspondingly). We also investigate potential defenses, and find that: (i) 103 (56%) of the attacks are not executed atomically, granting a rescue time frame for defenders; (ii) SoTA bytecode similarity analysis can at least detect 31 vulnerable/23 adversarial contracts; and (iii) 33 (15.3%) of the adversaries leak potentially identifiable information by interacting with centralized exchanges.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Contact author(s)
liyi zhou @ imperial ac uk
History
2023-04-07: last of 2 revisions
2022-12-28: received
See all versions
Short URL
https://ia.cr/2022/1773
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1773,
      author = {Liyi Zhou and Xihan Xiong and Jens Ernstberger and Stefanos Chaliasos and Zhipeng Wang and Ye Wang and Kaihua Qin and Roger Wattenhofer and Dawn Song and Arthur Gervais},
      title = {{SoK}: Decentralized Finance ({DeFi}) Attacks},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1773},
      year = {2022},
      url = {https://eprint.iacr.org/2022/1773}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.