Systematization of Knowledge (SoK): Decentralized Finance (DeFi) Attacks
Accepted by the 44th IEEE Symposium on Security and Privacy
Liyi Zhou, Xihan Xiong, Jens Ernstberger, Stefanos Chaliasos, Zhipeng Wang, Ye Wang, Kaihua Qin, Roger Wattenhofer, Dawn Song, Arthur Gervais
Other Papers Using This Dataset
Smart Contract and DeFi Security: Insights From Tool Evaluations and Practitioner Surveys
Accepted by the 46th International Conference on Software Engineering (ICSE 2024)
Stefanos Chaliasos, Marcos Antonios Charalambous, Liyi Zhou, Rafaila Galanopoulou, Arthur Gervais, Dimitris Mitropoulos, Ben Livshits
Towards Automated Security Analysis of Smart Contracts based on Execution Property Graph
Kaihua Qin, Zhe Ye, Zhun Wang, Weilin Li, Liyi Zhou, Chao Zhang, Dawn Song, Arthur Gervais
Blockchain Large Language Models
Yu Gai*, Liyi Zhou*, Kaihua Qin, Dawn Song, Arthur Gervais
Do You Still Need a Manual Smart Contract Audit?
Isaac David, Liyi Zhou, Kaihua Qin, Dawn Song, Lorenzo Cavallaro, Arthur Gervais
Another Cat and Mouse Game
Analogous to traditional information security, DeFi incidents can be perceived as a cat-and-mouse game where defenders attempt to minimize the security risk surface and attackers seek to breach these defenses. In what follows, we extract key insights from our paper:
Understudied network+consensus layer incidents
Limited tools and studies target network & consensus incidents, suggesting undiscovered vulnerabilities.
Low coverage for protocol layer incidents
Security tools lack sufficient coverage for protocol layer vulnerabilities due to DeFi’s composability.
Repeated on-chain oracle manipulation
Ethereum & Binance Smart Chain face frequent oracle manipulations, emphasizing the need for better detection tools.
Permission-less interactions are dangerous
Uncontrolled interactions can broaden attack surfaces; a whitelist approach, for example, might mitigate risks.
The identities of the attackers may be revealed
Many attackers source funds without mixers, potentially exposing their identities via auxiliary services.
Adversaries can be front-run during the rescue time frame
Some adversaries test their code on-chain, risking being detected and front-run by defenders.
Absence of intrusion detection tools
Few incidents trigger immediate alerts, signifying a need for robust real-time detection tools.
Adversarial and vulnerable contracts are detectable
State-of-the-art analysis can detect vulnerable contracts by comparing them with known incidents.
How To Cite This Dataset?
The original dataset can be cited using the reference provided below:
@inproceedings{zhou2023sok,
title={Sok: Decentralized finance (defi) attacks},
author={Zhou, Liyi and Xiong, Xihan and Ernstberger, Jens and Chaliasos, Stefanos and Wang, Zhipeng and Wang, Ye and Qin, Kaihua and Wattenhofer, Roger and Song, Dawn and Gervais, Arthur},
booktitle={2023 IEEE Symposium on Security and Privacy (SP)},
pages={2444--2461},
year={2023},
organization={IEEE}
}
The subsequent publications have helped us revise the original dataset:
@article{chaliasos2023smart,
title={Smart contract and defi security: Insights from tool evaluations and practitioner surveys},
author={Chaliasos, Stefanos and Charalambous, Marcos Antonios and Zhou, Liyi and Galanopoulou, Rafaila and Gervais, Arthur and Mitropoulos, Dimitris and Livshits, Ben},
journal={arXiv preprint arXiv:2304.02981},
year={2023}
}
@article{qin2023towards,
title={Towards Automated Security Analysis of Smart Contracts based on Execution Property Graph},
author={Qin, Kaihua and Ye, Zhe and Wang, Zhun and Li, Weilin and Zhou, Liyi and Zhang, Chao and Song, Dawn and Gervais, Arthur},
journal={arXiv preprint arXiv:2305.14046},
year={2023}
}