You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This browser does not support PDFs. Please download the PDF to view it: <a href="{{ site.baseurl }}/assets/pdf/Incident_Analysis_of_Decentralized_Finance.pdf">Download PDF</a>
Abstract — Decentralized Finance (DeFi) has emerged as a transformative force in the financial landscape, bringing about challenges in ensuring blockchain security. This paper systematically examines prominent DeFi incidents from June 2022 to May 2023. Our findings underscore the significance of continuous vigilance in DeFi operations.
25
+
26
+
## Introduction
27
+
28
+
Blockchain technology possesses many powerful features such as decentralization, persistence, anonymity, and auditability. These features enable the emergence of innovative applications such as decentralized finance (DeFi), decentralized autonomous organizations (DAO), decentralized identities (DID), and more.
29
+
30
+
The features of DeFi have attracted a substantial influx of capital. In April 2022, the total value locked in DeFi reached a peak of 200 billion USD. Despite experiencing a significant decline afterward, as of April 2023, the total value locked in DeFi still amounts to a substantial sum of 49 billion USD.
31
+
32
+
However, the high level of transparency and anonymity in DeFi also provides attackers with opportunities to exploit capital. In March 2023, Euler Finance, a decentralized lending protocol, suffered an attack that drained cryptocurrencies equivalent to 197 million USD. Notably, up to 6 auditing firms were partnering with Euler Finance, yet none of them identified vulnerabilities resulting in this incident. This indicates that the DeFi industry still faces security challenges.
33
+
34
+
Despite previous efforts to systematically classify DeFi incidents, as well as develop scanning tools to detect vulnerabilities, DeFi incidents continue to arise frequently. We systematically categorized DeFi incidents from June 2022 to May 2023 based on prior studies. Then, we selected several scanning tools to scan these vulnerable contracts and verify whether these existing scanning tools can effectively identify vulnerabilities before attacks occur.
35
+
14
36
## Analysis of Vulnerabilities
15
37
16
38
Despite many academic institutions and businesses conducting systematic analyses, there is currently no globally accepted standard for classifying blockchain vulnerabilities and attacks. This is because blockchain technology has been evolving rapidly, and new vulnerabilities and attack methods are constantly emerging, making it difficult to devise a complete and comprehensive classification standard.
17
39
18
40
After a thorough review of research papers, the 5-layer framework proposed by Zhou, Liyi, et al. "Sok: Decentralized finance (defi) attacks" 2023 IEEE Symposium on Security and Privacy presents the most comprehensive coverage of all vulnerabilities in blockchain, shown in the following table. We have opted to utilize this framework to categorize the vulnerabilities in DeFi, as it enables a more comprehensive and precise analysis.
@@ -82,6 +109,74 @@ The protocol layer is a collection of standardized DeFi protocols that define ba
82
109
83
110
The functionalities that do not belong to the first four layers are classified as the Auxiliary Service Layer, including website management, code/contract deployment, etc. These services typically do not directly participate in the operation of the blockchain system, but they provide necessary support and management to make the blockchain system more user-friendly. In general, vulnerabilities in the auxiliary service layer are usually caused by backdoors, phishing, or trust in malicious data sources.
84
111
85
-
## Analysis of Attacks and Incidents
112
+
## Analysis of Attacks
113
+
114
+
In this section, we introduce the attack events proposed by Li et al., "Security analysis of DeFi: Vulnerabilities, attacks and advances" 2022 IEEE International Conference on Blockchain. Then, we apply these classification systems to the investigated incidents in the next section to better understand the characteristics of these incidents.
115
+
116
+
### Utilization of Flash Loan
117
+
118
+
Flash loans typically refer to the process of borrowing and repaying funds within a single block, with various transactions intertwined through smart contracts. The borrower first obtains a loan amount by pledging a certain amount of cryptocurrency assets and then using rapid trading, repayment, and other operations to achieve borrowing and repayment of funds, thereby achieving arbitrage.
119
+
120
+
### Private Key Leakage
121
+
122
+
Attackers either steal or exploit the accidental leakage of private keys from the project team, enabling them to gain unauthorized access to deploy and manage the smart contracts. With these permissions, they have the ability to arbitrarily mint and transfer tokens.
123
+
124
+
### Reentry Attack
125
+
Attackers insert malicious code within the "fallback" or other external functions, exploiting the reentrancy vulnerability inherent in such functions. By repeatedly calling functions, the attackers can execute the malicious code multiple times, bypassing the contract's intended logic and control flow.
126
+
127
+
### Arithmetic Bug
128
+
Arithmetic bugs in DeFi applications arise from flaws in mathematical operations and calculations. These bugs can result in inaccurate balances, exchange rates, or reward calculations, leading to financial losses or overpayments.
129
+
130
+
## Analysis of Incidents
131
+
132
+
We opted to the 5-layer framework proposed by Zhou, Liyi, et al. "Sok: Decentralized finance (defi) attacks" 2023 IEEE Symposium on Security and Privacy, to categorize the vulnerabilities in DeFi, as it enables a comprehensive and precise analysis.
133
+
134
+
### Data Source
135
+
136
+
The investigation scope of this paper is limited to DeFi incidents that occurred from June 2022 to May 2023, involving direct or indirect losses of 1 million USD or more. The incident data sources primarily rely on (i) [Rekt](https://rekt.news/) News; (ii) [DeFiHackLabs](https://github.com/SunWeb3Sec/DeFiHackLabs/); (iii) [Slowmist](https://www.slowmist.com/), and official post-mortem reports. To the best of our knowledge, these data sources provide timely and comprehensive coverage of the reported incidents, ensuring that significant events with losses exceeding 1 million USD are not overlooked.
137
+
138
+
This paper focuses solely on DeFi incidents. Any incidents involving CeFis (e.g. FTX, Binance), DAOs, or NFTs will not be included in the scope of this paper.
139
+
140
+
### Incidents
141
+
142
+
The final result in Table II comprises 35 events, with a total loss exceeding 950 million USD. The table provides information about the loss amount, incident type, whether they underwent professional auditing, occurrence date, and a citation to detailed post-mortem.
<figcaptionstyle="text-align: center">TABLE II: INCIDENT LAYERS, TYPES, AND CAUSES</figcaption>
147
+
</figure>
148
+
149
+
Table II reveals that out of 35 incidents, 33 victims had professional audits in place; however, this did not prevent these attacks from occurring. This underscores the need for a more thorough examination of auditing practices and a reevaluation of the factors contributing to the vulnerabilities. Upon an in-depth investigation of 35 case studies, we identified that some incidents stem from the following human errors:
150
+
- Leave Audited Risks Unresolved: Quantstamp audit suggested Nomad Bridge validate the `_leaf` input of the `Replica.sol:prove`, with QSP-19 Proving With An Empty Leaf. But the Nomad team seemed to misunderstand the issue and leave it unresolved.
151
+
- Deploy New Code Without Audit: Gym Network releases new features without being extensively audited. Dexible only had their experienced engineers review new contracts.
152
+
- Partially Audit: Kokomo Finance's audit report only covered the token contract, rather than the protocol at large. Euler Finance introduced vulnerable code `EToken.sol:donateToReserve`; however, Omniscia only performed an audit of the Chainlink integration component.
153
+
- Use Unsafe Vanity Address: Wintermute used the Profanity tool to generate addresses with multiple leading zeros. The private keys were compromised by brute force.
154
+
- Rug Pull: A member of Hope Finance deployed a fake router and deceived the other three owners into approving a multi-signature wallet, thereby siphoning off the funds. Merlin DEX directly inserted a backdoor into the contract. Certik did indeed raise this trust issue in their audit report, but Certik marked it as resolved without the code being genuinely fixed.
155
+
156
+
The practical value of an audit becomes limited when a project is unable to effectively prevent human errors. This highlights the need for rigorous processes to prevent human errors and oversights. The next section will propose some prevention methods.
Table III presents the losses, occurrence frequencies, and average losses of individual layer attack events. It is noteworthy that neither NET Layer nor CON Layer was involved in the 35 incidents. This observation suggests a higher level of security in these layers, making it challenging for attackers to target them. The most common incident causes belong to SC Layer, accounting for 22 out of 35 cases (62\%).
<figcaptionstyle="text-align: center">Fig. 1. Occurrences of Incident Causes</figcaption>
167
+
</figure>
168
+
169
+
Figure 1 shows the frequency of incident causes. In SC Layer, Access Control Mistake is the most common incident cause. Most of the victims deployed flawed authentication logic when updating new contracts. In PRO Layer, Unsafe Dependency is the most common incident cause, which implies that DeFi projects should not blindly trust external data sources, such as oracles. In AUX Layer, Faulty Operation and Greedy Operation are common causes. Preventing the leakage of private keys and guarding against rug pulls are critical aspects of security in this context.
<figcaptionstyle="text-align: center">Fig. 2. Total Loss of Incident Causes</figcaption>
174
+
</figure>
175
+
176
+
Figure 2 shows that the losses incurred due to Coding Mistake in SC Layer significantly outweigh those caused by other factors. The losses in the AUX Layer are also substantial. The losses incurred by these vulnerabilities are exceptionally costly. Even a single occurrence of such a vulnerability event could result in the flourishing project's bankruptcy.
177
+
178
+
## Security Strategy and Conclusion
86
179
87
-
TBD...
180
+
- while the majority of DeFi projects undergo professional audits, certain key issues, such as human error and oracle manipulation, are not solved. The future development of DeFi security may involve the establishment of rigorous operational standards.
181
+
- Improving the collaboration model between DeFi developers and auditors has the potential to enhance the reliability of audits.
182
+
- SmartBugs incorporates 19 open-source static code analyzers. We selectively utilized four: Mythril, Manticore, Slither, and Solhint to analyze some victims. Unfortunately, none of these tools successfully detected the vulnerabilities causing the incidents. Hence, there is still substantial room for improvement in existing code analysis tools.
0 commit comments