Abstract
The growing adoption of decentralized finance poses new security risks, as designing increasingly complex financial models is error-prone. We have witnessed numerous DeFi projects hacked (for tens of millions of dollars) because of unsound liquidation conditions, asset pricing, or position management, etc. To address these issues, we present a systematic way of finding vulnerabilities in DeFi projects based on automatically extracting financial models from smart contracts and reasoning about them symbolically using either a model checker or an interactive theorem prover. Specifically, we (i) formalized the concept of soundness in the financial model of a DeFi project which captures an interesting class of exploits (flash-loan attacks), and (ii) built a domain-specific language to automatically extract models from smart contracts and search possible exploits or prove their soundness. To demonstrate the capability of our approach, we model variants of most DeFi projects with a TVL (total value locked) larger than 20M USD (totaling about 8B USD TVL) and check their soundness. The result showed that we can automatically find both previous exploits and potential new flaws in DeFi.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
see appendix A.
- 2.
the bZx attack on Feb.15th, 2020, shown in appendix A.
References
Daian, P., et al.: Flash boys 2.0: Frontrunning, transaction reordering, and consensus instability in decentralized exchanges. arXiv preprint arXiv:1904.05234 (2019)
Georgiev, G.: Yam finance crashes over 90%, founder admits his failure (2020). https://cryptopotato.com/yam-finance-crashes-over-90-founder-admits-his-failure/
Hajdu, Á., Jovanović, D.: Solc-verify: a modular verifier for solidity smart contracts. arXiv preprint arXiv:1907.04262 (2019)
Luu, L., Chu, D.H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 254–269. ACM (2016)
Permenev, A., Dimitrov, D., Tsankov, P., Drachsler-Cohen, D., Vechev, M.: Verx: Safety verification of smart contracts. Security and Privacy 2020 (2019)
Riley, D.: \$25m in cryptocurrency stolen in hack of lendf.me and uniswap (2020). https://siliconangle.com/2020/04/19/25m-cryptocurrency-stolen-hack-lendf-uniswap/
Seshia, S.A., Subramanyan, P.: Uclid 5: Integrating modeling, verification, synthesis and learning. In: 2018 16th ACM/IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE). pp. 1–10, October 2018. https://doi.org/10.1109/MEMCOD.2018.8556946
Sjöberg, V., Sang, Y., Weng, S.c., Shao, Z.: Deepsea: a language for certified system software. In: Proceedings of the ACM on Programming Languages 3(OOPSLA), pp. 1–27 (2019)
Team, A.: Aave developers doc (2020). https://docs.aave.com/developers/
Wang, Yuepeng, et al.: Formal verification of workflow policies for smart contracts in azure blockchain. In: Chakraborty, Supratik, Navas, Jorge A.. (eds.) VSTTE 2019. LNCS, vol. 12031, pp. 87–106. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41600-3_7
Williams, M.: Rising defi protocol balancer loses \$500,000 to hacker in pool exploit (updated) (2020). https://www.bitcoininsider.org/article/89413/rising-defi-protocol-balancer-loses-500000-hacker-pool-exploit-updated
Zhou, L., Qin, K., Cully, A., Livshits, B., Gervais, A.: On the just-in-time discovery of profit-generating transactions in defi protocols. arXiv preprint arXiv:2103.02228 (2021)
Acknowledgement
We would like to acknowledge the contribution of many colleagues on various related projects at CertiK, especially Ronghui Gu, Dan She, Jialiang Chang, Junhong Chen and Zhaozhong Ni.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Past Exploits on DeFi Projects
A Past Exploits on DeFi Projects
Rights and permissions
Copyright information
© 2021 International Financial Cryptography Association
About this paper
Cite this paper
Sun, X., Lin, S., Sjöberg, V., Jie, J. (2021). How to Exploit a DeFi Project. In: Bernhard, M., et al. Financial Cryptography and Data Security. FC 2021 International Workshops. FC 2021. Lecture Notes in Computer Science(), vol 12676. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-63958-0_14
Download citation
DOI: https://doi.org/10.1007/978-3-662-63958-0_14
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-63957-3
Online ISBN: 978-3-662-63958-0
eBook Packages: Computer ScienceComputer Science (R0)