Security Analysis of DeFi: Vulnerabilities, Attacks and Advances
INTRODUCTION
The popularity of blockchain 2.0 technology has resulted in a wide range of related services. Decentralized finance (DeFi) is an example of a financial service built on blockchains to provide transaction transparency. From January 2020 to April 2022, the total value locked in DeFi climbed from $600 million to around $200 billion. However, there was a sharp drop in May 2022, which caused us to ponder the safety of DeFi. Attacks have emerged gradually with the rapid development of DeFi. Security incidents against DeFi continue to proliferate, and there has been a lot of research to improve the security of blockchain.
BACKGROUND
ETHEREUM: Ethereum is a public blockchain that uses Turing-complete programming languages, such as Solidity, to develop smart contracts. Anyone can deploy decentralized applications (dapps) on Ethereum that can communicate with others, and the most popular financial field is DeFi, which provides a wide range of financial services.
GAS: To avoid overuse of network resources, every transaction on Ethereum incurs a cost, and the total gas cost equals the amount of gas multiplied by gasPrice. The user who proposes a transaction sets the gasPrice, and the transaction is processed earlier if the gasPrice is high.
MINER-EXTRACTABLE VALUE (MEV): It refers to the profit miners make by performing a series of operations on the blocks they mine, such as transaction inclusion, exclusion, and reordering. Miners reorder transactions to optimize the initial ordering of transactions. Earning additional ordering optimization (OO) fees is also a source of MEV.
ANALYSIS OF VULNERABILITIES
Data Security Vulnerabilities:
Oracle Mechanism Vulnerabilities: The oracle is an automated service mechanism that allows the system to obtain off-chain asset data as input.
Inappropriate Key Management: In the DeFi ecosystem, wallets are used to manage private keys, and authentication is based on private keys in most cases. However, even the safest hardware wallets have security issues [20] caused by the design.
Consensus Mechanism Vulnerabilities:
Transaction Order Vulnerability: It means that attackers alter the initial sequence of transactions by leveraging the desire of miners for profit. The sandwich attack is an example: the attacker spies on the victim, pays a higher gas fee to miners so as to act before the victim gets asset A, and then sells A for arbitrage, since the victim’s purchase boosts the price.
Forking Vulnerability: Forking in DeFi is generally associated with transaction fee-based forks and time-bandit attacks [18]. Mining revenue incentivizes miners to perform normally, but the OO fee motivates them to reorder transactions in the block, enhancing the income.
Smart Contract Vulnerabilities:
Suicidal and Greedy Contracts: Smart contracts usually include a provision enabling the owner to have the contract commit suicide if the contract is challenged. Under a suicidal contract, this suicide procedure can be carried out for any cause. Greedy contracts do not have functions related to extraction, so the contract locks all ether and nothing can be withdrawn.
Block Info Dependency: In Ethereum, the discrepancy between successive blocks is valid when the timestamps are within 12 minutes. However, if the contract combines states in the block, the miner can control it for profit.
Unchecked External Call: The return values and arguments of an external call can affect the states, and many contracts do not check the return value, which leads to errors. When multiple functions are nested, an external call whose return value is not checked can go wrong. Smart contracts trade by using external call functions such as call() and send(). More crucially, a failed external call results in a transaction not being rolled back, which can cause logical effects.
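The unchecked external call described above, shown next to a checked version. This is an added example, not code from the paper; the contract names PayoutUnchecked and PayoutChecked, their functions, and the compiler version are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; contract and function names are hypothetical.
contract PayoutUnchecked {
    mapping(address => uint256) public owed;

    function deposit() external payable {
        owed[msg.sender] += msg.value;
    }

    // DEFECT: send() returns false on failure instead of reverting.
    // The return value is ignored, so a failed transfer still leaves
    // owed[msg.sender] at zero and the transaction is not rolled back.
    function withdraw() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        payable(msg.sender).send(amount);
    }
}

contract PayoutChecked {
    mapping(address => uint256) public owed;

    event Withdrawn(address indexed to, uint256 amount);

    function deposit() external payable {
        owed[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        // Update state before the external call.
        owed[msg.sender] = 0;
        // call() also returns a success flag rather than reverting.
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        // Reverting here restores owed[msg.sender] when the transfer fails.
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }
}
```

If the caller is a contract that rejects ether, PayoutUnchecked.withdraw() completes with the balance record erased and the funds still held by the contract, while PayoutChecked.withdraw() reverts and leaves the record intact.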
Application Layer Vulnerabilities:
Lending Market Imperfection: When the prices in the market are out of balance, it will result in bad debts for one of the participants in the market. To get more loans, attackers can boost the exchange rate on the oracle by modifying the real-time price-related status before the loan is made.
Cryptocurrency Instability: The large fluctuations of cryptocurrencies come from many reasons, one of which is the Pump-and-Dump. The instability can easily trigger liquidation procedures. Exchanges have chosen stablecoin, which is tied to the price of real money, as the pricing standard to minimize losses, but they still exist as a risk.
Design Imperfection: The attackers make use of incorrectly configured functionality or specific convenience features of DeFi platform exchanges. The flash loan is designed as a risk-free loan and a convenient improvement on ordinary lending: the borrower must borrow the flash loan, exchange it for currency, and repay the loan in a single atomic transaction.
Abusive Exposure Transaction: Exchanges disclose all transactions as soon as feasible to ensure complete behavioral transparency because off-chain matching services are not automated. Unfortunately, exchanges can restrict access to select users and launch denial-of-service attacks to dominate the market, audit transactions, and even front-run the orders.
CONCLUSION AND FUTURE DIRECTION
The focus of this paper is on the security of DeFi, and we summarize a series of security risks of DeFi by analyzing their projects deployed in Ethereum. For each vulnerability, we explore its causes with real-world cases. Finally, we investigate the optimization options for decentralized finance and suggest possible future directions.
Comprehensive knowledge of security and risk problems is critical to improving blockchain and establishing powerful defense capabilities in practice. There is a strong possibility to combine static detection with dynamic supervision technologies to protect DeFi at the consensus mechanism, smart contract, and application levels for the future development of DeFi application security.
References:
2022 IEEE International Conference on Blockchain (Blockchain)