Flash Crash for Cash: Cyber Threats in Decentralized Finance

TL;DR

This paper provides the first comprehensive analysis of real-world security incidents in DeFi, revealing that attackers exploit weak logic and composability to conduct market attacks, highlighting complex threats in decentralized finance.

Contribution

It offers the first holistic overview of DeFi security incidents, emphasizing attack patterns and the use of composability to exploit vulnerabilities.

Findings

Many exploits are market attacks using weak business logic.

Attackers leverage DeFi's composability to amplify exploits.

Security threats are more complex and less understood than traditional attacks.

Abstract

Decentralized Finance (DeFi) took shape in 2020. An unprecedented amount of over 14 billion USD moved into DeFi projects offering trading, loans and insurance. But its growth has also drawn the attention of malicious actors. Many projects were exploited as quickly as they launched and millions of USD were lost. While many developers understand integer overflows and reentrancy attacks, security threats to the DeFi ecosystem are more complex and still poorly understood. In this paper we provide the first overview of in-the-wild DeFi security incidents. We observe that many of these exploits are market attacks, weaponizing weakly implemented business logic in one protocol with credit provided by another to inflate appropriations. Rather than misusing individual protocols, attackers increasingly use DeFi's strength of permissionless composability against itself. By providing the first holistic analysis of real-world security incidents within the nascent financial ecosystem DeFi is, we hope to inform threat modeling in decentralized cryptoeconomic initiatives in the years ahead.