Penetrating the Hostile: Detecting DeFi Protocol Exploits through Cross-Contract Analysis

TL;DR

DeFiTail is a deep learning framework that detects DeFi protocol exploits by analyzing cross-contract data flows and attack logic, significantly improving detection accuracy over existing methods.

Contribution

This paper introduces DeFiTail, the first deep learning-based framework for cross-contract analysis to detect DeFi exploits, capturing attacker-victim interaction logic.

Findings

Achieves 98.39% accuracy in access control detection.

Attains 97.43% accuracy in flash loan exploit detection.

Detects 86.67% of malicious contracts in CVE dataset.

Abstract

Decentralized finance (DeFi) protocols are crypto projects developed on the blockchain to manage digital assets. Attacks on DeFi have been frequent and have resulted in losses exceeding $80 billion. Current tools detect and locate possible vulnerabilities in contracts by analyzing the state changes that may occur during malicious events. However, this victim-only approaches seldom possess the capability to cover the attacker's interaction intention logic. Furthermore, only a minuscule percentage of DeFi protocols experience attacks in real-world scenarios, which poses a significant challenge for these detection tools to demonstrate practical effectiveness. In this paper, we propose DeFiTail, the first framework that utilizes deep learning technology for access control and flash loan exploit detection. Through feeding the cross-contract static data flow, DeFiTail automatically learns the attack logic in real-world malicious events that occur on DeFi protocols, capturing the threat patterns between attacker and victim contracts. Since the DeFi protocol events involve interactions with multi-account transactions, the execution path with external and internal transactions requires to be unified. Moreover, to mitigate the impact of mistakes in Control Flow Graph (CFG) connections, DeFiTail validates the data path by employing the symbolic execution stack. Furthermore, we feed the data paths through our model to achieve the inspection of DeFi protocols. Comparative experiment results indicate that DeFiTail achieves the highest accuracy, with 98.39% in access control and 97.43% in flash loan exploits. DeFiTail also demonstrates an enhanced capability to detect malicious contracts, identifying 86.67% accuracy from the CVE dataset.