Flash Crash for Cash: Cyber Threats in Decentralized Finance
This addresses security vulnerabilities for DeFi developers and users, but it is incremental as it builds on known issues like integer overflows and reentrancy attacks.
The paper tackles the problem of security threats in Decentralized Finance (DeFi) by providing the first overview of in-the-wild incidents, revealing that attackers exploit permissionless composability to weaponize business logic and credit across protocols, resulting in millions of USD lost.
Decentralized Finance (DeFi) took shape in 2020. An unprecedented amount of over 14 billion USD moved into DeFi projects offering trading, loans and insurance. But its growth has also drawn the attention of malicious actors. Many projects were exploited as quickly as they launched and millions of USD were lost. While many developers understand integer overflows and reentrancy attacks, security threats to the DeFi ecosystem are more complex and still poorly understood. In this paper we provide the first overview of in-the-wild DeFi security incidents. We observe that many of these exploits are market attacks, weaponizing weakly implemented business logic in one protocol with credit provided by another to inflate appropriations. Rather than misusing individual protocols, attackers increasingly use DeFi's strength of permissionless composability against itself. By providing the first holistic analysis of real-world security incidents within the nascent financial ecosystem DeFi is, we hope to inform threat modeling in decentralized cryptoeconomic initiatives in the years ahead.