Research Summary - SoK Decentralized Finance (DeFi)

TLDR

  • Why is DeFi interesting? It allows new financial services that are non-custodial, permissionless, openly auditable, and composable. While DeFi also faces many challenges and security issues, these properties can help to scale back trust assumptions and increase some aspects of efficiency in financial systems.
  • Security in DeFi is separable into “technical security” and “economic security”.
  • Technical security describes exploits that are atomic, and therefore instantaneous and risk-free, in nature. These typically abuse the technical implementations of protocols and transaction ordering/inclusion within blocks. It is best addressed with program analysis and formal specification of protocols.
  • Economic security involves the manipulation of economic equilibria over time in a non-atomic, and therefore risky, manner for an attacker. It is sparsely studied yet growing in importance. Resolving economic security requires synthesizing insights and models from across computer science, economics, and finance.

Core Research Question

The paper exhaustively delineates the DeFi security challenge into technical security and economic security, centering on the property of atomicity, and connects these categories back to the fundamental research work that is needed to make DeFi secure.

Citation

Werner, S.M., Perez, D., Gudgeon, L., Klages-Mundt, A., Harz, D., Knottenbelt, W.J.: SoK: Decentralized Finance (DeFi). arXiv preprint arXiv:2101.08778 (2021).

Background

Atomicity: A transaction property dictating that the transaction either succeeds fully, resulting in a state update, or fails entirely, leaving state unaltered, such that no execution can result in an invalid state.

Composability: A property of smart contracts that are able to communicate with one another, via message calls, within the same execution context. Composability means that smart contracts can be snapped together like Lego bricks, with the possibility of building complex interconnected financial architectures.

Miner extractable value (MEV): Blockchain miners have the ability to control the sequence in which transactions are executed. A rational miner will order transactions in ways that earn them revenues and even insert their own transactions to extract further revenues. MEV is the value that miners can extract by selectively ordering, censoring, or inserting transactions within a block or across blocks.

Governance extractable value (GEV): Many DeFi protocols have governors who perform a governance function to update the protocol over time. GEV is the value that governors can extract from the system through this role, including potentially perverse incentives to deviate from the best interest of the protocol, for instance, by effecting changes that provide outside benefit to governors but may be harmful to overall system health. GEV includes short-termism and explicit governance attacks.

Sandwich attacks/transaction ordering attacks: A type of exploit in which an attacker orders contract calls in a way to set up a profit opportunity through manipulating the technical implementation and state of a system. It usually involves inserting, or “sandwiching”, contract calls before and after a targeted contract call, usually an asset swap. It can take the form of a single transaction attack, in which a smart contract system is usually being exploited, or a multiple transaction attack, in which new transactions are inserted before and after a user-generated transaction or swap. A typical example aims to manipulate the instantaneous price at which a targeted swap is executed.

Timelock: A smart contract mechanism that requires a non-zero amount of time to pass before an action can be completed, for instance, if an action can only be completed in a subsequent block. Timelocks are often applied in the context of governance updates, so that users have time to react to proposed changes.

Summary

Consider two important views on DeFi, that of an optimist and that of a pessimist. According to the optimist, DeFi extends the innovation of non-custodial transactions to complex financial operations, enabling a non-custodial, permissionless, openly auditable, and highly composable financial system. In contrast, the pessimist views DeFi as an unregulated ecosystem that is prone to hacks and can be used to facilitate financial crime. While part of this debate is moral in nature, another part is analytical. For DeFi to fulfill the vision of the optimist, it must be secure, which is something that can in principle be evaluated with formal models.

The paper provides a concise introduction to DeFi with a focus on enabling newcomers to start evaluating the technical innovations of DeFi. This includes DeFi primitives, such as smart contracts, keepers, oracles, and governance, as well as a range of protocol types, including decentralized exchanges, protocols for loanable funds, stablecoins, portfolio management, derivatives, and privacy-preserving mixers.

The meat of the paper provides a new characterization of the security risks in DeFi, delineating between technical security and economic security. The delineation centers on atomicity: whether the attack is near-instantaneous and can costlessly fail, and is therefore risk-free, or has a non-instantaneous duration, with failure carrying a cost related to manipulating an economic equilibrium over time. The authors illustrate with many examples and exploit types and discuss the state of the art in modeling and addressing these security issues. They connect with the existing research literature and demonstrate where this literature has significant gaps, particularly around economic security.

Method

The paper is a systematization of knowledge (SoK). It overviews the new and wide space of DeFi protocol design and synthesizes new takeaways about the fundamental security problems to be solved in DeFi, both technical and economic.

Results

The researchers provide a conceptual overview of the different constructs within the DeFi ecosystem, summarized in the following figure. These start with basic distributed ledger properties, such as smart contracts and tokens, which enable DeFi primitives, like oracles, governance frameworks, and market mechanisms. DeFi protocols then assemble primitives to perform specific functions, such as asset exchange and loanable funds markets, among several others. DeFi composability then enables nested interconnections of different protocols, for instance, providing liquidity on an asset exchange that is simultaneously used as collateral in a loanable funds market.

Technical Security. The researchers classify a DeFi security risk as technical if an agent can atomically exploit the technical structure of the system, such as the sequential and atomic execution of transactions. Technical exploits can be performed near-instantaneously and risk-free because the outcomes for the attacker are binary: either the attack is successful or the transaction reverts and the attack effectively doesn’t happen. In particular, the costs of attack failure are minimal gas fees.

Technical security typically coincides with (1) manipulating an on-chain system within a single transaction, which is atomic for anyone, and (2) manipulating ordering/inclusion of transactions within the same block, which is atomic for a miner generating that block. This includes concepts such as atomic MEV and GEV, sandwich attacks and other ordering attacks, and smart contract code vulnerabilities, such as reentrancy and logic bugs.

A particularly interesting inclusion here is sandwich attacks, which are usually described under the vague term “economic risk”. An intuitive way to think of technical security is from networking smart contract “vending machines” together and exploiting the joint structure of how they are programmed. This is essentially what a sandwich attack does. While the vending machines may be motivated for economic reasons, the sandwich attack exploits the particular way that they are implemented and networked. For this reason, the researchers suggest that sandwich attacks are best understood as technical in nature.

Economic Security. A DeFi security risk is classified as economic if an exploiting agent can manipulate the incentive structure of the protocol non-atomically to realize a profit. The researchers discuss how this leads to exploits with distinctly different properties from technical exploits. Economic security exploits inherently involve manipulating a market equilibrium over some time period. Since economic exploits are non-atomic, they come with upfront tangible costs, a probability of attack failure, and risk related to mis-estimating the market response to the attack. Thus an attacker bears significant risks in performing such exploits.

Economic security includes non-atomic GEV and MEV, including chain reorganization attacks, most cross-chain MEV, as well as market manipulation exploits. A key point is that, while a hypothetical poorly designed system could allow some of these exploits in an atomic fashion, the underlying problems are not solved by removing atomicity, for instance by introducing a timelock. The remaining issues are inherent economic problems about what the market equilibria are and how they can be manipulated over time. For instance, GEV exploits could be performed atomically, but the introduction of a governance timelock doesn’t solve GEV issues entirely. Another example is using an AMM spot price as an oracle, which is technically insecure, as opposed to using a time-weighted average AMM price, which moves the problem into economic security as the time-weighted average can be manipulated non-atomically through manipulating the AMM market over time.

In market manipulation attacks, an adversary manipulates the market price of an asset over a time period in order to realize a profit in a related market, for instance, a DeFi protocol that uses the manipulated market as a price oracle. The attacker bears an upfront tangible cost here of maintaining a market imbalance over time. The researchers illustrate the potential of such an attack in Compound. In Nov 2020, DAI traded at a temporary price of $1.30 over a course of 20 minutes on Coinbase, before returning to the $1 peg.

As a result, the Compound Open Price Feed, which in part uses prices signed by Coinbase, reported a DAI price of $1.23 to Compound for a short time period. This incident triggered liquidations in Compound worth $89m, costing liquidated Compound borrowers 28% on liquidated assets. While this incident was not clearly an exploit, the market structure could be exploited in this way, allowing an attacker to profit by performing the triggered liquidations. A related exploit later occurred in the Venus Protocol.

Discussion and Key Takeaways

While DeFi may have potential to create a permissionless and noncustodial financial system, the view of the DeFi optimist, the open technical and economic security challenges remain strong. Solving these challenges in a robust and scalable way is a central challenge for researchers and DeFi practitioners.

The delineation of technical and economic security helps illuminate the fundamental challenges in DeFi. Technical security is a first bar: if a protocol is not technically secure, then it will break in the presence of rational agents. Economic security makes sense as a further bar. For instance, if a protocol’s funds can be exploited because it is not technically secure, then in an economic sense no rational agents should participate. On the other hand, economic security involves economic problems that cannot be fundamentally solved by technical means alone.

Economic security risks remain largely unexplored. Practically speaking, full understanding of economic security problems requires models of economic equilibria in these systems, and protocol incentive structures need to be designed with this understanding in mind. These models differ considerably from traditional security models and require synthesizing insights from across computer science, economics, and finance.

With high protocol composability, security risks become increasingly complex. A critical gap in DeFi research is formalizing models to quantify composability risks. This problem is elevated as a holistic view on the integrated protocols is necessary: failures might arise from both technical and economic risks.

Implications and Follow-ups

Designers of DeFi protocols need to understand and address both technical and economic security challenges, both in the protocol they are designing and in how their protocol composes with other protocols.

Technical security now has a sizable literature to draw on and is best addressed through tools such as program analysis.

Literature on economic security is sparse, with limited work on economic attacks on stablecoins, governance incentives, and time-bandit attacks. Recent work on cross-chain MEV also mostly fits in this category.

Applicability

The paper provides a basis for understanding security challenges in DeFi, both for practitioners and researchers. The paper covers how to address these issues to the extent that defensive measures exist today. Where mitigations are not yet developed, the paper discusses the next research steps that are needed as well as new mechanism proposals that may help solve underlying security issues.

9 Likes
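
The spot-price versus time-weighted-average oracle comparison from the Economic Security section of the summary, as an added example that is not part of the original post or the paper. It models a fee-less constant-product pool and shows what each oracle reads when the price is moved and restored inside one transaction, and when the imbalance has to be held across time. The `Pool` class, the reserve sizes, the 600-second window and the outside price of 1.0 are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Fee-less x*y=k pool; price is Y per unit of X. Numbers are constructed."""
    x: float
    y: float
    cumulative: float = 0.0   # running sum of price * seconds
    last: int = 0             # time of the last accumulator update

    def spot(self) -> float:
        return self.y / self.x

    def _tick(self, now: int) -> None:
        # Credit the price that was in force since the last update.
        self.cumulative += self.spot() * (now - self.last)
        self.last = now

    def buy_x(self, dy: float, now: int) -> float:
        """Pay dy of Y into the pool; returns the X received."""
        self._tick(now)
        out = self.x - (self.x * self.y) / (self.y + dy)
        self.x, self.y = self.x - out, self.y + dy
        return out

    def sell_x(self, dx: float, now: int) -> float:
        """Pay dx of X into the pool; returns the Y received."""
        self._tick(now)
        out = self.y - (self.x * self.y) / (self.x + dx)
        self.x, self.y = self.x + dx, self.y - out
        return out

    def observe(self, now: int) -> float:
        """Accumulator value at `now`, as a TWAP consumer would snapshot it."""
        self._tick(now)
        return self.cumulative


def twap(pool: Pool, start_obs: float, start_t: int, now: int) -> float:
    return (pool.observe(now) - start_obs) / (now - start_t)


def same_transaction_round_trip(window: int = 600):
    """Price is moved and restored inside one transaction at t = window."""
    pool = Pool(1000.0, 1000.0)
    start = pool.observe(0)
    got = pool.buy_x(1000.0, now=window)
    spot_mid_tx = pool.spot()             # what a spot-price oracle would report
    returned = pool.sell_x(got, now=window)
    return spot_mid_tx, twap(pool, start, 0, window), 1000.0 - returned


def held_imbalance(hold_seconds: int, window: int = 600):
    """Price is moved and must stay moved for hold_seconds of the window."""
    pool = Pool(1000.0, 1000.0)
    start = pool.observe(0)
    got = pool.buy_x(1000.0, now=window - hold_seconds)
    reading = twap(pool, start, 0, window)
    # Constructed assumption: the outside market price stays at 1.0, so the X
    # bought is worth 1.0 Y each once other traders arbitrage the pool back.
    loss_if_arbitraged = 1000.0 - got * 1.0
    return reading, loss_if_arbitraged


if __name__ == "__main__":
    print("same tx   :", same_transaction_round_trip())
    for hold in (12, 300):
        print(f"held {hold:>3}s:", held_imbalance(hold))
```

The same-transaction case costs nothing and distorts only the spot reading; moving the averaged reading requires holding the position for part of the window with capital exposed, which is the atomic versus non-atomic split the summary draws.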

Thank you very much for this post, as it gives some insight into how security needs to be addressed from different arenas instead of as a single catch-all approach. Do you have any of the researchers referencing the ACID framework?

The language seemed to be in that context, but I was unsure if they were framing it from the database management system paradigm or trying to assert that DeFi needs its own specific lexicon?

About the recent attack on BadgerDAO, was there any discussion of UI/UX by the researchers; in other words, was there any explicit acknowledgment of UI/UX problem within DeFi from which to establish a new security framing or lexicon?

5 Likes

I have some seemingly dumb questions here - but I think the same would be asked by newbie-ish ppl from time to time, so I’ll be the one asking.

Would such high dependence and composability risks trigger a blockchain equivalent subprime mortgage crisis?

You summarized the composability risks well: flash loans, malicious updates to DAO/protocol contracts, algorithmic stablecoin, protocols for loanable funds, wrapped coins and tokens, bridges between chains…

And yet we already have Black Thursday for MakerDAO - hell, we even have an insurance dapp 3F Mutual - Collective Insurance Against MakerDAO Risks - Defi Pulse Blog to hedge against such liquidation risks…

This is just from one dapp, and you already described market(oracle) manipulation well, that’s between (at least) two dapps.

I wonder, how would you personally think about this?
Would such a chain reaction/domino effect happen in the near future cause defi legos are too reliant on each other?

Apart from that, what can we do (apart from urging everyone to do their f***ing audit and don’t label your product as beta to prevent public backlash from future attacks), before thing’s too late? (that is, it’d be very appreciated if you can further clarify section 6.1.)

Thank you for your hard work. It filled in many knowledge gaps in my mind - I personally learned a lot from it, and I believe others will, too!

5 Likes

Thank you for the summary!

I have some problems with the difference between Technical Security Risk and Economic Security Risk. I saw you mentioned it’s the atomicity and also that a vulnerability that can be atomically exploited won’t be solved by removing the atomicity, therefore an economic attack in 1 transaction (e.g. the Cream yUSD Exploit) which is considered as a technical security risk can always be turned into an economic security risk. Then, we can use ways which are used to verify the economic security risk to verify this kind of risk. Why don’t we just put it into the category of economic risk?

I also came up with the attack on Fomo3D. For people who forgot or don’t know about this attack, the hacker submitted a transaction in sequential blocks that will fail by using all gas in a block when the hacker didn’t win in the block. (Details here) In this sense, maybe we can turn an economic security risk technical? (I don’t know if it’s impossible now.)

4 Likes

@aklamun Thank you so much for presenting this wonderful summary. It contains many interesting topics that are worthy to discuss.

Concerning the DeFi risks, BIS Quarterly Review, December 2021 - DeFi risks and the decentralisation illusion has a similar observation, particularly the risks that were inducted as Economic Security Risks in this paper. The report mentioned several vulnerability causes of DeFi, including high leverage, liquidity mismatches, built-in interconnectedness, and the lack of shock absorbers. What is most emphasized in this report is the “illusion of decentralization” of DeFi, which may be corresponding to GEV in the summary. It also implicitly indicates that this GEV would be one of the impediments for DeFi to be more adopted by the conventional financial system. The way it provides to resolve the risks is the governing by public authorities. Did the authors provide some approaches or discussions to reduce GEV risks? Which do you think is the most realizable except for being governed by public authorities?

2 Likes

In the study of financial institution management, one about traditional finance, risks are classified into interest rate risk, credit risk, market risk, liquidity risk…risks that do not typically result from unintended design or behavior, and some not manipulatable by individuals.

Do you think your framework should or can cover the risks that are widely discussed in traditional finance? If so, will your proposed framework remain useful as the DeFi space develops and matures? Or will these issues, especially technical security, continue to dominate as it is inherently related to the nature of DeFi?

For more context, there is one class, technology and other operational risks, that does stem from unintended behavior. But that refers to computer failure, human error, fraud, and catastrophes such as natural disasters, which do not belong to our scope of discussion.

4 Likes

I think the ACID framework would be most relevant in describing properties of transaction execution, which DeFi builds on top of.

We (I was one of the researchers) did not specifically discuss UI/UX in this work, though that is also a critical area. My first thought is that it is functionally a similar issue to non-blockchain UI/UX although the user has a lot more personal control.

3 Likes

Yes certainly, with a high composability comes a lot of potential risk. A specific example is Stableswap/Curve pools: if any asset in such a pool fails for any reason, then all LPs are effectively wiped out. And most things that build on top of these pools would be affected as well. In my opinion, we should be designing new protocols to be robust to these sorts of events. I think the best way to do that is to carefully segregate the risks the protocol is taking on. While it is not always straightforward to quantify all of these risks (and correlations are not usually the right way of measuring them), I hope that the general discussion in the SoK helps identify some of the main types.

3 Likes

One useful distinction in technical vs economic security is in understanding the type of risk taken on by the attacker. To illustrate, it’s much easier to attempt an attack if you know that at most you lose the gas fee, but potentially you come away with millions of dollars in assets. On the other hand, if you have to commit millions of dollars in assets that you would lose if the attack fails (and there is some probability that it would fail), it’s a much different story.

For your example of using all the gas in the block, the attacker would need to outbid the entire market for block space over a time horizon, which has a fairly high cost. Note that there is still a cost if the attacker is a miner–either in opportunity cost or from the fact that they may not mine each of these blocks. So in the end, the attacker would have to put a fair amount of money at risk even if the attack ends up being unsuccessful.

3 Likes

That’s a good question. We wrote a further article on GEV that discusses some ideas to help resolve it. In particular, optimistic approval, which is an optional veto mechanism that could better align incentives between protocol users and governors, and conditional cashflows, which gives governors more skin in the game in case they make poor decisions. But these are not too widely explored yet.

4 Likes

We took a particular focus in this work on security risks in DeFi as opposed to other financial risks. But you’re right that there are also many financial risks that should be considered.

In some ways, the security risks are somewhat relatable to the technology and other operational risks category. If a security risk is realized, it means a system has been somehow compromised, which is unintended behavior.

I think these sorts of security issues are core to DeFi and so are not going to go away. Although we should aim to improve best practices for mitigating them.

5 Likes

This was an interesting read and would be invaluable to anyone trying to find their way around DeFi.

So, I recently developed a keen interest for DeFi and when I searched the term here on the forum, this paper showed up.

Although a little old, its content is still up to date.

So what stood out for me?

  • Atomicity
  • Composability

Not like they are new concepts anyway. I saw them from another interesting point of view.

Let me quickly add my thoughts on one of the concepts.

Atomicity
To highlight the importance of this concept in DeFi, I will examine one application: flash loans.

A flash loan is one application of atomicity in DeFi. Flash loans generally follow a pattern:

  • You borrow some humongous amount of fund from a protocol
  • You accomplish a task like arbitraging using the borrowed fund
  • You return the fund and pay a fee for the service.
  • You pocket the profit from your effort.

All the above steps happen in an instant with the help of smart contracts.

If a smart contract finds out that certain conditions are not met on processing a flash-loan, it reverses the whole transaction back to the original point, hence mitigating the risk of asset loss. This reversal can only happen because smart contracts are designed to be atomic. It must achieve a series of tasks at a go or revert back if it can’t.

Let’s look at it from a different angle. Imagine that transactions within smart contracts are not atomic, that is, they can stop in the middle of nowhere and cannot be reversed back automatically. This might be as a result of challenges like not having enough gas fees. These are therefore the possible repercussions:

  • Protocols like Aave and Compound that offer flash loans could lose their fund as the borrower has no collateral.

  • Smart contract transactions wouldn’t be totally self executing as there would always be unresolved transactions needing third party interference for resolutions.

  • In a failed transaction, your fund could get lost in the middle of nowhere and might be irrecoverable.
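
The flash-loan pattern and the non-atomic thought experiment from the post above, as an added example that is not part of the original thread. It models a transaction as a state snapshot plus revert, then runs the same losing trade with and without atomicity to show where the lender's funds end up. The account names, amounts and the 9 basis point fee are constructed assumptions, not values from any protocol.

```python
class Revert(Exception):
    """Raised when a step fails; the whole transaction must be undone."""


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances[src] < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] += amount


def flash_loan(ledger, amount, use_funds, fee_bps=9, atomic=True):
    """Lend `amount` from 'pool' to 'borrower' for the duration of one call.

    fee_bps is a constructed fee. With atomic=False the function models the
    hypothetical non-atomic chain from the post: a failure leaves whatever
    state the completed steps produced.
    """
    snapshot = dict(ledger.balances)          # state before the transaction
    fee = amount * fee_bps // 10_000
    try:
        ledger.transfer("pool", "borrower", amount)
        use_funds(ledger)                     # borrower's own logic runs here
        ledger.transfer("borrower", "pool", amount + fee)
        return True
    except Revert:
        if atomic:
            ledger.balances = snapshot        # undo every step, including the loan
        return False


def profitable_trade(ledger):
    # Constructed arbitrage: pay venue_a, receive more from venue_b.
    ledger.transfer("borrower", "venue_a", 1_000_000)
    ledger.transfer("venue_b", "borrower", 1_005_000)


def losing_trade(ledger):
    # Constructed trade that returns less than it spent.
    ledger.transfer("borrower", "venue_a", 1_000_000)
    ledger.transfer("venue_b", "borrower", 990_000)


def run(trade, atomic=True):
    ledger = Ledger({"pool": 5_000_000, "borrower": 0,
                     "venue_a": 0, "venue_b": 2_000_000})
    ok = flash_loan(ledger, 1_000_000, trade, atomic=atomic)
    return ok, ledger.balances


if __name__ == "__main__":
    for trade, atomic in ((profitable_trade, True), (losing_trade, True),
                          (losing_trade, False)):
        print(trade.__name__, "atomic" if atomic else "non-atomic", run(trade, atomic))
```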