- Why is DeFi interesting? It allows new financial services that are non-custodial, permissionless, openly auditable, and composable. While DeFi also faces many challenges and security issues, these properties can help to scale back trust assumptions and increase some aspects of efficiency in financial systems.
- Security in DeFi is separable into “technical security” and “economic security”.
- Technical security describes exploits that are atomic, and therefore instantaneous and risk-free, in nature. These typically abuse the technical implementations of protocols and transaction ordering/inclusion within blocks. It is best addressed with program analysis and formal specification of protocols.
- Economic security involves the manipulation of economic equilibria over time in a non-atomic, and therefore risky, manner for an attacker. It is sparsely studied yet growing in importance. Resolving economic security requires synthesizing insights and models from across computer science, economics, and finance.
The paper exhaustively delineates the DeFi security challenge into technical security and economic security, centering on the property of atomicity, and connects these categories back to the fundamental research work that is needed to make DeFi secure.
Atomicity: A transaction property dictating that the transaction either succeeds fully, resulting in a state update, or fails entirely, leaving state unaltered, such that no execution can result in an invalid state.
Composability: A property of smart contracts that are able to communicate with one another, via message calls, within the same execution context. Composability means that smart contracts can be snapped together like Lego bricks, with the possibility of building complex interconnected financial architectures.
Miner extractable value (MEV): Blockchain miners have the ability to control the sequence in which transactions are executed. A rational miner will order transactions in ways that earn them revenues and even insert their own transactions to extract further revenues. MEV is the value that miners can extract by selectively ordering, censoring, or inserting transactions within a block or across blocks.
Governance extractable value (GEV): Many DeFi protocols have governors who perform a governance function to update the protocol over time. GEV is the value that governors can extract from the system through this role, including potentially perverse incentives to deviate from the best interest of the protocol, for instance, by effecting changes that provide outside benefit to governors but may be harmful to overall system health. GEV includes short-termism and explicit governance attacks.
Sandwich attacks/transaction ordering attacks: A type of exploit in which an attacker orders contract calls in a way to set up a profit opportunity through manipulating the technical implementation and state of a system. It usually involves inserting, or “sandwiching”, contract calls before and after a targeted contract call, usually an asset swap. It can take the form of a single transaction attack, in which a smart contract system is usually being exploited, or a multiple transaction attack, in which new transactions are inserted before and after a user-generated transaction or swap. A typical example aims to manipulate the instantaneous price at which a targeted swap is executed.
Timelock: A smart contract mechanism that requires a non-zero amount of time to pass before an action can be completed, for instance, if an action can only be completed in a subsequent block. Timelocks are often applied in the context of governance updates, so that users have time to react to proposed changes.
Consider two important views on DeFi, that of an optimist and that of a pessimist. According to the optimist, DeFi extends the innovation of non-custodial transactions to complex financial operations, enabling a non-custodial, permissionless, openly auditable, and highly composable financial system. In contrast, the pessimist views DeFi as an unregulated ecosystem prone to hacks and that can be used to facilitate financial crime. While part of this debate is moral in nature, another part is analytical. For DeFi to fulfill the vision of the optimist, it must be secure, which is something that can in principle be evaluated with formal models.
The paper provides a concise introduction to DeFi with a focus on enabling newcomers to start evaluating the technical innovations of DeFi. This includes DeFi primitives, such as smart contracts, keepers, oracles, and governance, as well as a range of protocol types, including decentralized exchanges, protocols for loanable funds, stablecoins, portfolio management, derivatives, and privacy-preserving mixers.
The meat of the paper provides a new characterization of the security risks in DeFi, delineating between technical security and economic security. The delineation centers on atomicity: whether the attack is near-instantaneous and can costlessly fail, and is therefore risk-free, or has a non-instantaneous duration and where failure comes with a cost related to manipulating an economic equilibrium over time. They illustrate with many examples and exploit types and discuss the state of the art in modeling and addressing these security issues. They connect with the existing research literature and demonstrate where this literature has significant gaps, particularly around economic security.
The paper is a systematization of knowledge (SoK). It overviews the new and wide space of DeFi protocol design and synthesizes new takeaways about the fundamental security problems to be solved in DeFi, both technical and economic.
The researchers provide a conceptual overview of the different constructs within the DeFi ecosystem, summarized in the following figure. These start with basic distributed ledger properties, such as smart contracts and tokens, which enable DeFi primitives, like oracles, governance frameworks, and market mechanisms. DeFi protocols then assemble primitives to perform specific functions, such as asset exchange and loanable funds markets, among several others. DeFi composability then enables nested interconnections of different protocols, for instance, providing liquidity on an asset exchange that is simultaneously used as collateral in a loanable funds market.
Technical Security. The researchers classify a DeFi security risk as technical if an agent can atomically exploit the technical structure of the system, given the sequential and atomic execution of transactions. Technical exploits can be performed near-instantaneously and risk-free because the outcomes for the attacker are binary: either the attack is successful or the transaction reverts and the attack effectively doesn’t happen. In particular, the costs of attack failure are minimal gas fees.
Technical security typically coincides with (1) manipulating an on-chain system within a single transaction, which is atomic for anyone, and (2) manipulating ordering/inclusion of transactions within the same block, which is atomic for a miner generating that block. This includes concepts such as atomic MEV and GEV, sandwich attacks and other ordering attacks, and smart contract code vulnerabilities, such as reentrancy and logic bugs.
A particularly interesting inclusion here is sandwich attacks, which are usually described under the vague term “economic risk”. An intuitive way to think of technical security is as networking smart contract “vending machines” together and exploiting the joint structure of how they are programmed. This is essentially what a sandwich attack does. While the vending machines may be motivated by economic reasons, the sandwich attack exploits the particular way that they are implemented and networked. For this reason, the researchers suggest that sandwich attacks are best understood as technical in nature.
Economic Security. A DeFi security risk is classified as economic if an exploiting agent can manipulate the incentive structure of the protocol non-atomically to realize a profit. The researchers discuss how this leads to exploits with distinctly different properties from technical exploits. Economic security exploits inherently involve manipulating a market equilibrium over some time period. Since economic exploits are non-atomic, they come with upfront tangible costs, a probability of attack failure, and risk related to mis-estimating the market response to the attack. Thus an attacker bears significant risks in performing such exploits.
Economic security includes non-atomic GEV and MEV, including chain reorganization attacks, most cross-chain MEV, as well as market manipulation exploits. A key point is that, while a hypothetical poorly designed system could allow some of these exploits in an atomic fashion, the underlying problems are not solved by removing atomicity, for instance by introducing a timelock. The remaining issues are inherent economic problems about what the market equilibria are and how they can be manipulated over time. For instance, GEV exploits could be performed atomically, but the introduction of a governance timelock doesn’t solve GEV issues entirely. Another example is using an AMM spot price as an oracle, which is technically insecure, as opposed to using a time-weighted average AMM price, which moves the problem into economic security as the time-weighted average can be manipulated non-atomically through manipulating the AMM market over time.
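To make the spot-versus-TWAP distinction concrete, here is an added toy simulation (not from the paper, and not any real protocol's code): a fee-less constant-product pool with a Uniswap-v2-style cumulative-price accumulator. A same-transaction round trip moves the spot price at zero cost but leaves the TWAP untouched, whereas moving the TWAP requires keeping capital in the pool over part of the window, during which the market's response (an assumed arbitrageur) becomes a realized loss. Pool sizes, window lengths and the arbitrageur's trade are constructed values.

```python
from dataclasses import dataclass


@dataclass
class ConstantProductAMM:
    """Fee-less x*y=k pool with a cumulative-price accumulator (constructed toy, not a real protocol)."""
    reserve_x: float
    reserve_y: float
    price_cumulative: float = 0.0  # sum of spot_price * elapsed seconds; zero elapsed time adds nothing
    last_timestamp: int = 0

    def spot_price(self) -> float:
        return self.reserve_y / self.reserve_x  # price of x in y, readable mid-transaction

    def _accumulate(self, now: int) -> None:
        self.price_cumulative += self.spot_price() * (now - self.last_timestamp)
        self.last_timestamp = now

    def swap(self, dx: float, dy: float, now: int) -> float:
        """Deposit dx of x (with dy == 0) or dy of y (with dx == 0); returns the other asset paid out."""
        self._accumulate(now)
        k = self.reserve_x * self.reserve_y
        if dx:
            self.reserve_x += dx
            out, self.reserve_y = self.reserve_y - k / self.reserve_x, k / self.reserve_x
        else:
            self.reserve_y += dy
            out, self.reserve_x = self.reserve_x - k / self.reserve_y, k / self.reserve_y
        return out

    def twap(self, cum_start: float, t_start: int, now: int) -> float:
        self._accumulate(now)
        return (self.price_cumulative - cum_start) / (now - t_start)


def atomic_manipulation_reading(pool: ConstantProductAMM, dx: float, now: int):
    """Single transaction: push the price, read both oracles, unwind. Returns (spot, twap, net cost in x)."""
    got_y = pool.swap(dx, 0, now)
    spot = pool.spot_price()           # spot oracle: fully manipulated
    twap = pool.twap(0.0, 0, now)      # TWAP over [0, now]: no time elapsed at the pushed price
    back_x = pool.swap(0, got_y, now)  # unwind in the same transaction
    return spot, twap, dx - back_x     # net cost is 0 apart from gas: the atomic case is risk-free

def sustained_manipulation_reading(pool: ConstantProductAMM, dx: float, window: int, hold: int, arb_dy: float = 0.0):
    """Push at (window - hold), hold until the TWAP over [0, window] is read, then unwind; an assumed arbitrageur
    sells arb_dy of y into the pool mid-hold. Returns (twap the victim protocol reads, manipulator's net cost in x)."""
    t_push = window - hold
    got_y = pool.swap(dx, 0, t_push)
    if arb_dy:
        pool.swap(0, arb_dy, t_push + hold // 2)  # market response while the imbalance is being held
    twap = pool.twap(0.0, 0, window)
    back_x = pool.swap(0, got_y, window)
    return twap, dx - back_x
```

With the arbitrageur present, the TWAP moves only from 1.0 to 0.9625 while the manipulator's unwind recovers about a third of the deposited x, which is the upfront cost and market-response risk the paper attributes to economic exploits.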
In market manipulation attacks, an adversary manipulates the market price of an asset over a time period in order to realize a profit in a related market, for instance, a DeFi protocol that uses the manipulated market as a price oracle. The attacker bears an upfront tangible cost here of maintaining a market imbalance over time. The researchers illustrate the potential of such an attack in Compound. In Nov 2020, DAI traded at a temporary price of $1.30 over the course of 20 minutes on Coinbase, before returning to the $1 peg.
As a result, the Compound Open Price Feed, which in part uses prices signed by Coinbase, reported a DAI price of $1.23 to Compound for a short time period. This incident triggered liquidations in Compound worth $89m, costing liquidated Compound borrowers 28% on liquidated assets. While this incident was not clearly an exploit, the market structure could be exploited in this way, allowing an attacker to profit by performing the triggered liquidations. A related exploit later occurred in the Venus Protocol.
While DeFi may have the potential to create a permissionless and noncustodial financial system, the view of the DeFi optimist, the open technical and economic security challenges remain strong. Solving these challenges in a robust and scalable way is a central challenge for researchers and DeFi practitioners.
The delineation of technical and economic security helps illuminate the fundamental challenges in DeFi. Technical security is a first bar: if a protocol is not technically secure, then it will break in the presence of rational agents. Economic security makes sense as a further bar. For instance, if a protocol’s funds can be exploited because it is not technically secure, then in an economic sense no rational agents should participate. On the other hand, economic security involves economic problems that cannot be fundamentally solved by technical means alone.
Economic security risks remain largely unexplored. Practically speaking, full understanding of economic security problems requires models of economic equilibria in these systems, and protocol incentive structures need to be designed with this understanding in mind. These models differ considerably from traditional security models and require synthesizing insights from across computer science, economics, and finance.
With high protocol composability, security risks become increasingly complex. A critical gap in DeFi research is formalizing models to quantify composability risks. This problem is elevated because a holistic view of the integrated protocols is necessary: failures might arise from both technical and economic risks.
Designers of DeFi protocols need to understand and address both technical and economic security challenges, both in the protocol they are designing and in how their protocol composes with other protocols.
Technical security now has a sizable literature to draw on and is best addressed through tools such as program analysis.
Literature on economic security is sparse, with limited work on economic attacks on stablecoins, governance incentives, and time-bandit attacks. Recent work on cross-chain MEV also mostly fits in this category.
The paper provides a basis for understanding security challenges in DeFi, both for practitioners and researchers. The paper covers how to address these issues to the extent that defensive measures exist today. Where mitigations are not yet developed, the paper discusses the next research steps that are needed as well as new mechanism proposals that may help solve underlying security issues.