nach oben

Empirical Software Engineering

Erschienen in:

01.03.2024

An empirical study of attack-related events in DeFi projects development

verfasst von: Dongming Xiang, Yuanchang Lin, Liming Nie, Yaowen Zheng, Zhengzi Xu, Zuohua Ding, Yang Liu

Erschienen in: Empirical Software Engineering | Ausgabe 2/2024

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Decentralized Finance (DeFi) offers users decentralized financial services that are associated with the security of their assets. If DeFi is attacked, it could lead to considerable losses. Unfortunately, there is a lack of research on how DeFi developers respond to attacks during the development process. This lack of knowledge makes it difficult to identify which attacks to protect against and to create a comprehensive attack response system. This paper presents an empirical study to understand the current state of developers’ response to attacks during the development process. In addition, we conduct an analytical framework to help developers take preventive measures against attacks. Our research has revealed that Overflow Attack-related events are the most frequent (63, 19.75% of all attack-related events), and high-value DeFi projects tend to have more feedback and active development activities. We have observed that most of the attack instances (61, 85.92%) do not have corresponding attack-related development events, which can lead to a lack of trust between project teams and users if it is unclear whether the team responds to attacks. Furthermore, we have noticed that after the resolution of the same attack-related event, some attacks may recur, even though they could have been prevented. Consequently, we suggest some future research directions and provide some advice for DeFi project developers.

Vorheriger Artikel Analyzing source code vulnerabilities in the D2A dataset with ML ensembles and C-BERT

Nächster Artikel LineFlowDP: A Deep Learning-Based Two-Phase Approach for Line-Level Defect Prediction

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

https://github.com/pendle-finance/pendle-core/issues/258

https://github.com/compound-finance/compound-protocol/issues/41

https://github.com/OlympusDAO/olympus-contracts/issues/110

https://github.com/saddle-finance/saddle-contract/issues/344

https://github.com/saddle-finance/saddle-contract/pull/345

ABertoG, MEA (2019) Aave protocol. https://github.com/aave/aave-protocol/

Ahmadjee S, Mera-G’omez C, Bahsoon R (2021) Assessing smart contracts security technical debts. 2021 IEEE/ACM International Conference on Technical Debt (TechDebt), pp 6–15

Alireza Kirill AEA (2019) Tornado.cash. https://github.com/tornadocash

Alzoubi YI, Al-Ahmad A, Kahtan H, Jaradat A (2022) Internet of things and blockchain integration: security, privacy, technical, and design challenges. Future Internet 14(7):216CrossRef

Barbereau T, Smethurst R, Papageorgiou O, Rieger A, Fridgen G (2022) Defi, not so decentralized: the measured distribution of voting rights

Berg JA, Fritsch R, Heimbach L, Wattenhofer R (2022) An empirical study of market inefficiencies in uniswap and sushiswap. arXiv:2203.07774

Carapella F, Dumas E, Gerszten J, Swem N, Wall L (2022) Decentralized finance (defi): transformative potential & associated risks

Carter N, Jeng L (2021) Defi protocol risks: the paradox of defi. Regtech, suptech and beyond: innovation and technology in financial services” riskbooks–forthcoming Q 3

Chen J, Xia X, Lo D, Grundy J, Luo X, Chen T (2019) Defining smart contract defects on ethereum. IEEE Trans Softw Eng 48:327–345CrossRef

DeFiLlama (2022) Defillama. https://defillama.com/

Ellis S, Juels A, Nazarov S (2017) Chainlink: a decentralized oracle network. Retrieved March 11, 2018

Ethereum (2023) Decentralized finance (defi). https://ethereum.org/en/defi/ (2023)

Gao J, Liu H, Liu C, Li Q, Guan Z, Chen Z (2019) Easyflow: keep ethereum away from overflow. In: 2019 IEEE/ACM 41st international conference on software engineering: companion proceedings (ICSE-Companion), IEEE, pp 23–26

Han J, Huang S, Zhong Z (2021) Trust in defi: an empirical study of the decentralized exchange. Available at SSRN 3896461

He D, Wu R, Li X, Chan S, Guizani M (2023) Detection of vulnerabilities of blockchain smart contracts. IEEE Internet of Things J

Hu L, Wong WE, Kuhn DR, Kacker RN, Li S (2022) Ct-iot: a combinatorial testing-based path selection framework for effective iot testing. Empir Softw Eng 27:1–38CrossRef

Hu X, Zhuang Y, Lin SW, Zhang F, Kan S, Cao Z (2021) A security type verifier for smart contracts. Comput Secur 108:102343CrossRef

Ivanov N, Li C, Yan Q, Sun Z, Cao Z, Luo X (2023) Security threat mitigation for smart contracts: a comprehensive survey. ACM Comput Surv

Jensen JR, von Wachter V, Ross O (2021) An introduction to decentralized finance (defi). Complex Syst Inf Model Q 26:46–54

jflatow hayesgm mea (2019) Compound finance. https://compound.finance/

Kaur G, Habibi Lashkari A, Sharafaldin I, Habibi Lashkari Z (2023) Smart contracts and defi security and threats. In: Understanding cybersecurity management in decentralized finance: challenges, strategies, and trends, Springer, pp 91–111

Keele S, et al. (2007) Guidelines for performing systematic literature reviews in software engineering

Khan MQ, Shahid A, Uddin MI, Roman M, Alharbi A, Alosaimi W, Almalki J, Alshahrani SM (2022) Impact analysis of keyword extraction using contextual word embedding. PeerJ Comput Sci 8:e967CrossRef

Krupa T, Ries M, Kotuliak I, Bencel R et al (2021) Security issues of smart contracts in ethereum platforms. In: 2021 28th Conference of Open Innovations Association (FRUCT), IEEE, pp 208–214

Li W, Bu J, Li X, Chen X (2022) Security analysis of defi: vulnerabilities, attacks and advances. arXiv:2205.09524

Li W, Bu J, Li X, Peng H, Niu Y, Chen X (2022) A survey of defi security: challenges and opportunities. arXiv:2206.11821

Lin Y (2023) DeFi development process. https://doi.org/10.57760/sciencedb.07518

Liu B, Szalachowski P, Zhou J (2021) A first look into defi oracles. In: 2021 IEEE international conference on decentralized applications and infrastructures (DAPPS), IEEE, pp 39–48

MaartenGr shengbo-ma mea (2020) Keybert. https://github.com/MaartenGr/keyBERT

Maouchi Y, Charfeddine L, El Montasser G (2022) Understanding digital bubbles amidst the covid-19 pandemic: evidence from defi and nfts. Finance Res Lett 47:102584

McKight PE, Najab J (2010) Kruskal-wallis test. The corsini encyclopedia of psychology pp 1–1

Meegan X, Koens T (2021) Lessons learned from decentralised finance (defi). ING. URL: https://new.ingwb.com/binaries/content/assets/insights/themes/distributed-ledger-technology/defi_white_paper_v2.0.pdf

Meister BK, Price HC (2022) Yields: the galapagos syndrome of cryptofinance. arXiv:2202.10265

MetaTrustLabs (2023) Metascore. https://alpha.metatrust.io/score

Metelski D, Sobieraj J (2022) Valuations of decentralised finance (defi) protocols: a panel data study investigating defi’s key performance indicators

Nath K (2022) Evolution of the internet from web 1.0 to metaverse: the good, the bad and the ugly

Oliva GA, Hassan AE, Jiang ZM (2020) an exploratory study of smart contracts in the ethereum blockchain platform. Empir Softw Eng 25:1864–1904CrossRef

Pal O, Alam B, Thakur V, Singh S (2021) Key management for blockchain technology. ICT Express 7(1):76–80CrossRef

PANews (2022) Edg finance attacked incident. https://www.panewslab.com/zh/articledetails/t3k6b3m6.html

PeckShield (2018) Peckshield. https://peckshield.com/

Qin K, Zhou L, Afonin Y, Lazzaretti L, Gervais A (2021) Cefi vs. defi–comparing centralized to decentralized finance. arXiv:2106.08157

Qin K, Zhou L, Gamito P, Jovanovic P, Gervais A (2021) An empirical study of defi liquidations: incentives, risks, and instabilities. In: Proceedings of the 21st ACM internet measurement conference, pp 336–350

QuillAudits (2022) Stader nearx attacked incident. https://medium.com/quillhash/decoding-a-830-000-exploit-quillaudits-c70d1ecfd562

Raikwar M, Gligoroski D (2022) Dos attacks on blockchain ecosystem. Euro-Par 2021: parallel processing workshops: Euro-Par 2021 international workshops, Lisbon, Portugal, August 30–31, 2021. Springer, Revised Selected Papers, pp 230–242

Said KS, Nie L, Ajibode AA, Zhou X (2020) Gui testing for mobile applications: objectives, approaches and challenges. In: Proceedings of the 12th Asia-Pacific Symposium on Internetware, pp 51–60

Samreen NF, Alalfi MH (2021) A survey of security vulnerabilities in ethereum smart contracts. arXiv:2105.06974

SCORECHAIN (2022) curve finance attacked incident. https://www.scorechain.com/blog/curve-finance-dns-hack

Sifra EM (2022) Security vulnerabilities and countermeasures of smart contracts: a survey. In: 2022 IEEE international conference on blockchain (Blockchain), IEEE, pp 512–515

SlowMist (2018) Slow mist. https://hacked.slowmist.io/ (2018)

Solidity (2023) Solidity considerations. https://docs.soliditylang.org/en/v0.8.20/security-considerations.html

Tolmach P, Li Y, Lin SW, Liu Y (2021) Formal analysis of composable defi protocols. In: International conference on financial cryptography and data security, Springer, pp 149–161

Torres CF, Schütte J, State R (2018) Osiris: hunting for integer bugs in ethereum smart contracts. In: Proceedings of the 34th annual computer security applications conference, pp 664–676

Treleaven P, Greenwood A, Pithadia H, Xu J (2022) Web 3.0 tokenization and decentralized finance (defi). Available at SSRN 4037471

Vivar AL, Orozco ALS, Villalba LJG (2021) A security framework for ethereum smart contracts. Comput Commun 172:119–129CrossRef

Wan Z, Xia X, Lo D, Chen J, Luo X, Yang X (2021) Smart contract security: a practitioners’ perspective. In: 2021 IEEE/ACM 43rd international conference on software engineering (ICSE), IEEE, pp 1410–1422

Wang D, Wu S, Lin Z, Wu L, Yuan X, Zhou Y, Wang H, Ren K (2020) Towards understanding flash loan and its applications in defi ecosystem. arXiv:2010.12252

Wang H, Wang Y, Cao Z, Li Z, Xiong G (2018) An overview of blockchain security analysis. China cyber security annual conference. Springer, Singapore, pp 55–72

Wang Y, Chen X, Huang Y, Zhu HN, Bian J, Zheng Z (2023) An empirical study on real bug fixes from solidity smart contract projects. J Syst Softw 111787

Wen Y, Lu F, Liu Y, Huang X (2021) Attacks and countermeasures on blockchains: a survey from layering perspective. Comput Netw 191:107978CrossRef

Werner SM, Perez D, Gudgeon L, Klages-Mundt A, Harz D, Knottenbelt WJ (2021) Sok: decentralized finance (defi). arXiv:2101.08778

Wu S, Wang D, He J, Zhou Y, Wu L, Yuan X, He Q, Ren K (2021) Defiranger: detecting price manipulation attacks on defi applications. arXiv:2104.15068

Wu T, Shen L, Peng X, Shen B, Li Z (2020) Group activity matching with blockchain backed credible commitment. In: Proceedings of the 12th Asia-pacific symposium on internetware, pp 81–90

Xu TA, Xu J (2022) A short survey on business models of decentralized finance (defi) protocols. arXiv:2202.07742

Yaga D, Mell P, Roby N, Scarfone K (2018). Blockchain technology overview. https://doi.org/10.6028/NIST.IR.8202CrossRef

Yuan Y, Wang FY et al (2016) Blockchain: the state of the art and future trends. Acta Autom Sin 42(4):481–494

Zhang H, Merino LH, Estrada-Galinanes V, Ford B (2022) Flash freezing flash boys: countering blockchain front-running. In: 2022 IEEE 42nd international conference on distributed computing systems workshops (ICDCSW), IEEE, pp 90–95

Zhao Y, Kang X, Li T, Chu CK, Wang H (2022) Towards trustworthy defi oracles: past, present and future. arXiv:2201.02358

Zheng Z, Xie S, Dai H, Chen X, Wang H (2018) Blockchain challenges and opportunities: a survey. Int J Web Grid Serv 14(4):352–375. https://doi.org/10.1504/IJWGS.2018.10016848CrossRef

Zhou L, Xiong X, Ernstberger J, Chaliasos S, Wang Z, Wang Y, Qin K, Wattenhofer R, Song D, Gervais A (2023) Sok: decentralized finance (defi) attacks. In: 2023 IEEE symposium on security and privacy (SP), IEEE, pp 2444–2461

Titel: An empirical study of attack-related events in DeFi projects development
verfasst von: Dongming Xiang
Yuanchang Lin
Liming Nie
Yaowen Zheng
Zhengzi Xu
Zuohua Ding
Yang Liu
Publikationsdatum: 01.03.2024
Verlag: Springer US
Erschienen in: Empirical Software Engineering / Ausgabe 2/2024
Print ISSN: 1382-3256
Elektronische ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-024-10447-7

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Weitere Artikel der Ausgabe 2/2024

When less is more: on the value of “co-training” for semi-supervised software defect predictors

An empirical study on the usage of mocking frameworks in Apache software foundation

Investigating the readability of test code

A study of common bug fix patterns in Rust

Diversity in issue assignment: humans vs bots

Improving the quality of software issue report descriptions in Turkish: An industrial case study at Softtech

Premium Partner