DLT Interoperability and More ⛓️#12 ⛓️ —SoK: Decentralized Finance (DeFi) Incidents

Rafael Belchior
3 min readOct 14, 2022


In this series, we analyze papers on blockchain and interoperability (and both).

This edition covers a paper on decentralized finance security.

Photo by Nick Chong on Unsplash

➡️ Title: SoK: Decentralized Finance (DeFi) Incidents
➡️ Authors: Liyi Zhou, Xihan Xiong, Jens Ernstberger, Stefanos Chaliasos, Zhipeng Wang, Ye Wang, Kaihua Qin, Roger Wattenhofer, Dawn Song, Arthur Gervais

➡️ Paper source: https://arxiv.org/abs/2208.07119

➡️ Contributions:

  • DeFi Reference Frame: a framework to reason about DeFi systems and threat models
  • Analysis of real-world incidents on Ethereum and the Binance smart chain over a time frame of four years, as well as academic papers and grey literature. Each study is classified according to a derived taxonomy.
  • The authors propose a series of defense mechanisms against attacks on DeFi.

💪 Strong points:

  • The breadth and depth of this work are truly amazing. This is a very good example of how to put together a systematic survey. Definitely has the potential to be a solid basis of knowledge for the DeFi security space.
  • There is a practical/investigation component to the theoretical framework, where the authors study real-world attacks and track them.
  • The systematization table on page 6 is an interesting reference. Note, for example, that audit reports focus on smart contract bugs and MEV. This indicates that the industry hasn’t been focused on the network and consensus layers.

😞 Limitations:

  • We found no strong limitations of the study besides the limitations the authors referred to.

🔥 Points of interest:

  • The authors define the system model (the layers where an attack or incident may occur): network, consensus, smart contract, DeFi, and auxiliary layers.
  • Threat model: attackers can exploit smart contract vulnerabilities; protocol layer vulnerabilities; and auxiliary layer vulnerabilities. The adversaries might have different levels of knowledge (public — such as block data; sequencer — such as accessing private pools of unpublished transactions; and insider — e.g., access to external market prices or other generally inaccessible information). Then the authors define what are the possible incident cause and type and map everything in Table III.
  • The authors then explore the incident frequency, emergency pause mechanisms, and incident defense. In the latter category, the authors explore rescue and incident time frames, bytecode similarity analysis, MEV (front running as a service), and money tracing.
  • Key insights from the paper: consensus and network layer incidents and understudied.
  • Most defense tools focus on smart contract security, as opposed to protocol layer security (although the latter has many attacks). This is perhaps due to the composability of smart contracts, making the development of tools to address this a hard task. Perhaps developing cross-chain models could help to analyze the security of cross-chain protocols (e.g., bridges, and composing bridges with DeFi protocols). Another related insight is that adversaries can be front-run, as there is a time gap between the deployment of an attack smart contract and its usage.
  • To reiterate the previous point, building a cross-chain model has practical implementations. According to the authors, “We anticipate that just-in-time detection of abnormal protocol states or malicious transactions will receive increased attention in future studies.”.
  • There is an absence of intrusion detection tools. This is particularly inconvenient, as adversarial smart contracts can be detected in a variety of forms.

🚀 How does it relate to our work at Técnico Lisboa, INESC-ID, and Blockdaemon? (views are my own and do not necessarily reflect the opinions of my employer)

  • This study inspires us to do systematic, quality work in synthesizing complex data into useful and actionable insights.

🚀 What are the implications for our work?

  • This study inspires our systematic study of cross-chain security.



Rafael Belchior

R&D Engineer at Blockdaemon. Opinions and articles are my own and do not necessarily reflect the view of my employer. https://rafaelapb.github.io