Angels or demons: Investigating and detecting decentralized financial traps on ethereum smart contracts

Author

Jiachi CHEN
Jiang HU
Xin XIA
David LO, Singapore Management UniversityFollow
John GRUNDY
Zhipeng GAO
Ting CHEN

Publication Type

Journal Article

Version

acceptedVersion

Publication Date

11-2024

Abstract

Decentralized Finance (DeFi) uses blockchain technologies to transform traditional financial activities into decentralized platforms that run without intermediaries and centralized institutions. Smart contracts are programs that run on the blockchain, and by utilizing smart contracts, developers can more easily develop DeFi applications. Some key features of smart contracts—self-executed and immutability—ensure the trustworthiness, transparency and efficiency of DeFi applications and have led to a fast-growing DeFi market. However, misbehaving developers can add traps or backdoor code snippets to a smart contract, which are hard for contract users to discover. We call these code snippets in a DeFi smart contract as “DeFi Contract Traps” (DCTs). In this paper, we identify five DeFi contract traps and introduce their behaviors, describe how attackers use them to make unfair profits and analyze their prevalence in the Ethereum platform. We propose a symbolic execution tool, DeFiDefender, to detect such traps and use a manually labeled small-scale dataset that consists of 700 smart contracts to evaluate it. Our results show that our tool is not only highly effective but also highly efficient.DeFiDefender only needs 0.48 s to analyze one DeFi smart contract and obtains a high average accuracy (98.17%), precision (99.74%)and recall (89.24%). Among the five DeFi contract traps introduced in this paper, four of them can be detected through contract bytecode without the need for source code. We also apply DeFiDefender to a large-scale dataset that consists of 20,679 real DeFi-related Ethereum smart contracts. We found that 52.13% of these DeFi smart contracts contain at least one contract trap. Although a smart contract that contains contract traps is not necessarily malicious, our finding suggests that DeFi-related contracts have many centralized issues in a zero-trust environment and in the absence of a trusted party.

Keywords

Decentralized financial, Ethereum, Financial traps, Smart contract analysis

Discipline

Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

Automated Software Engineering

Volume

31

Issue

2

First Page

1

Last Page

33

ISSN

0928-8910

Identifier

10.1007/s10515-024-00459-4

Publisher

Springer

Citation

CHEN, Jiachi; HU, Jiang; XIA, Xin; LO, David; GRUNDY, John; GAO, Zhipeng; and CHEN, Ting. Angels or demons: Investigating and detecting decentralized financial traps on ethereum smart contracts. (2024). Automated Software Engineering. 31, (2), 1-33.
Available at: https://ink.library.smu.edu.sg/sis_research/9349

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1007/s10515-024-00459-4