Papers
Topics
Authors
Recent
Assistant
AI Research Assistant
Well-researched responses based on relevant abstracts and paper content.
Custom Instructions Pro
Preferences or requirements that you'd like Emergent Mind to consider when generating responses.
Gemini 2.5 Flash
Gemini 2.5 Flash 147 tok/s
Gemini 2.5 Pro 48 tok/s Pro
GPT-5 Medium 23 tok/s Pro
GPT-5 High 26 tok/s Pro
GPT-4o 59 tok/s Pro
Kimi K2 190 tok/s Pro
GPT OSS 120B 446 tok/s Pro
Claude Sonnet 4.5 36 tok/s Pro
2000 character limit reached

Safeguarding DeFi Smart Contracts against Oracle Deviations (2401.06044v1)

Published 11 Jan 2024 in cs.SE

Abstract: This paper presents OVer, a framework designed to automatically analyze the behavior of decentralized finance (DeFi) protocols when subjected to a "skewed" oracle input. OVer firstly performs symbolic analysis on the given contract and constructs a model of constraints. Then, the framework leverages an SMT solver to identify parameters that allow its secure operation. Furthermore, guard statements may be generated for smart contracts that may use the oracle values, thus effectively preventing oracle manipulation attacks. Empirical results show that OVer can successfully analyze all 10 benchmarks collected, which encompass a diverse range of DeFi protocols. Additionally, this paper also illustrates that current parameters utilized in the majority of benchmarks are inadequate to ensure safety when confronted with significant oracle deviations.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (51)
  1. 2020. Warp Contracts. https://github.com/warpfinance/Warp-Contracts/releases/tag/v2.0-production-contracts.
  2. 2021. Solo protocol. https://github.com/dydxprotocol/solo/releases/tag/v0.41.0.
  3. 2022. Beefy Vault Contract. https://explorer.kava.io/address/0xC3821F0b56FA4F4794d5d760f94B812DE261361B/contracts.
  4. 2023. Yearn Attack Disclosure. https://github.com/yearn/yearn-security/blob/master/disclosures/2021-02-04.md.
  5. Aave. 2023. Aave V2. https://github.com/aave/protocol-v2/tree/master.
  6. Astraea: A decentralized blockchain oracle. In 2018 IEEE international conference on internet of things (IThings) and IEEE green computing and communications (GreenCom) and IEEE cyber, physical and social computing (CPSCom) and IEEE smart data (SmartData). IEEE, 1145–1152.
  7. Ayana T Aspembitova and Michael A Bentley. 2022. Oracles in Decentralized Finance: Attack Costs, Profits and Mitigation Measures. Entropy 25, 1 (2022), 60.
  8. Formal analysis of lending pools in decentralized finance. In International Symposium on Leveraging Applications of Formal Methods. Springer, 335–355.
  9. WIP: Finding bugs automatically in smart contracts with parameterized invariants. Retrieved July 14 (2020), 2020.
  10. Vitalik Buterin. 2014. Ethereum: A next-generation smart contract and decentralized application platform. https://ethereum.org/en/whitepaper/.
  11. Truthful decentralized blockchain oracles. International Journal of Network Management 32, 2 (2022), e2179.
  12. calvwang9. 2022. Oracle Manipulation. https://github.com/calvwang9/oracle-manipulation.
  13. FlashSyn: Flash Loan Attack Synthesis via Counter Example Driven Approximation. arXiv preprint arXiv:2206.10708 (2022).
  14. Smartian: Enhancing smart contract fuzzing with static and dynamic data-flow analyses. In 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 227–239.
  15. Compound Finance. 2020. Compound V2. https://github.com/compound-finance/compound-protocol/releases/tag/v2.8.1.
  16. Consensys. 2023. Mythril: a security analysis tool for EVM bytecode. https://github.com/Consensys/mythril.
  17. Towards Verified Price Oracles for Decentralized Exchange Protocols. In 3rd International Workshop on Formal Methods for Blockchains (FMBC 2021) (Open Access Series in Informatics (OASIcs), Vol. 95), Bruno Bernardo and Diego Marmsoler (Eds.). Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl, Germany, 1:1–1:14. https://doi.org/10.4230/OASIcs.FMBC.2021.1
  18. Leonardo de Moura and Nikolaj Bjørner. 2008. Z3: An Efficient SMT Solver. In Tools and Algorithms for the Construction and Analysis of Systems, C. R. Ramakrishnan and Jakob Rehof (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 337–340.
  19. DeFiLlama. 2023a. DeFiLlama - DeFi Dashboard. https://defillama.com/.
  20. DeFiLlama. 2023b. DeFiLlama - Oracles Dashboard. https://defillama.com/oracles.
  21. Artifact for OVer: Safeguarding DeFi Smart Contracts against Oracle Deviations. https://doi.org/10.5281/zenodo.10436720
  22. dforce Network. 2021. Lending Contracts. https://github.com/dforce-network/LendingContractsV2/tree/master/contracts.
  23. Etherscanners. 2020. xToken Victim Contract. https://etherscan.io/address/0x04bef870de607519c91d16a23434ad5745f62a63#code.
  24. Etherscanners. 2023. Yearn Attack. https://etherscan.io/tx/0xf6022012b73770e7e2177129e648980a82aab555f9ac88b8a9cda3ec44b30779.
  25. Euler. 2023. Euler Smart Contracts. https://github.com/euler-xyz/euler-contracts.
  26. Slither: a static analysis framework for smart contracts. In 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). IEEE, 8–15.
  27. Chainlink Foundation. 2023a. Chainlink API. https://docs.chain.link/any-api/api-reference/.
  28. Ethereum Foundation. 2023b. The Solidity Contract-Oriented Programming Language. https://github.com/ethereum/solidity
  29. Contractfuzzer: Fuzzing smart contracts for vulnerability detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. 259–269.
  30. Zeus: analyzing safety of smart contracts.. In Ndss. 1–12.
  31. Uniswap Labs. 2023. Uniswap Protocol. https://uniswap.org/.
  32. Towards automated verification of smart contract fairness. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 666–677.
  33. Making smart contracts smarter. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 254–269.
  34. TWAP Oracle Attacks: Easier Done than Said?. In 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC). 1–8. https://doi.org/10.1109/ICBC54727.2022.9805499
  35. Demystifying Loops in Smart Contracts (ASE ’20). Association for Computing Machinery, New York, NY, USA, 262–274. https://doi.org/10.1145/3324884.3416626
  36. Morpho. 2023. Morpho Aave. https://github.com/morpho-org/morpho-aave-v3/releases/tag/v1.0.0.
  37. Manticore: A user-friendly symbolic execution framework for binaries and smart contracts. In 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 1186–1189.
  38. sfuzz: An efficient adaptive fuzzer for solidity smart contracts. In Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering. 778–788.
  39. Trail of Bits. 2023. Slither: Static Analyzer for Solidity. https://github.com/crytic/slither.
  40. Attacking the defi ecosystem with flash loans for fun and profit. In International conference on financial cryptography and data security. Springer, 3–32.
  41. ItyFuzz: Snapshot-Based Fuzzer for Smart Contract. In Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. 322–333.
  42. Tianyu Sun and Wensheng Yu. 2020. A formal verification framework for security issues of blockchain smart contracts. Electronics 9, 2 (2020), 255.
  43. Vyper Team. 2023. Vyper. https://vyper.readthedocs.io/en/stable/
  44. Smartcheck: Static analysis of ethereum smart contracts. In Proceedings of the 1st international workshop on emerging trends in software engineering for blockchain. 9–16.
  45. Formal analysis of composable DeFi protocols. In Financial Cryptography and Data Security. FC 2021 International Workshops: CoDecFin, DeFi, VOTING, and WTSC, Virtual Event, March 5, 2021, Revised Selected Papers 25. Springer, 149–161.
  46. Securify: Practical security analysis of smart contracts. In Proceedings of the 2018 ACM SIGSAC conference on computer and communications security. 67–82.
  47. Oracle-supported dynamic exploit generation for smart contracts. IEEE Transactions on Dependable and Secure Computing 19, 3 (2020), 1795–1809.
  48. ProMutator: Detecting vulnerable price oracles in DeFi by mutated transactions. In 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 380–385.
  49. DeFiRanger: Detecting Price Manipulation Attacks on DeFi Applications. arXiv:2104.15068 [cs.CR]
  50. Preventing Price Manipulation Attack by Front-Running. In International Conference on Artificial Intelligence and Security. Springer, 309–322.
  51. Park: Accelerating smart contract vulnerability detection via parallel-fork symbolic execution. In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis. 740–751.
Citations (7)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
Dice Question Streamline Icon: https://streamlinehq.com

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now
Lightbulb Streamline Icon: https://streamlinehq.com

Continue Learning

We haven't generated follow-up questions for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now
List To Do Tasks Checklist Streamline Icon: https://streamlinehq.com

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets

This paper has been mentioned in 4 tweets and received 0 likes.

Upgrade to Pro to view all of the tweets about this paper:

Start a free 7-day Pro trial