SoK: Decentralized Finance (DeFi)

Sam M. Werner∗, Daniel Perez∗, Lewis Gudgeon∗, Ariah Klages-Mundt†, Dominik Harz∗‡, William J. Knottenbelt∗
∗ Imperial College London, † Cornell University, ‡ Interlay

arXiv:2101.08778v1 [cs.CR] 21 Jan 2021

Abstract—Decentralized Finance (DeFi), a blockchain powered peer-to-peer financial system, is mushrooming. One year ago the total value locked in DeFi systems was approximately 600m USD, now, as of January 2021, it stands at around 25bn USD. The frenetic evolution of the ecosystem makes it challenging for newcomers to gain an understanding of its basic features. In this Systematization of Knowledge (SoK), we delineate the DeFi ecosystem along its principal axes. First, we provide an overview of the DeFi primitives. Second, we classify DeFi protocols according to the type of operation they provide. We then go on to consider in detail the technical and economic security of DeFi protocols, drawing particular attention to the issues that emerge specifically in the DeFi setting. Finally, we outline the open research challenges in the ecosystem.

Index Terms—Decentralized Finance, DeFi, Ethereum, Cryptocurrencies

I. DeFi: Finance 2.0?

Consider two views on the promise of Decentralized Finance (DeFi). For the DeFi Optimist, DeFi amounts to a breakthrough technological advance, offering a new financial architecture that is non-custodial, permissionless, openly auditable, (pseudo)anonymous, and with potentially new capital efficiencies. According to this view, DeFi generalizes the promise at the heart of the original Bitcoin whitepaper [1], extending the innovation of non-custodial transactions to complex financial operations. The contrasting view of the DeFi Pessimist is that the unregulated, hack-prone DeFi ecosystem serves to facilitate unfettered and novel forms of financial crime. For instance, the pseudo-anonymous nature of DeFi permits cryptocurrency attackers, scammers, and money launderers to move, clean, and earn interest on capital. To a certain extent, the debate between the DeFi Optimist and the DeFi Pessimist turns on critical moral issues. We do not contribute to this important debate in this paper. Rather, in this SoK, we seek to synthesize and evaluate the technical innovations of DeFi, allowing newcomers to the field to discover the essential features and problems of the DeFi terrain.

First, we must be clear about what DeFi is. DeFi, in its ideal form, exhibits four properties. First, non-custodial financial services allow participants to exert full control over their funds at any point in time. To illustrate, traditional finance and fintech are based on a custodial model. For instance, your bank holds custody of your funds, your stocks are held at a custodian bank, and collateral of contracts may be held in escrow accounts by a custodian. For better or worse, you have to trust these custodians and they need to be compensated for their custodial services. In contrast, blockchain mechanisms provide a means for agents who do not trust each other to cooperate without requiring trusted third parties. For instance, holding on-chain assets can be done without a custodian, and general scripting functionality (‘smart contracts’) can execute deterministically and verifiably on-chain. Among many uses, this allows collateral to be escrowed on-chain without a custodian, which opens up a variety of non-custodial applications. Second, the permissionless nature of DeFi allows anyone to interact with financial services without being censored or denied access by a third party. Third, DeFi is openly auditable, which means that anyone has the ability to audit the state of protocols, e.g., that they are fully collateralized/healthy. Fourth, financial services can be arbitrarily composed such that new financial products and services can be created, similar to how one is able to conceive new Lego models based on a few basic building blocks. For example, this allows seamless rehypothecation of collateral (and the composability risks therein) while following the protocol collateralization rules.

DeFi has grown rapidly, going from around 600m USD in total value locked (TVL) at the start of 2020 to over 25bn USD as of January 2021, with the most capitalized use cases being collateralized lending, constituting c.48% of the TVL, and decentralized exchange (DEXs), constituting c.34% of the TVL as of January 2021 [2]. In turn this rise led to the 24 hour volume on a decentralized cryptoasset exchange [3], overtaking that of a major centralized cryptoasset exchange [4] for the first time [5].

Yet, as with any nascent technology, the evolution of DeFi is not without its risks. In the last year alone, DeFi has experienced more than 20 major protocol exploits, resulting in a loss of funds amounting to over 130m USD [6]. An apparent willingness of market participants to take large financial risks coupled with the possibility of any actor writing unaudited and even malicious smart contracts—precisely due to the decentralized nature of such technologies—renders the risks particularly acute. Moreover, due in part to the emergent complexity of smart contracts once composed together, there are even a number of instances (e.g., [7], [8], [9], [10], [11]) of audited protocols being exploited, rendering the audit process an imperfect defence against exploits.

Moreover, at a technical level the blockchains underlying DeFi are facing significant challenges. Blockchain transaction fees have risen considerably during periods of congestion, with the fees for relatively simple smart contract operations running into the hundreds of dollars. Rising transaction costs price out small transactions, in turn restricting the set of transaction types for which the layer-one blockchain can be used.

This Work: After outlining the primitives for DeFi in Sec. II, we make the following contributions:
• Protocol Systematization: We systematize the existing DeFi protocols according to six types of operations (Sec. III).
• Technical Security: We define technical security in the context of DeFi as a risk-free earning potential and classify the set of technical attacks into three distinct categories. The technical security risks such as smart-contract vulnerabilities serve to undermine the soundness of the ecosystem, limiting the extent to which it can be entrusted with funds (Sec. IV).
• Economic Security: We define economic security in the context of DeFi as secure incentive alignment of agents and organize the set of economic attack vectors into four distinct categories. The economic security risks emerge as the incentive mechanisms encoded in the underlying smart contracts make contact with reality (Sec. V).
• Holistic Security: The distinction between technical and economic security is not merely cosmetic but serves to make clear that the development of the DeFi ecosystem is akin to a ‘two-front’ war, and moreover one in which the fronts can merge to great effect. We combine both views in proposing a set of seven main open research challenges for DeFi going forward (Sec. VI).

II. DeFi Primitives

DeFi protocols require an underlying distributed ledger such as a blockchain, which is a peer-to-peer distributed append-only record of transactions. In this paper, we primarily treat the underlying distributed ledger layer solely as an input into DeFi and refer the reader to existing work (notably [12], [13], [14], [15]) for a fuller exposition of the blockchain layer itself. In particular, we assume that the ledger has the basic security properties of consistency, integrity and availability [16]. Without these security properties, DeFi protocols built on top of such a ledger would themselves become inherently insecure. In this section, we draw attention to and outline the essential features of the underlying blockchain layer which have particular relevance to the security of DeFi protocols.

A. Smart Contracts

The most important provision is that the underlying ledger offers the ability to use smart contracts. These are programs that encode a set of rules for processing transactions which are enforced by a blockchain’s consensus rules, thereby allowing for economic interactions between mistrusting parties. Smart contracts rely on blockchains that are transaction-based state machines, whereby an agent can interact with smart contracts via transactions. Once a transaction is confirmed, the contract code is run by all nodes in the network and the state is updated. The underlying cost to state updates comes in the form of transaction fees charged to the sender. For instance, the Ethereum Virtual Machine (EVM) [17] on the Ethereum [18] blockchain is a stack machine which uses a specific set of instructions for task execution. The EVM maintains a fixed mapping of how much gas, an Ethereum-specific unit that denominates computational cost, is consumed per instruction. The total amount of gas consumed by a transaction is then paid for by the sender [19].

In order for DeFi protocols to function on top of them, smart contracts must possess certain properties. First, they need to be expressive enough to be able to encode protocol rules. Most applications require some support for conditional execution and bounded iterations. Smart contracts also need to be able to communicate with one another within the same execution context, typically a transaction. Finally, support for atomicity is required to ensure that no execution can result in an invalid state, i.e., a transaction either succeeds fully (state update) or fails entirely (state remains unaltered).

When considered specifically in relation to DeFi, the most notable property of smart contracts is that they are able to call each other via message calls. This makes possible composability: smart contracts can be snapped together like Lego bricks (“Money Legos” [20]), with the possibility of building complex financial architectures. This is similar to what was envisaged in [21]. While promising, the side-effects of smart contract interactions and the space of all possible interactions are likely vast. Such complexity in the context of financial applications brings with it a great burden to understand the emergent security properties of composed smart contracts or else face significant financial risk. We discuss this in more detail in Sections IV and V.

B. Tokens

A common use of smart contracts is to implement tokens, which can be used to represent assets, ranging from Ether [22] and other cryptoassets [23] to synthetic assets or derivatives [24], as well as provide some utility, such as the right to participate in an election. Tokens are implemented by contracts adhering to a standard token interface, allowing protocols to easily handle different tokens without having to know about their implementation in advance. In Ethereum, tokens are usually implemented via the standardized ERC-20 [25] and ERC-721 [26] interfaces for fungible and non-fungible tokens, respectively [27], although other token standards exist [28], [29], [30]. The commonly agreed definition is that fungible tokens are interchangeable [25] while non-fungible tokens are distinct [26]. To give a simple example, fungible tokens can be used to represent a currency, such as the US dollar, where any two US dollars are equivalent. On the other hand, non-fungible tokens can be used to represent tokenized pieces of art, where each piece of art is distinct from another.

C. Transaction Execution

A feature of the underlying blockchain which we draw particular attention to is the provision of the ability for users to make transactions. When a blockchain network participant wishes to make a transaction, the details of the unconfirmed transaction (e.g., transaction cost, sender, recipient, data input) are at first broadcast to a network of peers, validated, and then stored in a waiting area (the mempool of a node). Consensus
participants of the underlying ledger known as miners then choose which transactions to include in a given block, based in part on the transaction fee attached to each transaction. Transactions in a block are executed sequentially in the order in which the miner of the respective block included them. For a detailed treatment of how this process works, we refer the reader to [1], [17], [31].

The ability of miners to choose which transactions are and are not included in a given block means that miners are able to control the sequence in which particular transactions are executed. In turn, this opens up the possibility that miners can arbitrarily include, exclude and order transactions in a way that is beneficial to them, resulting in miner extractable value (MEV) [32]. Order optimization fees can be captured by reordering and censoring transactions, while also inserting the miner’s own transactions if profitable. The notion of MEV can be further exacerbated by the possibility of bribing miners to undertake such transaction re-ordering [33], [34]. We consider these issues in detail in Section V-B.

D. External Agents and State Updates

Protocols may rely on certain state updates in order to preserve protocol security. In transaction-based systems, a state cannot update unless a transaction is triggered externally. However, as smart contracts are not able to create transactions programmatically, protocols rely on external entities to trigger state updates. These entities, called keepers, are generally incentivized through profit opportunities to automate certain operations around on-chain protocols and thereby contribute towards maintaining a decentralized system. For instance, if a protocol requires collateral assets to be liquidated to cover a borrow position if certain conditions are met, then the protocol will incentivize keepers to initiate transactions to push these actions.

E. Oracles

An oracle is a mechanism for importing off-chain data into the blockchain virtual machine so that it is readable by smart contracts. This includes, for instance, prices of off-chain assets, such as ETH/USD, or off-chain information needed to verify outcomes of prediction markets, and is relied upon by various DeFi protocols (e.g. [35], [36], [37], [38], [39]). Such data is not natively accessible on-chain.

Oracle mechanisms differ by design and risk, as discussed in [40], [41]. A centralized oracle requires trust in the data provider and bears the risk that the provider behaves dishonestly should the reward from supplying manipulated data be more profitable than from behaving honestly. An alternative is offered by decentralized oracles. As the correctness of off-chain data is not verifiable on-chain, decentralized oracles tend to rely on incentives for accurate and honest reporting of off-chain data, but come with their own set of shortcomings. We provide a detailed overview of oracle manipulation risks and of the shortcomings of on- and off-chain oracles in Sections IV-B and V-D.

F. Governance

Governance refers to the process through which a system is able to effect change to the parameters which establish the terms on which interactions between participants within the system take place [40]. Such changes can be performed either algorithmically or by agents. While there is existing work on governance in relation to blockchains more broadly (e.g. [42], [43], [44]), there is still a limited understanding of the properties of different mechanisms that can be used both for blockchains and DeFi.

Presently, a common design pattern for governance schemes is for a DeFi protocol to be instantiated with a benevolent dictator who has control over governance parameters, with a promise made by the protocol to eventually decentralize its governance process. Such decentralization of the governance process is most commonly pursued through the issuance of a governance token (e.g. [45], [46], [47], [48]), an ERC-20 token which entitles token holders to participate in protocol governance via voting on, and possibly proposing, protocol updates. We return to governance in Section V.

III. DeFi Protocols

We now present DeFi protocols categorized by the type of operation they provide. The presented protocol types rely on the previously examined DeFi primitives. A conceptual overview of how DeFi primitives are used in combination with market mechanisms to construct protocols is shown in Figure 1.

[Figure 1, image not reproduced. Labels: Distributed Ledger; Smart Contracts; Token(s); Collateral; Oracle; Governance; Market Mechanism; Liquid Markets; Arbitrage; Liquidations; Asset Exchange; Loanable Funds Markets; Stablecoins; Portfolio Management; Derivatives; Layer 2; Mixers; Composability.]
Fig. 1: A conceptual overview of the different constructs within the DeFi ecosystem.

A. On-chain Asset Exchange

Venues facilitating the exchange of digital assets are a crucial part of the wider digital asset ecosystem, with centralized cryptoasset exchanges appearing as early as 2010 [49].
However, centralized cryptoasset exchanges have been repeatedly prone to several major attacks (e.g., [50], [51], [52]) and the absence of public verifiability of trading activity has resulted in reports of fake trading volume [53], [54], undermining centralized exchanges’ trustworthiness. A class of DeFi protocols that facilitates the non-custodial exchange of on-chain digital assets exists in the form of decentralized exchanges (DEXs) [55], [56]. Apart from being non-custodial, i.e., the exchange not having ownership over a user’s funds at any point in time, a DEX settles all trades on-chain, thereby ensuring public verifiability for all transactions to network participants. A further difference between DEXs and their centralized counterpart is that only assets native to the underlying blockchain, such as ERC-20 tokens on Ethereum, can be traded. This is due to the atomicity of transactions on which DEXs rely to ensure the correctness of their execution [57] and therefore direct interaction with external assets such as Bitcoin [1] or fiat currency is unfeasible.

Some solutions to work around this limitation do exist but have drawbacks limiting their adoption. Wrapped tokens such as wBTC [23] (wrapped Bitcoin) can be used to trade assets which are not directly on Ethereum, but given their often custodial nature, this approach shares similar security concerns as centralized exchanges. Cross-chain solutions have also been designed [58], [15] but, at the time of writing, have not yet seen wide adoption in DEXs. For instance, atomic swaps require inherently high latency, over which a free option is granted to one party, governed systems like [59] essentially require the user to trust the incentive alignment of governance, and methods like [58] require relays, which can be expensive to maintain and require the required intermediary to overcollateralize the wrapped asset.

Based on the mechanism for price discovery, DEXs come in different variants, such as order book DEXs (including individual [60], [57] and batch settlement [61], [62]) and automated market makers (AMMs) (e.g., [63], [64], [65]).

1) Order Book DEXs: In centralized financial exchanges, an order book is an electronic list of buy and sell orders for a particular financial instrument, where a trade is executed when orders are matched. Maintaining the state of an order book is a computationally expensive task and given the design of blockchains (e.g., the Ethereum virtual machine and its gas price mechanism [66], [67]) it is not practically feasible to host this on-chain. Hence, a decentralized order book exchange may employ off-chain order books and thus involve some level of centralization, where only trade settlement is executed on-chain. A user wanting to execute an order will typically pre-sign a transaction allowing the DEX to execute the trade only if it fulfills the conditions specified by the user.

Orders are matched either manually or algorithmically, where in the case of the former, takers are required to fill resting orders created by makers. While manual order matching offers trustless trading between takers and makers as any centralized intermediary is circumvented, it comes at the cost of increased latency and potentially fragmented liquidity due to inefficient price discovery. More efficient order matching can be achieved algorithmically, however this involves trusting centralized off-chain matching engines [60], which are often prone to manipulation [32], [68], to fill orders at fair prices. Different order book methods using batch settlement may help to resolve these matching issues algorithmically. For instance, [61] settles the order book in a manner resembling a Dutch auction (with batches settling at gradually decreasing prices until sell orders are filled). This has the downside of potentially long settlement delays. Alternatively, trades can be matched algorithmically in periodic batches maintained by decentralized keepers [62]. Here, the matching problem is solved by competing keepers who submit their solutions on-chain, from which the protocol executes the best solution. If this keeper market is competitive, trades should be settled at fair prices, though issues can arise when the keeper market is not competitive [69] or if the method for choosing the best keeper solution can be gamed [70].

2) Automated Market Makers: In traditional finance, market makers are liquidity providers that both quote a bid and ask price, selling from their own book, while making a profit from the bid-ask spread. Optimal market making strategies quickly become sophisticated optimization problems. In contrast, AMMs provide liquidity algorithmically through simple pricing rules with on-chain liquidity pools in place of order books. AMMs have been studied in algorithmic game theory, e.g., logarithmic market scoring rule (LMSR) [71] in prediction markets. While they have largely remained unimplemented in traditional finance, they have become popular in DeFi for several reasons: (1) they allow easy provision of liquidity on minor assets, (2) they allow anyone to become a market maker, even if the market making returns are suboptimal, (3) AMM pools can be separately useful as automatically rebalancing portfolios.

In an AMM liquidity pool, reserves for two or more assets are locked into a smart contract, where for a given pool, each liquidity provider receives newly minted liquidity tokens to represent the share of liquidity they’ve provided. A trade is consequently performed by trading against a smart contract’s liquidity reserve for an asset, whereby liquidity is added to the reserves of one token and withdrawn from the reserves of one or more other tokens in the pool. A trading fee is retained by a liquidity pool and paid out proportionally to the amount of liquidity provided by each liquidity token holder. Liquidity providers are required to give up their liquidity tokens in order to redeem their share of liquidity and accrued fees.

With an AMM, the price of an asset is deterministic and decided by a formula, not an order book, and thus depends on the relative sizes of the provided liquidity on each side of a currency pair. If the liquidity is thin, a single trade can cause a significant fluctuation in asset prices relative to the overall market, and arbitrageurs can profit by closing the spread. Arbitrage refers to the process of buying or selling the same asset in different markets to profit from differences in price. Parties who undertake this process are arbitrageurs, and often play a critical role in DeFi protocols. Thereby, arbitrage is used to ensure that the price for an asset on an AMM is
at parity with the price on the open market. Note that as the reserve ratios for a pool’s assets change as liquidity is added and withdrawn, a liquidity provider may receive a different token ratio upon withdrawing his liquidity share compared to the ratio he initially deposited. For a more focused analysis of AMM design and the underlying market making mechanism, we direct the reader to [72], [73], [74], [75].

B. Loanable Funds Markets for On-chain Assets

Lending and borrowing of on-chain assets is facilitated through protocols for loanable funds (PLFs) [76], [77], which refer to DeFi lending protocols that establish distributed ledger-based markets for loanable funds of cryptoassets. In the context of a PLF, a market refers to the total supplied and total borrowed amounts of a token, where the available (i.e., non-borrowed) deposits make up a market’s liquidity. Unlike peer-to-peer lending, where funds are directly lent between individual agents, in a PLF, deposits for a given token market are pooled together in a smart contract. An agent may directly borrow against the smart contract reserves, assuming the market for the token is sufficiently liquid.

Given the pseudo-anonymous nature of blockchains, borrowers are required to overcollateralize their borrow position, in order to protect PLFs from sustaining financial losses as a result of borrowers defaulting on their debt. Collateralization is the process in which something of value is provided as security to cover the value of a debt. For example, when obtaining a mortgage for a house, the house is the collateral: if the borrower defaults on their repayment obligations, the house can be sold to pay off the mortgage. In general, collateralization makes it possible for agents to borrow assets without the lender incurring credit risk, i.e., suffering financial losses as a result from a borrower defaulting on a debt obligation. By posting collateral of x in USD, in principle an agent can borrow up to 100% of this collateral value in another asset. If the agent does not repay the debt, the collateral can be liquidated to pay it off. In this way, collateralization simultaneously ensures that the lender (likely a smart contract) can recover their loaned value and provides the borrower with an incentive to repay the loan. Due to the historical volatility and illiquidity of many cryptoassets, it should be noted that overcollateralization is often relied upon, where for, e.g., 100 USD of borrowed value, more than 100 USD must be provided as backing collateral. The idea is to ensure that even if the value of the collateral relative to the debt falls considerably, there would still be sufficient collateral to cover the debt. In PLFs, a borrower has to ensure that the value of the locked collateral remains above some liquidation threshold, as otherwise so-called liquidators, a type of keeper, are able to purchase the locked collateral at a discount and close the borrower’s debt position. In a liquidation scenario, the liquidated borrower would receive the collateral minus any outstanding debt and incurred penalty charges [78].

PLFs may offer functionality beyond overcollateralized borrowing capabilities in the form of so-called flash loans. These provide access to uncollateralized loans for the duration of one transaction, requiring the borrower to repay the full borrowed amount plus interest by the end of the transaction. Flash loans leverage a blockchain’s atomicity (i.e., the transaction fails if the loan is not repaid in the same transaction) and offer several use cases, such as decentralized exchange arbitrage and collateral swaps. However, they can also be used in attacks [79].

The cost of borrowing in a PLF is given by an interest rate charged to the borrower, which is determined by a market’s underlying interest rate model. These interest rate models tend to reflect the notion that as liquidity becomes scarcer, a higher interest rate should encourage current borrowers to repay their debts, while incentivizing holders of excess deposits to supply these.

In exchange for depositing funds, a depositor receives a derivative token reflecting his share of the total supplied funds in a market. As interest paid by borrowers is generally retained by the smart contract, the relative share of total funds in a market of a derivative token holder will increase over time. Accrued interest in a market is thereby paid out to the market’s depositors as compensation for providing liquidity, while a reserve fraction is retained from the paid out interest by the protocol in order to protect against periods of illiquidity [80] and market stress.

C. Stablecoins

Non-custodial stablecoins are cryptoassets which aim to be price stable relative to a target currency, commonly the USD, and seek to achieve this via additional economic mechanisms. As of the time of writing, there are about a dozen non-custodial stablecoins, of which perhaps the most notable is MakerDAO’s Dai [37], which has close to 4.38bn USD in market capitalization as of January 2021¹. Note that custodial stablecoins, such as USDT [81], are not within the scope of DeFi, since these principally rely on a trusted third-party to operate, though they may be among the assets used in other DeFi protocols.

¹ Source: https://defipulse.com/. Accessed: 20-01-2021.

In the decentralized setting, the challenge for the protocol designer is to construct a stablecoin which achieves price stability in an economically secure and stable way and wherein all required parties can profitably continue to participate [40]. Price-stability is pursued via the use of on-chain collateral, providing a foundation of secured loans from which the stablecoin derives its economic value.

The core components of a non-custodial stablecoin are as follows [40].
• Collateral. This is the store of primary value for a stablecoin. Collateral can be exogenous (e.g., ETH in Maker [46], where the collateral is primarily used externally to the stablecoin), endogenous (e.g., SNX in Synthetix [24], where the collateral was created to be collateral) or implicit (e.g., Nubits [82], where the design lacks an explicit store of collateral).
• Agents. Agents take on at least two roles in a non-custodial stablecoin: (i) risk absorption, for instance by providing collateral that is intended to absorb price risk, and (ii) stablecoin users.
• Governance. A mechanism and set of parameters that governs the protocol as a whole (either performed by agents or algorithmically).
• Issuance. A mechanism to control the issuance of stablecoins against or using the collateral (either performed by agents or algorithmically).
• Oracles. A mechanism to import data external to the blockchain onto the blockchain, such as price-feeds.

See [40] for a more complete discussion of stablecoin designs, models, and challenges.

D. Portfolio Management

Maximizing returns can be an onerous task for liquidity providers, given the complex and expansive space of yield-generating options. The management of on-chain assets can thus be automated through DeFi protocols which serve as decentralized investment funds, where tokens are deposited into a smart contract and an investment strategy that entails transacting with other DeFi protocols (e.g., PLFs) is encoded in the contract. Yield in DeFi is generated through interest (including accrued fees earned) and token rewards. For the latter, a protocol (e.g., PLF or AMM) distributes native tokens to its liquidity providers and/or users as rewards for the provision of deposits and/or protocol adoption. These protocol-native token rewards are similar to equity in the sense that they serve as a right to participate in the protocol's governance and often also represent a claim on protocol-generated earnings. The distribution model for token rewards in exchange for supplied liquidity may vary across protocols, yet is commonly proportional to how much liquidity an agent has supplied on a protocol. Therefore, smart contract-encoded investment strategies of on-chain assets are tailored around yield generating mechanisms of different protocols with the sole aim of yield aggregation and maximization. In practice, on-chain management of assets may range from automatic rebalancing of a token portfolio [83] to complex yield aggregating strategies [84].

E. Derivatives

Derivatives are financial contracts which derive their value from the performance of underlying assets. As of November 2020, the derivatives market represents about 60% of the entire cryptoassets trading market [85]. While about 99% of the derivative trading volume is achieved on centralized exchanges, a number of DeFi protocols have emerged which provide similar functionality. We lay out four different basic types of derivatives:

• Synthetic assets. These aim to replicate the payoffs of another asset without directly taking a position in that asset. In DeFi, synthetic assets typically replicate off-chain assets on-chain (e.g., the USD in protocols like Maker and Synthetix [24]). Though less used at present, another mechanism for constructing synthetic assets is to use AMMs that enact dynamic portfolio rebalancing strategies to replicate derivative payoffs. These bear a resemblance to synthetic portfolio insurance (see Ch. 13 in [86]) in traditional finance and have been explored more specifically using constant product market makers in [87], [88].
• Futures. These facilitate the buying or selling of an underlying asset at an agreed price and time in the future. Futures have seen little adoption in DeFi yet. This is likely caused by the high volatility of the underlying cryptoassets, which makes it hard to determine the risk taken by traders writing the futures.
• Perpetual Swaps. These are similar to futures; however, they have no set expiry date or settlement and were specifically created and popularized for cryptoasset markets [89]. These are much more popular as they allow traders to decide (typically on a daily basis, e.g., [90]) to keep the position by providing a funding transaction in case their position is underfunded. Due to the frequent price discovery, perpetuals typically trade closer to the underlying than futures do. Moreover, perpetuals are more capital efficient than trading the underlying itself since platforms require less than 100% collateral to be posted by traders.
• Options. These give the buyer the choice to exercise the contract while leaving the seller with the obligation to fulfill the contract. For example, a seller can offer to buy Bitcoin at a price of $18,000 two weeks in the future. The buyer of this option contract can then choose to exercise the option after two weeks have passed. If Bitcoin trades at a price of $17,000, the buyer would have a potential earning of $1,000 minus fees. This is an example of a European-style put option. There are many different option types and trading strategies [86]. Currently, the DeFi market for options is at a very early stage, offering basic call and put options (e.g., [91], [92]) but not leveraged positions on options, which present greater capital efficiency issues.

In DeFi derivative design, there are a few particular points and issues to discuss further:

a) Leverage: In DeFi, protocols are typically overcollateralized to reduce the likelihood of defaulting on loans (e.g., in stablecoins or protocols for loanable funds). This makes these protocols capital inefficient, as one needs to deposit more value than one takes out as a loan. Hence, derivatives can form an alternative where traders are only required to provide a fraction of the capital to trade the value of an underlying by, e.g., using a perpetual or an option. Furthermore, platforms like dYdX allow traders to leverage their positions. This elevates the exposure to the price movement of the derivative. However, while centralized alternatives rely on established risk management systems, DeFi alternatives must still rely on higher rates of collateral in the absence of other forms of investor verification.
b) Settlement: Derivatives can either be physically settled, i.e., the underlying is transferred, or cash settled, i.e., the price difference at the time of exercising the derivative is settled in some currency. Both forms of settlement can be automatically enforced in DeFi by locking the assets at stake in the trading smart contracts. Cash settlement is often more capital efficient as it requires locking only the difference in price movement, e.g., in perpetual and option contracts between different points in time. Physically settled derivatives are mostly possible when the asset is available on-chain (e.g., Ethereum options in Opyn [91]).

c) Trading: Similar to other DeFi assets, derivatives can be traded via an AMM or order book DEX. Order book style DEX trading is very similar to centralized exchanges and the effectiveness of price discovery of the derivatives mostly relies on sufficient liquidity. However, derivatives with set expiry dates like futures and options are hard to price on AMMs. Most AMM platforms (e.g., Uniswap [3]) do not account for a time dimension in the asset. This causes an issue specifically with option trading since the value of the option is subject to time decay (measured by $\theta$). An option decreases in value over time depending on the price of the underlying. More nuanced AMM designs like [93] aim to incorporate such a time dimension. Bonding curves in AMMs are still not aware of other relationships between the underlying and option value. Hence, the AMM price of the option does not reflect the actual option value as it relies on liquidity providers and traders to correct the price. With more complex value functions in the AMM like Balancer [48] it is possible to replicate strategies that combine the underlying and a derivative into a single asset [88].

F. DeFi on Layer-Two

Layer-two refers to a set of protocols which seek to facilitate the scaling of blockchains (i.e., layer-one) without a change in the trust assumptions at layer-one and without modifying the consensus mechanism. Layer-two protocols have emerged in a variety of guises, perhaps most notably as payment channels and payment channel networks. For a detailed overview of layer-two protocols, we refer the reader to [14].

Rollups are at the center of layer-two based approaches to DeFi scalability. The central idea is that the computation and storage of a would-be layer-one contract is handled on layer-two, with an on-chain assertion made about what the layer-two contract's operations are. Optimistic Rollups are one type of rollup, where each assertion is posted without an accompanying proof to guarantee the validity of the assertion. The assertion can be shown to be incorrect via the posting of a fraud-proof [94], [95]. Arbitrum provides an example of such a rollup mechanism [96]. Additionally, at the time of writing, Bancor [97] is testing a deployment on Arbitrum [96], [98].

zkRollups, rollups which use zero-knowledge proofs, are a further variant. The central idea is similar, using an off-chain prover which is able to compress large computations (i.e., batches of transactions) into smaller validity proofs [99]. Such validity proofs provide evidence that the layer-one state transition was correct. StarkWare's Cairo platform seeks to provide a Turing-complete EVM for generating STARK proofs for general computation. An existing integration of STARKs with layer-one can be found via DiversiFi [100], purportedly offering 9,000 transactions per second. Planned concrete integrations include one between StarkWare and dYdX [90], where dYdX's perpetual contracts are to be ported to layer-two leveraging zkRollups. These zkRollups, a layer-two transaction compression mechanism where hundreds of transactions are bundled into a single transaction [101], would enable trades to be submitted on chain, with an aim of reducing the gas required per trade. zkRollups are also central to Loopring's layer-two DEX design, which performs most computations off-chain, broadcasting only the state roots of the DEX on chain [102].

G. Privacy-preserving Mixers

Mixers are methods to prevent the tracing of cryptocurrency transactions. These are important to preserve user privacy, as the transaction ledger is otherwise public information; however, this also means they could be used to obscure the source of illicit funds. Mixers work by developing a 'shielded pool' of assets that are difficult to trace back before entering the pool. They typically take one of two forms: (i) mixing funds from a number of sources so that individual coins can't easily be traced back to an individual address (also called a 'coinjoin', e.g., [103]), or (ii) directly shielding the contents of transactions using zero knowledge proofs of transaction validity (e.g., [104], [105]). Mixers serve as DeFi-like applications themselves and additionally as a piece that could be included within other DeFi protocols.²

² We plan to discuss these further in a subsequent version of this paper.

IV. TECHNICAL SECURITY

We define a DeFi security risk to be technical if an agent can generate a risk-free profit by exploiting the technical structure of a blockchain system, for instance, the sequential and atomic execution of transactions. In current blockchain implementations, this coincides with (1) manipulating an on-chain system within a single transaction, which is risk-free for anyone, and (2) manipulating transactions within the same block, which is risk-free for the miner generating that block. By exploiting technical structure, the underlying blockchain system allows no opportunity for markets or other agents to act in the course of such exploits. We identify three categories of attacks that fall within technical security risks of DeFi protocols: attacks exploiting smart contract vulnerabilities, attacks relying on the execution order of transactions in a block, as well as attacks which are executed within a single transaction.
Technical Security
A DeFi protocol is technically secure if it is not possible for an attacker to obtain a risk-free profit, at the expense of the protocol or its users, by exploiting the technical structure of the protocol, any interacting protocols, or the underlying blockchain. A common property of technical exploits is that they occur within a single block.

An overview of past technical security exploits of DeFi protocols is given in Table I. We discuss a subset of these exploits as practical examples in the context of the attack category the exploit falls under.

A. Smart Contract Vulnerabilities

Since smart contracts are at the center of any DeFi protocol, any vulnerabilities in their implementation can cause them to suffer losses. Smart contract vulnerabilities have been extensively discussed in the literature [106], [107], [108] and we will therefore not give an extensive list of all the known vulnerabilities but rather focus on the ones which have already been exploited in the DeFi context.

Reentrancy. A contract is potentially vulnerable to a reentrancy attack if it delegates control to an untrusted contract, by calling it with a large enough gas limit, while its state is partially modified [109]. A trivial example is a contract with a withdraw function that checks for the internal balance of a user, sends him money and updates the balance. If the receiver is a contract, it can then repeatedly re-enter the victim's contract to drain the funds.

Although this attack is already very well-known, it has been successfully used several times against DeFi protocols. We briefly present two of these attacks in more detail.

dForce: One of the most prominent examples of this exploit was the April 2020 attack against the dForce protocol [110], which features a PLF, draining around 25 million USD worth of funds [111]. The attacker leveraged imBTC [112], which is an ERC-777 token [28], to perform his attack. A particularity of ERC-777 tokens, as opposed to ERC-20 tokens, is that they have a hook calling the receiver when the receiver receives funds. This means that any ERC-777 token will indirectly give the receiver control of the execution. In the dForce attack, the attacker used this reentrancy pattern to repeatedly increase their ability to borrow without enough collateral to back up their borrow position, effectively draining the protocol's funds.

imBTC Uniswap Pool: Another example of a reentrancy attack was on an imBTC Uniswap [3] pool. Despite the fact that Uniswap does not support ERC-777 tokens [64], an imBTC pool holding roughly 300 000 USD worth of tokens was drained using the above reentrancy attack.

Both of these attacks show a common attack pattern in DeFi applications: identifying and exploiting attack vectors which are based on leveraging protocols' interconnectedness, where the composability risks therein are often under-examined. In practice, reentrancy vulnerabilities are generally simple to detect and fix by using static analysis tools [108], [113]. There are two main ways to prevent this vulnerability: (1) using a reentrancy guard that prevents any call to a given function until the end of its execution or (2) finalizing all the state updates before passing execution control to an untrusted contract.

Integer manipulation. Almost every DeFi application manipulates monetary amounts in some way or another. This often involves not only adding to and subtracting from balances but also converting into different units or to different currencies. We present the two most common types of integer manipulation issues.

The first issue, which has been extensively studied in the literature [114], [115], is integer over- and underflow. The EVM does not raise any exception in case of over- or underflow and without correct checks, such overflows could stay undetected until the value is used in some sort of action such as, for example, a transaction sending a token amount. This will often result in failed transactions and cause the smart contract to misbehave [107].

The second issue is unit error during integer manipulation. While unit manipulation should in principle be a trivial task, limitations in the expressivity of both the programming language and the virtual machine, as well as poor development practices, have caused issues related to this type of arithmetic operation. The main language used to develop DeFi applications at the time of writing is Solidity [116], which has a limited type system and no support for operator overloading. In addition, the EVM only supports a single type, 32-byte integers, and has no built-in support for fixed-point numbers. To work around this limitation, each protocol decides on an arbitrary power of 10 to use as its base unit, often $10^{18}$, and all the computations are performed in terms of this unit. However, given the limitations of the type system, most programs end up using exclusively 32-byte integers, and arithmetic on two units scaled differently would not be caught by the compiler. These shortcomings can result in substantial losses in practice, as the following example shows:

YAM: In August 2020, the YAM protocol [117], which had locked almost 500 million USD worth of tokens in a very short period of time, realized that there was an arithmetic-related bug. Two integers scaled to their base unit were multiplied and the result not scaled back, making the result orders of magnitude too large [118], [119]. This prevented governance from reaching quorum and locked all the funds in the protocol's treasury contract, effectively locking over 750 000 USD worth of tokens [120] indefinitely.

Logical bugs. There are a large number of exploits that are rooted in simple programming errors in the smart contracts. While logical bugs are by no means unique to smart contracts, but common to any type of software, the consequences for smart contracts, where immutability underpins the system, can be much more severe than for many other genres of software and result in unrecoverable financial losses.

We will present some of the logical bugs that resulted in notable financial losses to highlight the often trivial nature of
the issue encountered:

bZx: In September 2020, the bZx protocol [121], a lending protocol, suffered a loss of over 8 million USD due to a trivial logic error [122], despite having been through two independent audits. The bZx protocol uses its own ERC-20 tokens, which are minted by locking collateral and repaid to redeem the locked collateral. Like other ERC-20 tokens, bZx tokens allow users to transfer the tokens. However, due to a logical bug, when a user transferred tokens to himself, the amount transferred would effectively only be added to his balance, and not correctly subtracted from it, allowing a user to double his amount of tokens at will. The tokens created could then be used to withdraw funds that the attacker never owned or locked.

Opyn: In August 2020, the Opyn [91] protocol, an options trading protocol, suffered a loss of over 370 000 USD due to a logical bug that allowed a user to re-use the same funds multiple times [123]. Opyn allows users to exercise their put options by requiring them to sell tokens, as a proof of ownership of the option, and the amount of underlying asset to sell. In return, the users receive collateral, typically in a stablecoin, from vaults acting as liquidity providers. The smart contract handling the logic to exercise options allowed users to exercise from multiple vaults but failed to correctly update the amount of underlying assets received after exercising from a vault. As a result, an attacker could send a very small amount of underlying asset to the contract and sell as much as his option would allow him to, resulting in a direct loss of money.

Although these are only two instances of smart contract logical bugs, a large share of the other bugs found in Table I are also very simple mistakes that have been overlooked in both the development process and professional contract audits. We discuss in Section VI potential mitigation techniques to these issues.

B. Single Transaction Attacks

We refer to attacks which can be successfully executed, independent of knowing about some other pending transaction, as single transaction attacks. This category of attack leverages the atomicity of transactions and the composability of smart contracts.

Governance attacks. Protocols that implement some decentralized governance mechanisms tend to rely upon governance tokens, which empower token holders to propose and vote on protocol upgrades. Protocol upgrades come through proposals in the form of executable code, on which governance token holders vote. In order to propose protocol updates, the proposer has to hold or have been delegated a required number of governance tokens. For a protocol upgrade to be executed, a minimum number of votes is required, commonly referred to as quorum. An attacker may obtain an amount of governance tokens sufficient to propose and execute malicious contract code and steal a contract's funds [124]. Given the ease with which large quantities of governance tokens can be obtained through flash loans from PLFs and swaps from AMMs, such attacks have been executed in practice [125].

Single transaction sandwich attacks. In a single transaction sandwich attack, an attacker manipulates an instantaneous AMM price in order to exploit a smart contract that uses that price. Instead of front- and back-running another user's transaction, the attacker sets up the imbalance, exploits composable contracts which rely on the manipulated price, and then reverses the imbalance to cancel out the cost of the first step. The whole sequence can be performed atomically in a single transaction risk-free. Setting up the imbalance requires access to large capital. In a system with flash loans/minting, all agents effectively have such access, although we stress that these attacks are still possible for large capital holders regardless of whether flash loans/minting are widespread. In practice, this type of attack has occurred multiple times [126], [127]. To protect against such manipulations, AMMs include a limit amount (or maximum slippage) that a trade can incur, though this only prevents manipulations above this amount.

The severity of single transaction sandwich attacks occurring in practice is highlighted by the following example:

Harvest: The most prominent single transaction sandwich attack in terms of seized funds was performed against the Harvest protocol [128]. The attacker took out a $50m USDT flash loan from Uniswap and used part of the funds to create an imbalance in the liquidity reserves of USDC and USDT on Curve [47] (an AMM) to increase the AMM's virtual price of USDT. As the price of USDT on Curve was used as an on-chain oracle by the Harvest protocol, the attacker was able to mint Harvest LP tokens (i.e., tokens a liquidity provider receives in exchange for depositing funds into a protocol) by depositing 60.6m USDT, before reversing the imbalance on Curve and withdrawing 61.1m USDT from Harvest. The attacker was able to withdraw more USDT than deposited, as at the time of the withdrawal, the USDT price given by Curve was less than the deposit price, and therefore one Harvest LP token was worth more USDT during withdrawal. The attacker repeated this attack 32 times, draining a total of $33.8m of the protocol's funds.

C. Transaction Ordering Attacks

In traditional finance, the act of front-running refers to taking profitable actions based on non-public information on upcoming trades in a market. In the context of blockchain, front-running a transaction refers to submitting a transaction which is solely intended to be executed before some other pending transaction [68]. As transactions are executed sequentially according to how they have been ordered in a block, an agent may financially benefit from front-running one or more transactions, by having his transaction executed before a victim transaction. Similarly, an agent may pursue back-running, whereby a transaction is intended to be executed after some designated transaction. As the majority of Ethereum miners order transactions by their gas price [129], an agent can set a higher or lower gas price relative to some target transaction, in order to have his transaction executed before or after the target, respectively. In the case of multiple agents attempting to front-run the same transaction, front-running results in priority gas auctions (PGAs) [32], i.e. the competitive bidding of transaction fees to obtain execution priority.

We refer to attacks which involve front- and/or back-running within a single block, thereby undermining the technical security of DeFi protocols, as transaction ordering attacks. Note that an attacker does not need to be a miner in order to execute the following attacks but such attacks can be undertaken risk-free if the attacker is a miner.

Displacement attacks. In a displacement attack, an attacker front-runs some target transaction, where the success of the attack does not depend on whether the target transaction is executed afterwards or not [68]. A simple example of such an attack would be an attacker front-running a transaction that registers a domain name [130].

A further vector for displacement attacks applies to order book DEXs, on which exchange participants are required to submit transactions to cancel existing orders. If a user submits a transaction to cancel an unfilled order due to price changes before the order could be filled, an attacker could front-run the cancel transaction and fill the order. In the context of DEXs, the success of such front-running behavior is particularly likely given the widespread existence of arbitrage bots engaging in PGAs for execution priority [32].

Furthermore, when a sender intends to make a risk-free profit within a single transaction, it can be vulnerable to displacement attacks by generalized front-runners [131]. These bots parse all unconfirmed transactions in the mempool, trying to identify, duplicate, modify and lastly front-run any transaction which would result in a financial profit to the front-runner. Examples of transactions vulnerable to generalized front-runners would be reporting a bug as part of a bug bounty scheme to claim a reward [132] and trying to 'rescue' funds from an exploitable smart contract [131], [133].

Multi-transaction sandwich attacks. In a "sandwich attack", an attacker alters the deterministic price on an AMM prior to and after some other target transaction has been executed in order to profit from temporary imbalances in the AMM's liquidity reserves. In simple cases (e.g., Uniswap), the instantaneous AMM price is simply a ratio of AMM reserves and imbalances can be created simply by changing this ratio (e.g., by providing single-sided liquidity or performing a large swap through the AMM). This is how these AMMs are designed to work: swaps create imbalances, which, if left unbalanced, incentivize arbitrageurs to perform the reverse actions to balance the AMM pool.

An attacker may target another user's transaction (e.g., to profit from triggering large slippage in another user's swap) by trying to place adjacent transactions that set up the imbalance right before the swap and close out the imbalance right after the swap [129], [134]. This can be achieved through front-running the user's swap transaction by setting a higher gas price on the transaction creating the imbalance. By setting a lower gas price on the transaction closing the imbalance, the attacker can back-run the user's transaction and complete the attack. Note that setting high and low transaction fees does not guarantee that the attack succeeds, as ultimately it is up to a transaction's miner to determine the order of execution.

A variant of this attack [129] can be performed if instead of being a liquidity taker, the attacker is a liquidity provider for the respective AMM. The attacker can front-run a victim transaction that swaps token A for token B and remove liquidity, exposing the victim to higher slippage. Subsequently, the attacker can back-run the victim transaction, and resupply the previously withdrawn liquidity. In a third transaction that swaps B for A, the attacker obtains a profit in B. A formal analysis of sandwich attacks is given in [129].

| Protocol | Loss | Audit | Attack | Date | Ref. |
|---|---|---|---|---|---|
| bZx | 0.35m | ✓ | TX sandwich | Feb-15-2020 | [135] |
| bZx | 0.63m | ✓ | TX sandwich | Feb-18-2020 | [136] |
| Uniswap | 0.30m | ✓ | Reentrancy | Apr-18-2020 | [137] |
| dForce | 25.00m | ✗ | Reentrancy | Apr-19-2020 | [111] |
| Hegic | 0.05m | ✗ | Logical bug | Apr-25-2020 | [138] |
| Balancer | 0.50m | ✓ | TX sandwich | Jun-28-2020 | [139] |
| Opyn | 0.37m | ✓ | Logical bug | Aug-04-2020 | [123] |
| Yam | 0.75m | ✗ | Logical bug | Aug-12-2020 | [118] |
| bZx | 8.10m | ✓ | Logical bug | Sep-14-2020 | [7] |
| Eminence | 15.00m | ✗ | TX sandwich | Sep-29-2020 | [140] |
| MakerDAO | - | ✓ | Governance | Oct-26-2020 | [125] |
| Harvest | 33.80m | ✓ | TX sandwich | Oct-26-2020 | [10] |
| Percent | 0.97m | ✓ | Logical bug | Nov-04-2020 | [141] |
| Cheese Bank | 3.3m | ✓ | TX sandwich | Nov-06-2020 | [142] |
| Akropolis | 2.00m | ✓ | Reentrancy | Nov-12-2020 | [8] |
| Value DeFi | 7.00m | ✗ | TX sandwich | Nov-14-2020 | [126] |
| Origin | 7.00m | ✓ | Reentrancy | Nov-17-2020 | [11] |
| 88mph | 0.01m | ✓ | Logical bug | Nov-17-2020 | [143] |
| Pickle | 19.70m | ✗ | Logical bug | Nov-21-2020 | [144] |
| Compounder | 10.80m | ✓ | Logical bug | Dec-02-2020 | [145] |
| Cover | 9.40m | ✓ | Logical bug | Dec-28-2020 | [9] |

TABLE I: An overview of empirical technical security exploits in DeFi protocols. The included exploits are explicitly limited to technical exploits and exclude any deliberate protocol scams that may have occurred. Note that the amount of funds seized per exploit is denominated in USD as of the time of the exploit and does not account for any losses that may have been recovered.

V. ECONOMIC SECURITY

We define a DeFi security risk to be economic if an exploiting agent can game the incentive structure of the protocol to realize unintended profit at the expense of the protocol or its users. Economic risks are inherently a problem of economic design and cannot be solved by technical means alone. To illustrate, while these attacks could be risk-free within a single transaction or block in a very poorly constructed system that allowed it, they are not solved, for example, just by adding a time delay that ensures they are not executed in the same block (e.g., flash loans used as a way to increase voting weight in governance proposals [124]).

The only way these attacks can be mitigated is by designing better protocol incentive structures. A common property of such attacks is that they are not risk-free and involve the manipulation of systems across many transactions or blocks.
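Returning to the reentrancy pattern of Section IV-A, the following added example (not code from the paper or from any protocol it cites) models the trivial withdraw contract described there next to the two mitigations named in that section. It is a Python model rather than contract code; all class names are hypothetical, and `receive` plays the role of the receiver hook of an ERC-777-style token.

```python
"""Toy model of a withdraw function that hands control to the receiver.

Constructed for illustration; class and method names are hypothetical.
"""


class Reverted(Exception):
    """Stands in for an EVM revert of the current call."""


class Vault:
    """Per-account balances plus the pooled funds that back them."""

    def __init__(self):
        self.balances = {}
        self.pool = 0

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.pool += amount

    def _checked_balance(self, account):
        amount = self.balances.get(account, 0)
        if amount == 0:
            raise Reverted("nothing to withdraw")
        return amount

    def _send(self, account, amount):
        if amount > self.pool:
            raise Reverted("pool exhausted")
        self.pool -= amount
        account.receive(self, amount)  # external call: control leaves the vault


class VulnerableVault(Vault):
    def withdraw(self, account):
        amount = self._checked_balance(account)
        self._send(account, amount)   # interaction while state is stale
        self.balances[account] = 0    # effect applied too late


class EffectsFirstVault(Vault):
    """Mitigation (2): finalize state updates before the external call."""

    def withdraw(self, account):
        amount = self._checked_balance(account)
        self.balances[account] = 0
        try:
            self._send(account, amount)
        except Reverted:
            self.balances[account] = amount  # a revert undoes the update
            raise


class GuardedVault(Vault):
    """Mitigation (1): a reentrancy guard held for the whole call."""

    def __init__(self):
        super().__init__()
        self._entered = False

    def withdraw(self, account):
        if self._entered:
            raise Reverted("reentrant call")
        self._entered = True
        try:
            amount = self._checked_balance(account)
            self._send(account, amount)
            self.balances[account] = 0
        finally:
            self._entered = False


class ReenteringReceiver:
    """Receiver whose hook calls withdraw again, up to max_reentries times."""

    def __init__(self, max_reentries):
        self.received = 0
        self.remaining = max_reentries

    def receive(self, vault, amount):
        self.received += amount
        if self.remaining > 0:
            self.remaining -= 1
            try:
                vault.withdraw(self)
            except Reverted:
                pass  # the inner call failed; the outer call continues


def run_scenario(vault_cls, max_reentries=5):
    """Returns (amount paid to the re-entering receiver, funds left in pool)."""
    vault = vault_cls()
    vault.deposit("other users", 90)  # funds that belong to other depositors
    receiver = ReenteringReceiver(max_reentries)
    vault.deposit(receiver, 10)
    vault.withdraw(receiver)
    return receiver.received, vault.pool
```

With the stale-state ordering the receiver is paid once per nested call from funds it never deposited; with either mitigation the nested call reverts and only the receiver's own balance leaves the pool.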
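The two integer manipulation issues of Section IV-A can be reproduced in a short model, given here as an added example that is not the YAM code or any other protocol's code. The supply, growth factor and 4% quorum are constructed values, and the `Fixed` type is a hypothetical sketch of the scale-aware arithmetic that operator overloading would allow.

```python
"""Model of EVM 256-bit unsigned arithmetic and 10**18 fixed-point scaling.

Constructed for illustration; function and class names are hypothetical.
"""
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1
WAD = 10**18  # the base unit the text mentions


def evm_add(a, b):
    return (a + b) & UINT256_MAX  # wraps silently, no exception


def evm_sub(a, b):
    return (a - b) & UINT256_MAX  # 0 - 1 becomes 2**256 - 1


def checked_add(a, b):
    c = evm_add(a, b)
    if c < a:
        raise OverflowError("uint256 addition overflow")
    return c


def checked_mul(a, b):
    c = (a * b) & UINT256_MAX
    if a != 0 and c // a != b:
        raise OverflowError("uint256 multiplication overflow")
    return c


def wad_mul_unscaled(x, y):
    """The unit error: both inputs carry 10**18, so the result carries 10**36."""
    return checked_mul(x, y)


def wad_mul(x, y):
    """Correct fixed-point product: scale back to a single factor of 10**18."""
    return checked_mul(x, y) // WAD


def rebase_scenario(mul):
    """Record a new supply with `mul` and test whether quorum is reachable.

    Supply, growth factor and the 4% quorum are constructed values.
    """
    supply = 1_000_000 * WAD
    factor = 11 * WAD // 10                 # 1.1 in fixed point
    recorded = mul(supply, factor)          # what the contract stores
    circulating = wad_mul(supply, factor)   # tokens that can actually vote
    quorum = wad_mul(recorded, 4 * WAD // 100)
    return recorded, circulating >= quorum


@dataclass(frozen=True)
class Fixed:
    """Value tagged with its scale, as a richer type system would allow."""
    raw: int
    decimals: int

    def __add__(self, other):
        if self.decimals != other.decimals:
            raise TypeError("adding values with different scales")
        return Fixed(checked_add(self.raw, other.raw), self.decimals)

    def __mul__(self, other):
        # The raw product carries both scales; drop the other operand's.
        scaled = checked_mul(self.raw, other.raw) // 10**other.decimals
        return Fixed(scaled, self.decimals)
```

In the unscaled case the recorded supply is a factor of 10**18 too large, so the quorum threshold derived from it exceeds every token in circulation.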
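The slippage limit mentioned under single transaction sandwich attacks, and the reserve-ratio price described under multi-transaction sandwich attacks, can be seen in a fee-free constant-product pool. This is an added example, not code from the paper or from any AMM; pool sizes, trade sizes and the 50 basis point tolerance are constructed, and all names are hypothetical.

```python
"""Constant-product pool with a minimum-output (slippage) check.

Constructed for illustration; fees are omitted and all names and numbers
are hypothetical.
"""
from fractions import Fraction


class Reverted(Exception):
    """Stands in for a reverted transaction."""


class ConstantProductPool:
    def __init__(self, reserve_a, reserve_b):
        self.reserve_a = reserve_a
        self.reserve_b = reserve_b

    def spot_price(self):
        """Instantaneous price of A in units of B: the ratio of reserves."""
        return Fraction(self.reserve_b, self.reserve_a)

    def quote_a_for_b(self, amount_in):
        """Output that keeps reserve_a * reserve_b from decreasing."""
        return self.reserve_b * amount_in // (self.reserve_a + amount_in)

    def swap_a_for_b(self, amount_in, min_out=0):
        out = self.quote_a_for_b(amount_in)
        if out < min_out:
            raise Reverted("output below the trader's limit")
        self.reserve_a += amount_in
        self.reserve_b -= out
        return out


def min_out_for(quote, tolerance_bps):
    """Smallest acceptable output for a quote and a tolerance in basis points."""
    return quote * (10_000 - tolerance_bps) // 10_000


def trade_after_price_move(prior_swap_in, amount_in=10_000, tolerance_bps=50):
    """Quote against the observed pool, then execute after the reserves moved.

    Returns (quote, executed, output).
    """
    pool = ConstantProductPool(1_000_000, 1_000_000)
    quote = pool.quote_a_for_b(amount_in)
    limit = min_out_for(quote, tolerance_bps)
    pool.swap_a_for_b(prior_swap_in)  # another trade lands first
    try:
        return quote, True, pool.swap_a_for_b(amount_in, min_out=limit)
    except Reverted:
        return quote, False, 0
```

A price move that costs the trader less than the tolerance still executes, which is the sense in which the limit only prevents manipulations above that amount.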

Economic Security
A DeFi protocol is economically secure if the protocol aligns incentives among all interacting agents such that non-technical exploits are economically infeasible.

Economic Rationality. A central assumption in considering the class of economic security attacks is that of economic rationality. Following the standard game theoretic approach, we denote the strategy for player $i$ as $s_i$. A strategy is a plan for what to do at each decision node (equivalently, information set) that the agent is aware they might reach. For example, a strategy would define what action an agent would take in the event that it finds itself in a protocol that becomes undercollateralized. A strategy $s_{1,i} \in S_i$ for player $i$ strictly dominates another strategy $s_{2,i} \in S_i$ if regardless of the actions of other agents, strategy $s_{1,i}$ will always result in a higher payoff to the agent. Economic rationality is then defined as follows.

Economic Rationality
An agent is rational iff they will never play a strictly dominated strategy.

Moreover, common knowledge of rationality means that all agents know no agent will play a strictly dominated strategy.

While most economic security analysis ought to consider attackers who have profit-maximizing objectives, it can also be important to consider attackers with other objectives. For instance, an attacker who wishes to shut down the system may decide to attack as long as the cost is of a moderate level. In this sense, the economic security depends on system interruptions being too costly to effect.

Incentive Compatibility. Incentive compatibility is originally a concept from game theory (e.g., [146]), but as a concept has seen some adaptation in the context of cryptoeconomics and in particular DeFi.

Following [147], agents can be considered to be of different types, which are commonly denoted $\theta \in \Theta$. Agents report their type to the game designer, with the reported type conventionally denoted $\hat{\theta}$. A mechanism is a mapping from the set of reported agent types to a set of outcomes $Y$, i.e. $f(\theta) : \Theta \to Y$, where an outcome is taken to comprise an allocation of goods $x \in X$ and a transfer of money $t \in T$. In the case of full information, the social choice function maps agents' true types $\theta$ to an allocation of goods $x \in X$. A mechanism is incentive compatible if agents can do no better than report their true type to the game designer, i.e. $\hat{\theta}(\theta) = \theta$. In the cryptoeconomic setting, incentive compatibility takes an adapted form: a mechanism is incentive compatible if agents are incentivized to execute the mechanism as intended

A central question in the context of incentive compatibility, considered in [40], is the sustainability of the mechanism implemented by a system (i.e., will the incentives arising from the system allow the system to be economically secure and stable long-term). In [40], for stablecoins, this is separated into a question of incentive security, which is included in our concept of economic security, and a question of economic stability, which is a further question of whether an economically secure system actually plays out to the desired equilibrium envisioned by the designers.

We primarily focus on the direct security questions in this paper; however, similar questions to economic stability apply to protocols other than stablecoins as well. For instance, when designing synthetic derivatives built using dynamic portfolios (and implemented as AMM pools), a lingering question is how well these designs can replicate the derivative payoffs under extreme conditions. As a comparison, synthetic portfolio insurance in traditional markets can break down when markets move too fast for the strategy to rebalance (see Ch. 13 in [86]). AMM pools aim to rebalance over much shorter timescales, and so may have an advantage here, but are also suboptimal in other areas of rebalancing.

A. Overcollateralization as Security

Collateralization is one of the primary devices to ensure economic security in a protocol. As outlined in Section III-B, in a trustless system without strong identities or legal recourse, overcollateralization creates the economic incentive for the loan to be repaid, or at least insures the lender against losses. As asset prices evolve over time, these systems generally allow automated deleveraging: if an agent's level of collateralization (value of collateral / value of borrowing) falls below a protocol-defined threshold, an arbitrager in the system can reduce the agent's borrowing exposure in return for a portion of their collateral at a discounted valuation. This aims to keep the system fully collateralized or solvent.

Overcollateralization is not without risks, however. For instance, as explored in [124], [149], times of financial crisis (wherein there are persistent negative shocks to collateral asset prices) can result in thin, illiquid markets, in which loans may become undercollateralized despite an automated deleveraging process. For instance, in such settings, it can become unprofitable for liquidators, a type of keeper, to initiate liquidations. Should this occur, rational agents will leave their debt unpaid as that results in a greater payoff.

Another type of deleveraging risk arises when the borrowed asset has endogenous price effects, for instance when its price is affected by other agents' decisions in the system or when it is manipulable. For instance, this is the case in non-custodial stablecoins like Dai that are based on leverage markets (Dai
(see e.g. [148]). is created by ‘borrowing’ it against collateral and similarly
Cryptoeconomic Incentive Compatibility must be returned to later release the collateral). As explored in
[150], [151], such stablecoins can have deleveraging feedback
A mechanism (or protocol) is incentive compatible iff agents
effects that lead to volatility in the stablecoin itself. In regions
are incentivized to execute the game as intended by the
of instability, the stablecoin will tend to become illiquid and
protocol designer.
appreciate in price (more so as they need to be purchased for

11
liquidations), which can force speculative agents who have leveraged their positions to pay premium prices to deleverage. This causes their collateral to draw down faster than may be expected, which makes the system in total less healthy and may lead to shortfalls in collateralization. This was later directly observed in Dai on ‘Black Thursday’ [152]. As further discussed in [151], such a stablecoin requires uncorrelated collateral assets to be fully stabilized from such deleveraging effects as stable regions are related to submartingales (i.e., agents expect collateral asset prices to appreciate). However, current uncorrelated assets are primarily centralized/custodial, which poses a challenge for non-custodial designs.

B. Threats from Miner Extractable Value

An assumption by many blockchain protocols is that the block reward is sufficient to incentivize “correct” miner behavior. However, there are consensus layer risks should the MEV exceed the block reward. The simplest example of MEV is double spending of coins, which is commonly considered in base layer incentives. DeFi applications give rise to many new sources of MEV. For instance, (1) DEXs present atomic arbitrage opportunities between different trading pairs, as explored in [32], and (2) stablecoins built on leverage markets (like Dai) present arbitrage opportunities in liquidating leveraged positions, as explored in [150]. Similarly, other protocols, like PLFs, that utilize liquidation mechanisms also create MEV opportunities. Further, MEV can arise when miners are incentivized to re-order or exclude transactions based on cross-chain payments happening on other chains [153]. These are not exhaustive; there are additionally many other ways in which miners could manipulate DeFi protocols to extract value. It’s worth noting that these are not just hypothetical concerns; they have actually been observed–e.g., [154], [155].

The practicality of MEV threats has been highlighted in [32], where the prevalent dangers of undercutting and time-bandit attacks are presented. In an undercutting attack [156], an adversarial miner would fork off a block with high MEV, while holding back some of the extractable value in order to incentivize other miners to direct their computational efforts towards the adversary’s chain. In a time-bandit attack [32], an attacker forks from some previous block and sources expected MEV to increase his computational power and pursue a 51% attack until the expected MEV is realized. Hence, time-bandit attacks are a consensus layer risk and can be a direct consequence of historic on-chain actions which could profit a miner at some later point. A further threat is that miners could collude to set up more MEV opportunities over time, for instance by censoring transactions to top up collateral in crises and thus creating more liquidation events, as discussed in [150]. This is very similar to events on Black Thursday, in which mempool manipulations contributed to inefficient liquidation auctions in Maker [154].

C. Governance Risks

Protocol governance often introduces means to update system parameters and even redefine entire contracts. In many cases, this may be a necessary component for the system to evolve over time. However, governance can also introduce manipulation vectors that affect security. Governance of a DeFi protocol is typically tied to holders of governance tokens, which can often be thought of as shares in the protocol.

In systems where there is large flexibility for governance to change the system, an important question is where governance token value comes from. A typical aim is for the protocol to incentivize good stewardship from its governance token holders by compensating governance with cashflows from the system. In this case, governance token value is derived from future discounted cashflows. Another possibility is that governance is directly aligned with underlying users–e.g., because they are the same.

However, if these incentives aren’t of sufficient size, then the governance token value may come from less desirable token uses–e.g., to effect changes to the protocol in ways that provide governors outside benefit but may harm the system. For instance, Cream governance added very risky but closely held collateral assets, arguably to their benefit but against the interests of the protocol [157]. Another hypothetical governance attack to indirectly extract collateral value is described in [158]. In cases like these, governance may not be incentive compatible. And if the value of governance tokens from incentive compatible sources crashes, the region of incentive compatibility also shrinks, and it may become profitable for a new coalition of governors to form to attack the protocol. This is increasingly problematic given the ease and low cost with which governance tokens may be obtained via flash loans and PLFs. Other complications arise in the need to protect minority rights within the protocol–e.g., building in limitations so that a majority of governors can’t unilaterally change the game to, for instance, steal all value of the other minority or users.

The capital structure-like models developed in [40] can be applied more generally to DeFi protocols to model governance security and incentive compatibility around these issues. As can be understood in those models, these issues essentially arise because there may not be outside recourse (e.g., legal) in the pseudo-anonymous setting to disincentivize attacks and manipulations compared to the (idealized) traditional finance setup. Further, [40] conjectures that in the case of a fully decentralized stablecoin with multiple classes of interested parties and with a high degree of flexibility for governance design, there exists no long-term incentive compatible equilibrium. Intuitively, there are resulting costs of anarchy in such systems, which can be too much to bear. In such a case, rational agents would choose not to participate. However, they also conjecture that other DeFi systems, such as DEXs, may have wider incentive compatibility in similar situations due to the different structure of such systems.

D. Market and Oracle Manipulation

As the suppliers of off-chain information, oracles pose a fundamental component of DeFi protocols, particularly for sourcing price feeds. However, it is important to distinguish between (1) a price that is manipulated yet correctly supplied
by an oracle and (2) an oracle itself being manipulated. While we present each form of manipulation, note that the latter can be essentially modeled as a separate governance-type risk as discussed in [40].

1) Market Manipulation: We wish to quantify economic risks stemming from price manipulations in underlying markets while assuming the oracle follows a best practice implementation and is non-malicious. An adversary may manipulate the market price (on-chain or off-chain) of an asset over a certain time period if a profit can be realized as a consequence of the price manipulation–e.g., by taking positions in a DeFi protocol that uses that market price as an oracle. As discussed in Section IV, instantaneous AMM prices are easily manipulable with near zero cost and, as a result, should not be used as price oracles. Market manipulation problems persist even when we assume the oracle is not an instantaneous AMM price. In this case, there is a cost to market manipulation related to maintaining a market imbalance over time, whether in an AMM (e.g., to manipulate a time-weighted average price) or through filling unfilled orders in an order book. Depending on whether the market for an asset is thick or thin, the cost for an attacker to significantly change the asset’s price will be higher or lower, respectively. An example of such an attack would be to trigger liquidations by manipulating an asset’s price, as discussed in the context of stablecoins in [150]. An attacker could profit either by purchasing liquidated collateral at a discount or shorting the collateral asset by speculating on a liquidation spiral. Such attacks are similar to short-squeezes in traditional markets. However, unlike with single transaction sandwich attacks, the aforementioned attack is not risk-free and could bring substantial losses to the attacker should it fail. In particular, markets and agents may react to such attacks in unpredicted ways.

To illustrate the potential of such attacks, the stablecoin DAI, which historically has thin liquidity, traded at a temporary price of $1.30 over a course of about 20 minutes on Coinbase Pro, a major centralized cryptoasset exchange, before returning to its intended $1 peg [159]. As a result, the Compound Open Price Feed [160], a cryptoasset price oracle which is in part based on prices signed by Coinbase, reported a DAI price of $1.23 to Compound for a short period of time. This incident triggered (arguably wrongful) liquidations on collateral worth approximately $89m, costing the liquidated Compound borrowers 23% (from the imbalanced DAI price) plus an additional 5% (the Compound liquidation incentive, i.e., the discount at which collateral is sold during a liquidation) on their liquidated assets.

2) Oracle Manipulation: Centralized oracles serve as a single point of failure and despite trusted execution environments [161] they remain vulnerable to the provider behaving maliciously if incentives are sufficient for manipulating the source of a data feed. Decentralized price oracles may use on-chain data, most notably on DEXs (specifically AMMs) for crypto-to-crypto price data. However, as outlined in Section IV-B, prices may be manipulable through intentionally created imbalances and thinly traded markets, even after remedying the technical security issues using, for instance, time-weighted average prices. Furthermore, on-chain DEX oracles inherently cannot price off-chain assets and fiat currencies. For instance, cryptoasset prices may be quoted in stablecoins through DEX oracles, but this faces the same inherent problem: we then rely on that stablecoin, which may be manipulated or fail, for the data feed.

As discussed in [40], decentralized oracle solutions for off-chain data exist. However, they are yet imperfect solutions. These tend to rely on Schelling point games, in which agents vote on the correct price values and are incentivized against having their stake slashed if their vote deviates from the consensus. However, tying incentives to consensus, when the correctness of the consensus decision is not objectively verifiable (as in this case), paves a vector for game theoretic attacks, like in Keynesian beauty contests. Widely used decentralized oracles, such as Chainlink [162], try to mitigate this problem by aggregating data feeds from multiple sources (e.g., by calculating the median) and relying on reputation systems to curate reliable sources. These systems may still suffer from similar game theoretic issues, however.

VI. OPEN RESEARCH CHALLENGES

There are many open research challenges in DeFi stemming from the technical and economic security issues presented in Sections IV and V.

A. Composability Risks

Cryptoassets can be easily and repeatedly tokenized and interchanged between DeFi protocols in a manner akin to rehypothecation. This offers the potential to construct complex, inter-connected financial systems, yet bears the danger of exposing agents to composability risks, which are as of yet mostly unquantified. An example of composability risk is the use of flash loans for manipulating instantaneous AMMs and financially exploiting protocols that use those AMMs as price feeds. This has repeatedly been exploited in past attacks (e.g. [10], [163], [142]). Many protocols still struggle to implement sufficient protective measures for addressing this risk.

The breadth of composability risks spans far beyond the negative externalities stemming from instantaneous AMM manipulations. For instance, there remain open questions about the consequences of the following types of exploitations on connecting systems: the accumulation of governance tokens to execute malicious protocol updates, the failure of non-custodial stablecoin incentives to ensure price stability, and failure of PLF systems to remain solvent. Note, however, that this list is far from exhaustive. These become increasingly important issues as more complex token wrapping structures stimulate higher degrees of protocol interconnectedness. For example, the use of PLF deposit tokens (as opposed to the tokens in their original forms) within AMM pools and strategies to earn yield on underlying assets through leverage by borrowing non-custodial stablecoins and depositing into PLFs or AMMs.
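Section V-D's point that oracle design decides whether a transient price distortion turns into liquidations, as an added Python example (not code from the paper or from any protocol it cites). The three venue feeds, the 150 USD / 100 DAI position and the 1.25 liquidation threshold are constructed assumptions; the $1.30 distortion lasting about 20 minutes, the $1.23 reported price and the 5% liquidation incentive are the figures from the Compound incident described above.

```python
from statistics import median

# Assumed protocol parameters for the illustration (not taken from a real deployment).
LIQUIDATION_THRESHOLD = 1.25  # minimum value of collateral / value of borrowing
LIQUIDATION_INCENTIVE = 0.05  # liquidator discount (the 5% quoted in the text)


def build_feeds(minutes=120, start=60, length=20, distorted=1.30):
    """Constructed per-minute DAI/USD prices on three hypothetical venues.

    Venue "a" trades at `distorted` for `length` minutes; "b" and "c" stay near the peg.
    """
    in_window = [start <= t < start + length for t in range(minutes)]
    return {
        "a": [distorted if hit else 1.00 for hit in in_window],
        "b": [1.01 if hit else 1.00 for hit in in_window],
        "c": [1.00] * minutes,
    }


def spot_oracle(feeds, source="a"):
    """Report the latest price of a single venue."""
    return list(feeds[source])


def median_oracle(feeds):
    """Report the per-minute median across all venues (a 'medianizer')."""
    return [median(prices) for prices in zip(*feeds.values())]


def twap_oracle(feeds, source="a", window=60):
    """Report the average of one venue's price over the last `window` minutes."""
    series = feeds[source]
    out = []
    for t in range(len(series)):
        recent = series[max(0, t - window + 1): t + 1]
        out.append(sum(recent) / len(recent))
    return out


def collateralization(collateral_usd, debt_dai, dai_price):
    """Value of collateral / value of borrowing, as defined in Section V-A."""
    return collateral_usd / (debt_dai * dai_price)


def liquidatable_minutes(oracle_prices, collateral_usd, debt_dai):
    """Minutes in which the oracle price puts the position below the threshold."""
    return [t for t, price in enumerate(oracle_prices)
            if collateralization(collateral_usd, debt_dai, price) < LIQUIDATION_THRESHOLD]


def liquidation_cost(repaid_dai, oracle_price, fair_price=1.00):
    """Collateral seized for `repaid_dai` of debt and the borrower's loss versus fair value.

    Simplifying assumption: the liquidator receives collateral worth the repaid
    debt at the oracle price, plus the incentive.
    """
    seized = repaid_dai * oracle_price * (1 + LIQUIDATION_INCENTIVE)
    return {"seized_usd": seized, "borrower_loss_usd": seized - repaid_dai * fair_price}


def compare(collateral_usd=150.0, debt_dai=100.0):
    """Count liquidatable minutes for the same position under four oracle designs."""
    feeds = build_feeds()
    oracles = {
        "spot(a)": spot_oracle(feeds),
        "median(a,b,c)": median_oracle(feeds),
        "twap(a,10m)": twap_oracle(feeds, window=10),
        "twap(a,60m)": twap_oracle(feeds, window=60),
    }
    return {name: len(liquidatable_minutes(prices, collateral_usd, debt_dai))
            for name, prices in oracles.items()}


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:15s} position liquidatable for {count:3d} of 120 minutes")
    print(liquidation_cost(100.0, 1.23))
```

With these constructed feeds the short averaging window only delays and shortens the exposure, which matches the text's point that manipulating a time-weighted price costs the effort of sustaining the imbalance. The median protects only while most venues remain undistorted.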
Recent works [76], [164] begin to explore protocol interdependence; however there remains a critical gap in DeFi research toward taxonomizing and formalizing models to quantify composability risks. This problem is elevated as a holistic view on the integrated protocols is necessary: failures might arise from both technical and economic risks. Ensuring safety of protocol composition will be close to impossible for any protocol designer and forms a major challenge for DeFi going forward.

B. Governance

We identify important research directions in governance:
• Generally, modeling incentive compatibility of governance in various systems. For instance, setting up models, finding equilibria, and understanding how other agents in the system respond. The models in [40] get this started in the context of stablecoins and additionally discuss how to extend to other DeFi protocols. There is moreover a range of discussions around simulating and formalizing governance incentives through tools like cadCAD [165].
• Formally exploring how technical security can be compromised by borrowing of governance tokens via flash loans and PLFs.
• From an economic security perspective, formally exploring how incentive compatibility is further complicated by the borrowing of governance tokens via PLFs.
• Generally, how to structure governance incentives to reward good stewardship: e.g., intrinsic vs. monetary reward, reward per vote vs. reward per token holder, and measures of good stewardship.
• Formally evaluating protection of minority agents in systems with flexible governance.

C. Oracles

We highlight a few open challenges about oracle design and security. Note that, in many cases, the oracle problem can also be directly related to the governance problem, as typically governors are tasked with choosing the oracles that are used.
• How to structure oracle incentives to maintain incentive compatibility to report correct prices. This is similar to governance design in some ways and needs to take into account the possible game theoretic manipulations that could be profitable.
• Designing and evaluating the security of various oracle strengthening methods: e.g., medianizers, reputation systems, and grounding reported prices based on on-chain verifiable metrics.

D. Miner Extractable Value

We identify important research directions in MEV:
• Developing methodology for quantifying the level of MEV opportunities. As we expand on below, we expect this problem to be computationally difficult.
• Developing methodology to quantify negative externalities of MEV–e.g., from wasted gas per block, upward gas price pressure.
• Designing mechanisms that protect against consensus layer instability risks that are induced by high MEV incentives.
• How the emergence of MEV opportunities endogenously affects agents’ behavior within DeFi protocols. Models for this are started in the context of stablecoins in [40].
• Developing mechanisms to secure protocols against time-bandit attacks that seek to rewrite the recent transaction history, which could, for example, aim to trigger and profit from increased protocol liquidations.

Toward the last point, [150] suggests that oracle price validity could be tied to recent block hashes to prevent such reorderings from extracting the protocol value, though potentially with costs to the economic security of the protocol in other ways.

We conjecture that the miner’s problem to optimize the MEV they extract in a block is NP-hard and additionally hard to approximate. To support this, it is quite easy to reduce a simplified version of the problem, in which the MEV of each transaction is fixed, to the knapsack problem. Note that while the knapsack problem is NP-hard, it is easy to approximate. In fact, we expect a more realistic version of the miner’s problem to be harder than knapsack because the transaction ordering the miner chooses also changes the MEV of the transactions (i.e., swapping two elements might change their weight in knapsack).

Several protective measures against MEV-based attacks have emerged. One takes the form of trust-based dark pools whereby unconfirmed transactions are routed to permissioned mempools hosted by a mining pool [166], [167], which is trusted to not extract MEV. Note, however, that this undermines the system’s decentralization objective and may thereby introduce issues of its own. A second approach tries to contain MEV by restricting certain DeFi roles that rebalance systems, and so could extract value, to a permissioned agent set (e.g., [168]). For instance, only permissioned agents may be able to perform liquidations in a protocol. Note that this similarly introduces decentralization issues and trust assumptions. A third proposal has been to create MEV auctions that sell the right to decide transaction ordering ahead-of-time, and so put an expected price on front-running [169]. This provides value that potentially goes back to the network. This is not without downsides as well, however. As discussed in [170], such a protocol would reduce frictions to turning MEV extraction, which is in general a very hard optimization problem, into a specialized industry that would end up extracting more MEV long-term. The concept of MEV auctions was further developed by the Flashbots research initiative [171], which proposes a mechanism by which miners delegate the task of finding the most profitable ordering of a transaction set to third party agents called searchers. Subsequently, searchers participate in a sealed bid auction and bid for their transaction bundle to be included by a miner in the next block. A first proof-of-concept implementation of an MEV Ethereum client implementing the proposed mechanism has been developed [172]. It remains an open problem to develop and evaluate the trade-offs of such
mechanisms.

E. Program Analysis

There exists a large amount of work [173], both in academia [113], [108], [174] and industry [175], [176], to analyze smart contract bugs and vulnerabilities. While smart contract analysis tools keep improving, the number and scale of smart contract exploits show no sign of decrease and are, on the contrary, becoming more frequent. Although program analysis tools are no silver bullet and cannot prevent all exploits, Table I and the discussed exploits in Section IV hint that there are some recurring patterns that could be automatically detected and prevented. We argue that improvements in program analysis could prevent many of the exploits we have seen.

Current program analysis tools can mainly be divided into two categories: (1) fully automatic tools checking for program invariants and (2) semi-automated verification tools checking for user-defined properties [174], [177], [178]. While the latter allow verifying business logic in ways that are not fully automatable, they are typically non-trivial to set up and require knowledge of software verification, which limits their use to projects with enough resources. On the other hand, fully automatic tools, which can be very easily set up and run, usually focus on checking properties of a single contract in isolation [108], [114], [176], [179], such as unchecked exceptions or integer overflows. However, they have not evolved yet to embrace the composable nature of smart contracts, which makes it impossible for such tools to reason about scenarios where the issue happens due to a change in something external to the smart contracts, such as a sudden change in a price returned by an oracle. Further, most tools reason very little about semantic properties of the smart contracts, such as how a particular execution path can influence its ERC-20 token balances. We believe that improvements in these areas will allow auditors and developers to analyze and deploy their contracts with more confidence, reducing the number of technical security exploits.

F. Undercollateralized Loans

As a means of protecting protocols from losses incurred by pseudonymous agents not repaying loans, overcollateralization serves as a fundamental building block in DeFi protocols. However, overcollateralized loans are expensive from an access to capital point of view, especially when compared to the cost of obtaining funds via traditional bank loans. Overcollateralization restricts capital access to a set of wealthy agents and incurs the opportunity cost of being unable to employ excess collateral elsewhere.

In DeFi, non-collateralized loans only exist in the form of flash loans and credit delegation lines, where the former is only available for the duration of a single transaction and the latter requires strong identities and trust in some legal system which holds parties liable in case of contract breach (e.g. Aave’s credit delegation [180]). While there has been research into collateral reduction mechanisms [181], [182], we identify a research gap for novel approaches that provide an agent with the ability to source liquidity via other forms of loans. A simple form is just to change the asset that is used as the security; for example, borrowers could collateralize non-fungible assets like domains or other digital goods.

However, another interesting form of undercollateralized loans can come in the form of start-up funding. The ICO wave of 2017/18 produced very few projects that managed to ship products to market. Improvements were suggested following this. One example is the DAICO, in which investors would fund a new organization by providing funds into a smart contract that has a predetermined ‘tap’ from which funds can be extracted over time. The investors would be able to withdraw the funds in case progress of the project failed to meet expectations [183]. This could be further combined with distributing governance tokens to investors over time.

G. Anonymity and Privacy

The anonymity and privacy of DeFi protocols is at present a significantly understudied area. There is a tension between users’ privacy being valuable in itself, while at the same time helping malicious users to escape the consequences of their actions. At present, a large proportion of DeFi transactions occurs in protocols built on Ethereum, wherein agents at best have pseudoanonymity. This means that if an agent’s real-world identity can be linked to an on-chain address, all the actions undertaken by the agent through that address are observable. While recent advances in zero-knowledge proofs [184], [185] and multi-party computations [186], [187] hold many promises, these technologies are yet to gain traction in the context of DeFi. One of the main friction points is the large computational cost of these technologies, which makes them very expensive to use and deploy in the context of DeFi. A decrease of computational cost of the underlying blockchain will be key to how widely privacy-preserving technologies can be deployed by DeFi protocols.

VII. CONCLUSION

In this paper, we provided the first SoK on DeFi, an increasingly complex system of financial applications which is exposed to its own classes of security risks. We introduced DeFi from two points of view: the DeFi Optimist and the DeFi Pessimist and subsequently examined the workings of DeFi systematically and at length. First, we laid out the primitives for DeFi to then categorize the existing DeFi protocols by the type of operation they provide. We examined the security challenges protocols are exposed to by making a distinction between technical and economic security risks. By doing so, we were able to systematize attacks that have been proposed in theory and/or occurred in practice into categories of attacks that either rely on an agent’s ability to generate risk-free profits by exploiting the technical structure of a blockchain or to game the incentive structure of a protocol to obtain a profit at the expense of the protocol. Finally, we drew the attention to open research challenges that require a holistic understanding of both the technical and economic risks.
Referring back to the views of the DeFi Optimist and Pessimist, in this paper, we are not weighing in on the moral trade-off, but present a set of tools to be able to evaluate it. While DeFi may have the potential for creating a permissionless and non-custodial financial system, the headwinds in the form of open security challenges remain strong. In the end, however, it is the blend between promise and challenge that makes DeFi an area worthwhile for technical and economic security research.

REFERENCES

[1] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2008.
[2] DeFi Pulse, “The decentralized finance leaderboard at defi pulse,” 2020. [Online]. Available: https://defipulse.com/
[3] Uniswap, “Uniswap,” 2020. [Online]. Available: https://app.uniswap.org/#/swap
[4] Coinbase, “Coinbase,” 2020. [Online]. Available: https://www.coinbase.com/
[5] O. Godbole, “Defi flippening comes to exchanges as uniswap topples coinbase in trading volume,” CoinDesk, 2020. [Online]. Available: https://www.coindesk.com/defi-flippening-uniswap-topples-coinbase-trading-volume
[6] DeFi Hacks, “Defi hacks,” 2021. [Online]. Available: https://defihacks.wiki/
[7] P. Baker, “Defi lender bzx loses $8m in third attack this year,” CoinDesk, 2020. [Online]. Available: https://www.coindesk.com/defi-lender-bzx-third-attack
[8] T. Wright, “Akropolis defi protocol ‘paused’ as hackers get away with $2m in dai,” 2020, accessed: 29-12-2020. [Online]. Available: https://cointelegraph.com/news/akropolis-defi-protocol-paused-as-hackers-get-away-with-2m-in-dai
[9] K. Reynolds and D. Pan, “Cover protocol attack perpetrated by ‘white hat,’ funds returned, hacker claims,” CoinDesk, 2020. [Online]. Available: https://www.coindesk.com/cover-protocol-attack-perpetrated-by-white-hat-all-funds-returned-hacker-claims
[10] Harvest Finance, “Harvest flashloan economic attack post-mortem,” 2020, accessed: 29-12-2020. [Online]. Available: https://medium.com/harvest-finance/harvest-flashloan-economic-attack-post-mortem-3cf900d65217
[11] M. Liu, “Urgent: Ousd was hacked and there has been a loss of funds,” 2020, accessed: 29-12-2020. [Online]. Available: https://medium.com/originprotocol/urgent-ousd-has-hacked-and-there-has-been-a-loss-of-funds-7b8c4a7d534c
[12] J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and E. W. Felten, “Sok: Research perspectives and challenges for bitcoin and cryptocurrencies,” in 2015 IEEE symposium on security and privacy. IEEE, 2015, pp. 104–121.
[13] S. Bano, A. Sonnino, M. Al-Bassam, S. Azouvi, P. McCorry, S. Meiklejohn, and G. Danezis, “Sok: Consensus in the age of blockchains,” in Proceedings of the 1st ACM Conference on Advances in Financial Technologies, 2019, pp. 183–198.
[14] L. Gudgeon, P. Moreno-Sanchez, S. Roos, P. McCorry, and A. Gervais, “Sok: Off the chain transactions,” IACR Cryptol. ePrint Arch., vol. 2019, p. 360, 2019.
[15] A. Zamyatin, M. Al-Bassam, D. Zindros, E. Kokoris-Kogias, P. Moreno-Sanchez, A. Kiayias, and W. J. Knottenbelt, “Sok: communication across distributed ledgers.” IACR Cryptol. ePrint Arch., 2020.
[16] R. Zhang, R. Xue, and L. Liu, “Security and privacy on blockchain,”
[20] DeFi Pulse, “What is defi?” 2019. [Online]. Available: https://defipulse.com/blog/what-is-defi/
[21] S. P. Jones, J.-M. Eber, and J. Seward, “Composing contracts: an adventure in financial engineering,” ACM SIGPLAN Notices, vol. 35, no. 9, pp. 280–292, 2000.
[22] R. Daniel and B. Roth, “weth — erc20 tradable version of eth,” 2020. [Online]. Available: https://weth.io/
[23] W. Bitcoin, “Wbtc wrapped bitcoin an erc20 token backed 1:1 with bitcoin,” 2020. [Online]. Available: https://wbtc.network/
[24] Synthetix, “Synthetix — decentralised synthetic assets,” 2020. [Online]. Available: https://www.synthetix.io
[25] F. Vogelsteller and V. Buterin, “Eip-20: Erc-20 token standard,” 2015. [Online]. Available: https://eips.ethereum.org/EIPS/eip-20
[26] W. Entriken, D. Shirley, J. Evans, and N. Sachs, “Eip-721: Erc-721 non-fungible token standard,” 2018. [Online]. Available: https://eips.ethereum.org/EIPS/eip-721
[27] M. Fröwis, A. Fuchs, and R. Böhme, “Detecting token systems on ethereum,” in International conference on financial cryptography and data security. Springer, 2019, pp. 93–112.
[28] J. Dafflon, J. Baylina, and T. Shababi, “Eip-777: Erc777 token standard,” 2017. [Online]. Available: https://eips.ethereum.org/EIPS/eip-777
[29] W. Radomski, A. Cooke, P. Castonguay, J. Therien, E. Binet, and R. Sandford, “Eip-1155: Erc-1155 multi token standard,” 2018. [Online]. Available: https://eips.ethereum.org/EIPS/eip-1155
[30] V. Minacori, “Eip-1363: Erc-1363 payable token,” 2020. [Online]. Available: https://eips.ethereum.org/EIPS/eip-1363
[31] A. Narayanan, J. Bonneau, E. Felten, A. Miller, and S. Goldfeder, Bitcoin and cryptocurrency technologies: a comprehensive introduction. Princeton University Press, 2016.
[32] P. Daian, S. Goldfeder, T. Kell, Y. Li, X. Zhao, I. Bentov, L. Breidenbach, and A. Juels, “Flash boys 2.0: Frontrunning, transaction reordering, and consensus instability in decentralized exchanges,” arXiv preprint arXiv:1904.05234, 2019.
[33] P. McCorry, A. Hicks, and S. Meiklejohn, “Smart contracts for bribing miners,” in International Conference on Financial Cryptography and Data Security. Springer, 2018, pp. 3–18.
[34] F. Winzer, B. Herd, and S. Faust, “Temporary censorship attacks in the presence of rational miners,” in 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 2019, pp. 357–366.
[35] R. Leshner and G. Hayes, “Compound: The money market protocol,” 2019. [Online]. Available: https://compound.finance/documents/Compound.Whitepaper.pdf
[36] AAVE, “Aave: Protocol whitepaper v1.0,” 2020, accessed: 13-08-2020. [Online]. Available: https://github.com/aave/aave-protocol/blob/master/docs/Aave_Protocol_Whitepaper_v1_0.pdf
[37] Maker, “The maker protocol: Makerdao’s multi-collateral dai (mcd) system,” accessed: 08-06-2020. [Online]. Available: https://makerdao.com/en/whitepaper/
[38] Synthetix, “Litepaper,” 2020, accessed: 06-12-2020. [Online]. Available: https://docs.synthetix.io/litepaper/
[39] J. Peterson and J. Krug, “Augur: a decentralized, open-source platform for prediction markets,” arXiv preprint arXiv:1501.01042, 2015.
[40] A. Klages-Mundt, D. Harz, L. Gudgeon, J.-Y. Liu, and A. Minca, “Stablecoins 2.0: Economic foundations and risk-based models,” in Proceedings of the 2nd ACM Conference on Advances in Financial Technologies, 2020, pp. 59–79.
[41] B. Liu and P. Szalachowski, “A first look into defi oracles,” 2020.
[42] W. Reijers, F. O’Brolcháin, and P. Haynes, “Governance in blockchain technologies & social contract theories,” Ledger, vol. 1, pp. 134–151,
ACM Computing Surveys (CSUR), vol. 52, no. 3, pp. 1–34, 2019. 2016.
[17] G. Wood et al., “Ethereum: A secure decentralised generalised trans- [43] R. Beck, C. Müller-Bloch, and J. L. King, “Governance in the
action ledger,” Ethereum project yellow paper, vol. 151, no. 2014, pp. blockchain economy: A framework and research agenda,” Journal of
1–32, 2014. the Association for Information Systems, vol. 19, no. 10, p. 1, 2018.
[18] V. Buterin, “A next-generation smart contract and decentralized appli- [44] B. E. Lee, D. J. Moroz, and D. C. Parkes, “The political economy of
cation platform,” white paper, vol. 3, no. 37, 2014. blockchain governance,” Available at SSRN 3537314, 2020.
[19] D. Perez and B. Livshits, “Broken metre: Attacking resource metering [45] Compound, “Compound finance,” 2019. [Online]. Available: https:
in EVM,” in 27th Annual Network and Distributed System Security //compound.finance/
Symposium, NDSS 2020, San Diego, California, USA, February [46] MakerDAO, “Makerdao,” 2019. [Online]. Available: https://makerdao
23-26, 2020. The Internet Society, 2020. [Online]. Available: .com/en/
https://www.ndss-symposium.org/ndss-paper/broken-metre-attacking- [47] Curve Finance, “Curve.fi,” 2020, accessed: 20-08-2020. [Online].
resource-metering-in-evm/ Available: https://www.curve.fi/

16
[48] Balancer Labs, “BAL – balancer governance token,” 2020, accessed: [74] Y. Zhang, X. Chen, and D. Park, “Formal specification of constant
20-08-2020. [Online]. Available: https://docs.balancer.finance/protoco product (xy= k) market maker model and implementation,” 2018.
l/bal-balancer-governance-token [Online]. Available: https://github.com/runtimeverification/verified-
[49] G. Hileman and M. Rauchs, “Global cryptocurrency benchmarking smart-contracts/blob/uniswap/uniswap/x-y-k.pdf
study,” Cambridge Centre for Alternative Finance, vol. 33, pp. 33– [75] G. Angeris, A. Evans, and T. Chitra, “When does the tail wag the dog?
113, 2017. Curvature and market making,” arXiv preprint arXiv:2012.08040, 2020.
[50] T. Moore and N. Christin, “Beware the middleman: Empirical analysis [76] L. Gudgeon, S. M. Werner, D. Perez, and W. J. Knottenbelt, “Defi
of bitcoin-exchange risk,” in International Conference on Financial protocols for loanable funds: Interest rates, liquidity and market effi-
Cryptography and Data Security. Springer, 2013, pp. 25–33. ciency,” in Proceedings of the 2nd ACM Conference on Advances in
[51] C. Decker and R. Wattenhofer, “Bitcoin transaction malleability and Financial Technologies, 2020, p. 92–112.
mtgox,” in European Symposium on Research in Computer Security. [77] M. Bartoletti, J. H.-y. Chiang, and A. Lluch-Lafuente, “Sok: Lending
Springer, 2014, pp. 313–326. pools in decentralized finance,” arXiv preprint arXiv:2012.13230, 2020.
[52] P. Rizzo, “Poloniex loses 12.3% of its bitcoins in latest bitcoin [78] D. Perez, S. M. Werner, J. Xu, and B. Livshits, “Liquidations: Defi on
exchange hack,” CoinDesk, 2014. [Online]. Available: https://www.coin a knife-edge,” arXiv preprint arXiv:2009.13235, 2020.
desk.com/poloniex-loses-12-3-bitcoins-latest-bitcoin-exchange-hack [79] K. Qin, L. Zhou, B. Livshits, and A. Gervais, “Attacking the defi
[53] T. Fusaro and M. Hougan, “Bitwise asset management: Presentation ecosystem with flash loans for fun and profit,” 2020.
to the us securities and exchange commission,” 2019. [Online]. [80] Alethio, “Illiquidity and bank run risk in defi,” 2019. [Online].
Available: https://www.sec.gov/comments/sr-nysearca-2019-01/srnys Available: https://medium.com/alethio/overlooked-risk-illiquidity-and-
earca201901-5164833-183434.pdf bank-runs-on-compound-finance-5d6fc3922d0d
[54] Alameda Research, “Investigation into the legitimacy of reported [81] T. Limited, “Tether: Fiat currencies on the bitcoin blockchain,”
cryptocurrency exchange volume,” 2019. [Online]. Available: https: 2016, accessed: 08-06-2020. [Online]. Available: https://tether.to/wp-
//ftx.com/volume-report-paper.pdf content/uploads/2016/06/TetherWhitePaper.pdf
[55] L. X. Lin, E. Budish, L. W. Cong, Z. He, J. H. Bergquist, M. S. [82] J. Lee, “Nubits,” 2014. [Online]. Available: https://nubits.com/NuWhi
Panesir, J. Kelly, M. Lauer, R. Prinster, S. Zhang et al., “Deconstructing tepaper.pdf
decentralized exchanges,” Stanford Journal of Blockchain Law & [83] F. Feng and B. Weickmann, “Set: A protocol for baskets of tokenized
Policy, 2019. assets,” 2019. [Online]. Available: https://www.setprotocol.com/pdf/se
[56] Index, “Index: A comprehensive list of decentralized exchanges t protocol whitepaper.pdf
(dex).” [Online]. Available: https://distribuyed.github.io/index/ [84] A. Cronje, “yEARN,” 2020. [Online]. Available: https://yearn.finance
[57] W. Warren and A. Bandeali, “0x: An open protocol for [85] CryptoCompare, “Cryptocompare exchange review, november 2020,”
decentralized exchange on the ethereum blockchain,” URL: 2020. [Online]. Available: https://www.cryptocompare.com/media/37
https://github.com/0xProject/whitepaper, 2017. 621821/cryptocompare exchange review 2020 11.pdf
[58] A. Zamyatin, D. Harz, J. Lind, P. Panayiotou, A. Gervais, and W. Knot- [86] J. Hull et al., Options, futures and other derivatives/John C. Hull.
tenbelt, “Xclaim: Trustless, interoperable, cryptocurrency-backed as- Upper Saddle River, NJ: Prentice Hall,, 2009.
sets,” in 2019 IEEE Symposium on Security and Privacy (SP). IEEE,
[87] J. Clark, “The replicating portfolio of a constant product market,”
2019, pp. 193–210.
Available at SSRN 3550601, 2020.
[59] Ren, “Ren,” 2021. [Online]. Available: https://renproject.io/
[88] A. Evans, “Liquidity provider returns in geometric mean markets,”
[60] IDEX, “Idex 2.0: The next generation ofnon-custodial trading,” URL: arXiv preprint arXiv:2006.08806, 2020.
https://idex.io/document/IDEX-2-0-Whitepaper-2019-10-31.pdf, 2019.
[89] BitMEX, “Bitmex perpetual contracts guide,” 2020. [Online].
[61] N. Beneš, “Introducing the dutchx,” 2017. [Online]. Available: Available: https://www.bitmex.com/app/perpetualContractsGuide
https://blog.gnosis.pm/introducing- the- gnosis- dutch- exchange-
[90] dYdX, “dydx,” 2019. [Online]. Available: https://dydx.exchange/
53bd3d51f9b2
[91] Opyn, “Opyn,” 2020. [Online]. Available: https://opyn.co/#/
[62] Gnosis, “Introduction to gnosis protocol,” 2020. [Online]. Available:
https://docs.gnosis.io/protocol/docs/introduction1/ [92] M. Wintermute, “Hegic: On-chain options trading protocol on
ethereum powered by hedge contracts and liquidity pools,” 2020,
[63] M. Egorov, “Stableswap - efficient mechanism for stablecoin liquidity,”
accessed: 13-11-2020. [Online]. Available: https://ipfs.io/ipfs/QmWy8
2019. [Online]. Available: https://www.curve.fi/stableswap-paper.pdf
x6vEunH4gD2gWT4Bt4bBwWX2KAEUov46tCLvMRcME
[64] Uniswap, “Uniswap whitepaper,” 2020, accessed: 26-08-2020.
[Online]. Available: https://hackmd.io/@HaydenAdams/HJ9jLsf [93] A. Niemerg, D. Robinson, and L. Livnev, “Yieldspace,” https://yield.
Tz#%F0%9F%A6%84-Uniswap-Whitepaper is/YieldSpace.pdf, 2020.
[65] F. Martinelli and N. Mushegian, “Balancer whitepaper: A non-custodial [94] M. Al-Bassam, A. Sonnino, and V. Buterin, “Fraud and data availability
portfolio manager, liquidity provider, and price sensor.” 2019, accessed: proofs: Maximising light client security and scaling blockchains with
26-08-2020. [Online]. Available: https://balancer.finance/whitepaper/ dishonest majorities,” arXiv preprint arXiv:1809.09044, 2018.
[66] A. A. Zarir, G. A. Oliva, Z. M. J. Jiang, and A. E. Hassan, “Developing [95] A. Zamyatin, Z. Avarikioti, D. Perez, and W. J. Knottenbelt, “Txchain:
cost-effective blockchain-powered applications: A case study of the Efficient cryptocurrency light clients via contingent transaction aggre-
gas usage of smart contracts transactions in the ethereum blockchain gation.” IACR Cryptol. ePrint Arch., vol. 2020, p. 580, 2020.
platform,” ACM Trans. Softw. Eng. Methodol, vol. 1, no. 1, 2020. [96] H. Kalodner, S. Goldfeder, X. Chen, S. M. Weinberg, and E. W. Felten,
[67] S. M. Werner, P. J. Pritz, and D. Perez, “Step on the gas? A better “Arbitrum: Scalable, private smart contracts,” in 27th {USENIX}
approach for recommending the ethereum gas price,” arXiv preprint Security Symposium ({USENIX} Security 18), 2018, pp. 1353–1370.
arXiv:2003.03479, 2020. [97] Bancor, “Bancor,” 2021. [Online]. Available: https://blog.bancor.netw
[68] S. Eskandari, S. Moosavi, and J. Clark, “Sok: Transparent dishonesty: ork/
front-running attacks on blockchain,” in International Conference on [98] O. Labs, “Offchain labs,” 2021. [Online]. Available: https://offchainla
Financial Cryptography and Data Security. Springer, 2019, pp. 170– bs.com/
189. [99] StarkWare, “Hello, cairo!” 2020. [Online]. Available: https://medium
[69] M. Koeppelmann, “Tweet,” 18 July 2020. [Online]. Available: .com/starkware/hello-cairo-3cb43b13b209
https://twitter.com/koeppelmann/status/1284502534208528385 [100] DiversiFi, “Diversifi,” 2020. [Online]. Available: https://www.deversif
[70] Gnosis, “API3 IDO incident - post mortem,” 2020. [Online]. Available: i.com/
https://hackmd.io/@n6YCqowrQduQ5u25wSoRXw/Hylnk7SjD [101] Ethhub, “Zk-rollups,” 2021. [Online]. Available: https://docs.ethhub.io
[71] R. Hanson, “Combinatorial information market design,” Information /ethereum-roadmap/layer-2-scaling/zk-rollups
Systems Frontiers, vol. 5, no. 1, pp. 107–119, 2003. [102] Loopring, “Loopring zkrollup exchange and payment protocol,” 2021.
[72] G. Angeris and T. Chitra, “Improved price oracles: Constant function [Online]. Available: https://loopring.org/#/
market makers,” Proceedings of the 2nd ACM Conference on Advances [103] W. Wallet, “Wasabi wallet,” 2021. [Online]. Available: https:
in Financial Technologies, 2020. //wasabiwallet.io/
[73] G. Angeris, H.-T. Kao, R. Chiang, C. Noyes, and T. Chitra, “An [104] Tornado, “Tornado,” 2021. [Online]. Available: https://tornado.cash/
analysis of uniswap markets,” Cryptoeconomic Systems Journal, 2019. [105] Zcash, “Zcash,” 2021. [Online]. Available: https://z.cash/

17
[106] N. Atzei, M. Bartoletti, and T. Cimoli, “A survey of attacks on ethereum [129] L. Zhou, K. Qin, C. F. Torres, D. V. Le, and A. Gervais, “High-
smart contracts (sok),” in International conference on principles of frequency trading on decentralized on-chain exchanges,” arXiv preprint
security and trust. Springer, 2017, pp. 164–186. arXiv:2009.14021, 2020.
[107] D. Perez and B. Livshits, “Smart contract vulnerabilities: Does anyone [130] H. A. Kalodner, M. Carlsten, P. Ellenbogen, J. Bonneau, and
care?” arXiv preprint arXiv:1902.06710, 2019. A. Narayanan, “An empirical study of namecoin and lessons for
[108] P. Tsankov, A. Dan, D. Drachsler-Cohen, A. Gervais, F. Buenzli, and decentralized namespace design.” in WEIS. Citeseer, 2015.
M. Vechev, “Securify: Practical security analysis of smart contracts,” [131] D. Robinson, “Etherum is a dark forest,” 2020, accessed: 24-11-2020.
in Proceedings of the 2018 ACM SIGSAC Conference on Computer [Online]. Available: https://medium.com/@danrobinson/ethereum-is-
and Communications Security, 2018, pp. 67–82. a-dark-forest-ecc5f0505dff
[109] M. Rodler, W. Li, G. O. Karame, and L. Davi, “Sereum: [132] L. Breidenbach, P. Daian, F. Tramèr, and A. Juels, “Enter the hydra:
Protecting existing smart contracts against re-entrancy attacks,” Towards principled bug bounties and exploit-resistant smart contracts,”
in Proceedings of 26th Annual Network & Distributed System in 27th {USENIX} Security Symposium ({USENIX} Security 18), 2018,
Security Symposium (NDSS), February 2019. [Online]. Available: pp. 1335–1352.
http://tubiblio.ulb.tu-darmstadt.de/111410/ [133] samczsun, “Escaping the dark forest,” 2020, accessed: 24-11-2020.
[110] dForce, “dforce,” 2020. [Online]. Available: https://dforce.network/ [Online]. Available: https://samczsun.com/escaping-the-dark-forest
[134] M. Swende, “Blockchain frontrunning,” 2017. [Online]. Available:
[111] W. Foxley and N. De, “Weekend attack drains decentralized protocol
https://swende.se/blog/Frontrunning.html
dforce of $25m in crypto,” CoinDesk, 2020. [Online]. Available:
https://www.coindesk.com/attacker-drains-decentralized-protocol- [135] W. Foxley, “Exploit during ethdenver reveals experimental nature
dforce-of-25m-in-weekend-attack of decentralized finance,” CoinDesk, 2020. [Online]. Available:
https://www.coindesk.com/exploit-during-ethdenver-reveals-experime
[112] Tokenlon, “imbtc,” 2020. [Online]. Available: https://tokenlon.im/im
ntal-nature-of-decentralized-finance
BTC#/
[136] P. Baker, “Defi project bzx exploited for second time in a
[113] L. Luu, D.-H. Chu, H. Olickel, P. Saxena, and A. Hobor, “Making week, loses $630k in ether,” CoinDesk, 2020. [Online]. Available:
smart contracts smarter,” in Proceedings of the 2016 ACM SIGSAC https://www.coindesk.com/defi-project-bzx-exploited-for-second-
conference on computer and communications security, 2016, pp. 254– time-in-a-week-loses-630k-in-ether
269. [137] T. Cooper, “imbtc uniswap pool drained for ∼$300k in eth,” 2020,
[114] C. F. Torres, J. Schütte, and R. State, “Osiris: Hunting for integer accessed: 20-01-2021. [Online]. Available: https://defirate.com/imbtc-
bugs in ethereum smart contracts,” in Proceedings of the 34th Annual uniswap-hack/
Computer Security Applications Conference, ser. ACSAC ’18. New [138] A. Tarasov, “Millions lost: The top 19 defi cryptocurrency hacks
York, NY, USA: Association for Computing Machinery, 2018, p. of 2020,” 2020. [Online]. Available: https://cryptobriefing.com/50-
664–676. [Online]. Available: https://doi.org/10.1145/3274694.327473 million-lost-the-top-19-defi-cryptocurrency-hacks-2020/
7 [139] 1inch, “Balancer pool with sta deflationary token incident,” 2020.
[115] S. Kalra, S. Goel, M. Dhawan, and S. Sharma, “ZEUS: analyzing [Online]. Available: https://1inch-exchange.medium.com/balancer-
safety of smart contracts,” in 25th Annual Network and Distributed hack-2020-a8f7131c980e
System Security Symposium, NDSS 2018, San Diego, California, [140] C. Harper, “Defi degens hit hard by eminence exploit will
USA, February 18-21, 2018. The Internet Society, 2018. [Online]. be partially compensated,” CoinDesk, 2020. [Online]. Available:
Available: http://wp.internetsociety.org/ndss/wp-content/uploads/sites/ https://www.coindesk.com/eminence-exploit-defi-compensated
25/2018/02/ndss2018 09-1 Kalra paper.pdf [141] Percent Finance, “Important announcement,” 2020. [Online]. Available:
[116] E. Foundation, “Solidity v0.8.0 documentation,” 2020, accessed: https://percent-finance.medium.com/important-announcement-d35f9a
12-01-2020. [Online]. Available: https://docs.soliditylang.org/en/v0.8. 0df112
0/index.html [142] B. Pirus, “Cheese bank’s multi-million-dollar hack explained by
[117] YAM, “Yam finance,” 2020. [Online]. Available: https://yam.finance/ security firm,” 2020, accessed: 29-12-2020. [Online]. Available:
[118] T. Claburn, “Single-line software bug causes fledgling yam https://cointelegraph.com/news/cheese-bank-s-multi-million-dollar-
cryptocurrency to implode just two days after launch,” 2020. hack-explained-by-security-firm
[Online]. Available: https://www.theregister.com/2020/08/13/yam cry [143] PeckShield, “88mph incident: Root cause analysis,” 2020. [Online].
ptocurrency bug governance/ Available: https://peckshield.medium.com/88mph-incident-root-cause-
[119] CertiK, “Yam finance smart contract bug analysis & future prevention,” analysis-ce477e00a74d
2020. [Online]. Available: https://certik.io/blog/technology/yam- [144] P. Thompson, “Defi project pickle finance exploited for $20 million,”
finance-smart-contract-bug-analysis-future-prevention 2020. [Online]. Available: https://coingeek.com/defi-project-pickle-
[120] YAM Finance, “Yam post-rescue attempt update,” 2020. [Online]. finance-exploited-for-20-million/
Available: https://medium.com/@yamfinance/yam-post-rescue-attemp [145] W. Foxley, “$10.8m stolen, developers implicated in alleged
t-update-c9c90c05953f smart contract ‘rug pull’,” CoinDesk, 2020. [Online]. Available:
[121] bZx Network, “bZx, The most powerful open finance protocol,” 2020. https://www.coindesk.com/compounder- developers- implicated-
[Online]. Available: https://bzx.network/ alleged-smart-contract-rug-pull
[146] T. Roughgarden, “Algorithmic game theory,” Communications of the
[122] PeckShield, “bzx hack full disclosure (with detailed profit analysis),”
ACM, vol. 53, no. 7, pp. 78–86, 2010.
2020. [Online]. Available: https://medium.com/@peckshield/bzx-hack-
full-disclosure-with-detailed-profit-analysis-e6b1fa9b18fc [147] J. C. Harsanyi, “Games with incomplete information played by
“bayesian” players, i–iii part i. the basic model,” Management science,
[123] opyn, “Opyn eth put exploit,” 2020. [Online]. Available: https:
vol. 14, no. 3, pp. 159–182, 1967.
//medium.com/opyn/opyn-eth-put-exploit-c5565c528ad2
[148] T. Roughgarden, “Transaction fee mechanism design for the ethereum
[124] L. Gudgeon, D. Perez, D. Harz, B. Livshits, and A. Gervais, “The blockchain: An economic analysis of eip-1559,” arXiv preprint
decentralized financial crisis,” in 2020 Crypto Valley Conference on arXiv:2012.00854, 2020.
Blockchain Technology (CVCBT), 2020, pp. 1–15. [149] H.-T. Kao, T. Chitra, R. Chiang, and J. Morrow, “An analysis of the
[125] LongForWisdom, “[urgent] flash loans and securing the maker market risk to participants in the compound protocol,” in Third Inter-
protocol,” 2020. [Online]. Available: https://forum.makerdao.com/t/u national Symposium on Foundations and Applications of Blockchains,
rgent-flash-loans-and-securing-the-maker-protocol/490 2020.
[126] Peckshield, “Value defi incident: Root cause analysis,” 2020, accessed: [150] A. Klages-Mundt and A. Minca, “(in) stability for the blockchain:
13-01-2021. [Online]. Available: https://peckshield.medium.com/value- Deleveraging spirals and stablecoin attacks,” arXiv preprint
defi-incident-root-cause-analysis-fbab71faf373 arXiv:1906.02152, 2019.
[127] Rekt, “Harvest finance - rekt,” 2020. [Online]. Available: https: [151] A. Klages-Mundt and A. Minca, “While stability lasts: A stochastic
//rekt.ghost.io/harvest-finance-rekt/ model of stablecoins,” arXiv preprint arXiv:2004.01304, 2020.
[128] ETH Tx Decoder, “Transaction analysis,” 2020, accessed: 13-01-2021. [152] E. Frangella, “Crypto black thursday: The good, the bad, and the ugly,”
[Online]. Available: https://ethtx.info/mainnet/0x9d093325272701d63 https://medium.com/aave/crypto-black-thursday-the-good-the-bad-
fdafb0af2d89c7e23eaf18be1a51c580d9bce89987a2dc1 and-the-ugly-7f2acebf2b83, 2020, accessed: 20-01-2021.

18
[153] A. Judmayer, N. Stifter, A. Zamyatin, I. Tsabary, I. Eyal, P. Gazi, [169] K. Floersch, “Mev auction: Auctioning transaction ordering rights as
S. Meiklejohn, and E. Weippl, “Pay to win: Cheap, crowdfundable, a solution to miner extractable value,” 2020, accessed: 18-12-2020.
cross-chain algorithmic incentive manipulation attacks on pow [Online]. Available: https://ethresear.ch/t/mev-auction-auctioning-tran
cryptocurrencies,” Cryptology ePrint Archive, Report 2019/775, 2019. saction-ordering-rights-as-a-solution-to-miner-extractable-value/6788
[Online]. Available: https://eprint.iacr.org/2019/775 [170] E. Felten, “Front-running as a service,” 29 Jun. 2020. [Online].
[154] Blocknative, “Evidence of mempool manipulation on black Available: https://medium.com/offchainlabs/front- running- as- a-
thursday: Hammerbots, mempool compression, and spontaneous service-334c929c945a
stuck transactions,” 2020. [Online]. Available: https://www.blocknativ
[171] thegostep, “Flashbots: Frontrunning the mev crisis,” 2020, accessed:
e.com/blog/mempool-forensics
18-12-2020. [Online]. Available: https://ethresear.ch/t/flashbots-
[155] P. Baker, “Miners trick stablecoin protocol pegnet, turning 11
frontrunning-the-mev-crisis/8251
into almost 7m hoard,” CoinDesk, 2020. [Online]. Available:
https://www.coindesk.com/miners-trick-stablecoin-protocol-pegnet- [172] Flashbots, “Mev-geth,” 2020, accessed: 18-12-2020. [Online].
turning-11-into-almost-7m-hoard Available: https://github.com/flashbots/mev-geth
[156] M. Carlsten, H. Kalodner, S. M. Weinberg, and A. Narayanan, “On [173] D. Harz and W. Knottenbelt, “Towards safer smart contracts:
the instability of bitcoin without the block reward,” in Proceedings of A survey of languages and verification methods,” arXiv preprint
the 2016 ACM SIGSAC Conference on Computer and Communications arXiv:1809.09805, 2018.
Security, 2016, pp. 154–167. [174] A. Permenev, D. Dimitrov, P. Tsankov, D. Drachsler-Cohen, and
[157] D. Rate, “Cream finance partially delists ftt amidst governance M. Vechev, “Verx: Safety verification of smart contracts,” in 2020 IEEE
contention,” 2021. [Online]. Available: https://defirate.com/cream-ftt- Symposium on Security and Privacy, SP, 2020, pp. 18–20.
delisting/ [176] J. Feist, “Slither – a solidity static analysis framework,” 2018.
[158] A. Klages-Mundt, “Vulnerabilities in maker: oracle-governance [Online]. Available: https://blog.trailofbits.com/2018/10/19/slither-a-
attacks, attack daos, and (de)centralization,” Nov. 14, 2019. [Online]. solidity-static-analysis-framework/
Available: https://link.medium.com/VZG64fhmr6 [177] D. Annenkov and B. Spitters, “Towards a smart contract verification
[159] Y. Khatri, “Dai price increase led to a massive $88 million worth of framework in coq,” arXiv preprint arXiv:1907.10674, 2019.
liquidations at defi protocol compound,” 2020, accessed: 14-01-2021.
[Online]. Available: https://www.theblockcrypto.com/post/85850/dai- [178] X. Chen, D. Park, and G. Roşu, “A language-independent approach to
compound-dydx-liquidations-defi smart contract verification,” in International Symposium on Leveraging
[160] Compound, “Open price feed,” 2020, accessed: 06-12-2020. [Online]. Applications of Formal Methods. Springer, 2018, pp. 405–413.
Available: https://compound.finance/prices [179] ConsenSys, “Mythril,” 2021. [Online]. Available: https://github.com/C
[161] F. Zhang, E. Cecchetti, K. Croman, A. Juels, and E. Shi, “Town crier: onsenSys/mythril
An authenticated data feed for smart contracts,” in Proceedings of [180] AAVE, “Aave,” 2020. [Online]. Available: https://aave.com/
the 2016 aCM sIGSAC conference on computer and communications [181] D. Harz, L. Gudgeon, A. Gervais, and W. J. Knottenbelt, “Balance:
security, 2016, pp. 270–282. Dynamic adjustment of cryptocurrency deposits,” in Proceedings of
[162] S. Ellis, A. Juels, and S. Nazarov, “A decentralized oracle network,” the 2019 ACM SIGSAC Conference on Computer and Communications
2017. Security, 2019, pp. 1485–1502.
[163] A. Thurman, “Value defi protocol suffers $6 million flash loan exploit,”
2020, accessed: 29-12-2020. [Online]. Available: https://cointelegrap [182] D. Harz, L. Gudgeon, R. Khalil, and A. Zamyatin, “Promise: Leverag-
h.com/news/value-defi-protocol-suffers-6-million-flash-loan-exploit ing future gains for collateral reduction.” IACR Cryptol. ePrint Arch.,
[164] M. Nadler and F. Schär, “Decentralized finance, centralized ownership? vol. 2020, p. 532, 2020.
an iterative mapping process to measure protocol token distribution,” [183] V. Buterin, “Explanation of daicos,” 2018. [Online]. Available:
arXiv preprint arXiv:2012.09306, 2020. https://ethresear.ch/t/explanation-of-daicos/465
[165] OpenCollective, “cadcad,” 2020. [Online]. Available: https://cadcad.o [184] S. Panja and B. K. Roy, “A secure end-to-end verifiable e-voting system
rg/ using zero knowledge based blockchain.” IACR Cryptol. ePrint Arch.,
[166] I. Eyal and E. G. Sirer, “Majority is not enough: Bitcoin mining is vul- vol. 2018, p. 466, 2018.
nerable,” in Financial Cryptography and Data Security, N. Christin and [185] Y. Wang and A. Kogan, “Designing confidentiality-preserving
R. Safavi-Naini, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, blockchain-based transaction processing systems,” International Jour-
2014, pp. 436–454. nal of Accounting Information Systems, vol. 30, pp. 1–18, 2018.
[167] S. M. Werner and D. Perez, “Poolsim: A discrete-event mining pool
simulation framework,” in Mathematical Research for Blockchain [186] R. K. Raman, R. Vaculin, M. Hind, S. L. Remy, E. K. Pissadaki, N. K.
Economy, P. Pardalos, I. Kotsireas, Y. Guo, and W. Knottenbelt, Eds. Bore, R. Daneshvar, B. Srivastava, and K. R. Varshney, “Trusted multi-
Cham: Springer International Publishing, 2020, pp. 167–182. party computation and verifiable simulations: A scalable blockchain
[168] A. Cornje, “Keep3r network,” 22 Oct. 2020. [Online]. Available: approach,” arXiv preprint arXiv:1809.08438, 2018.
https://andrecronje.medium.com/keep3r-network-ba5af26c1f24 [187] F. Benhamouda, S. Halevi, and T. Halevi, “Supporting private data on
[175] Consensys, “Mythx: Smart contract security service for ethereum,” hyperledger fabric with secure multiparty computation,” IBM Journal
2021. [Online]. Available: https://mythx.io/ of Research and Development, vol. 63, no. 2/3, pp. 3–1, 2019.

19

You might also like