DeFiWarder: Protecting DeFi Apps from Token Leaking Vulnerabilities
Decentralized Finance (DeFi) apps have rapidly proliferated with the development of blockchain and smart contracts, and their maximum total value locked (TVL) has exceeded 100 billion dollars in the past few years. These apps allow users to interact and perform complicated financial activities. However, the vulnerabilities hiding in the smart contracts of DeFi apps have resulted in numerous security incidents, most of them leading to funds (tokens) leaking and causing severe financial loss. In this paper, we summarize the Token Leaking vulnerability of DeFi apps, which enables someone to abnormally withdraw funds that far exceed their deposits. Given the massive amount of funds held in DeFi apps, it is crucial to protect them from Token Leaking vulnerabilities. Unfortunately, existing tools have limitations in addressing this vulnerability.
To address this issue, we propose DeFiWarder, a tool that traces on-chain transactions and protects DeFi apps from Token Leaking vulnerabilities. Specifically, DeFiWarder first records the execution logs (traces) of smart contracts. It then accurately recovers the token transfers within transactions to capture the flow of funds between users and DeFi apps, as well as the relations between users, based on role mining. Finally, DeFiWarder applies anomaly detection to reveal Token Leaking vulnerabilities and the related attack behaviors. We conducted experiments to demonstrate the effectiveness and efficiency of DeFiWarder. Specifically, DeFiWarder successfully revealed 25 Token Leaking vulnerabilities in 30 DeFi apps. Moreover, its efficiency supports real-time detection of token leaking within on-chain transactions. In addition, we summarize five major causes of Token Leaking vulnerabilities to assist DeFi apps in protecting their funds.
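The pipeline sketched in the abstract (recover token transfers from traces, group addresses into actors by role mining, then flag actors whose withdrawals exceed their deposits) can be illustrated with a small detector. The following Python is an added example written for this page; it is not DeFiWarder's code and does not reproduce the paper's actual role-mining or anomaly-detection algorithms. The addresses, transaction ids, amounts, the "same-transaction forwarding" grouping heuristic and the 10% tolerance are all constructed assumptions.

```python
"""Toy token-leak detector over recovered token transfers (added example,
not DeFiWarder's implementation). All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

APP = "0xAPP"  # hypothetical DeFi app contract address


@dataclass(frozen=True)
class Transfer:
    tx: str      # constructed transaction id
    token: str   # token symbol
    src: str     # sender address
    dst: str     # receiver address
    amount: int  # amount in token base units


# Constructed sample of transfers recovered from execution traces.
SAMPLE_TRANSFERS = [
    Transfer("tx1", "USDX", "0xALICE", APP, 1000),           # Alice deposits
    Transfer("tx2", "USDX", "0xBOB", APP, 500),              # Bob deposits
    Transfer("tx3", "USDX", APP, "0xALICE", 600),            # Alice withdraws part
    Transfer("tx4", "USDX", APP, "0xMALLORY", 900),          # Mallory never deposited
    Transfer("tx4", "USDX", "0xMALLORY", "0xHELPER", 900),   # and forwards within the same tx
    Transfer("tx5", "USDX", "0xEVE", APP, 100),              # Eve deposits a little...
    Transfer("tx5", "USDX", APP, "0xEVE", 5000),             # ...and withdraws far more
    Transfer("tx6", "USDX", APP, "0xBOB", 540),              # Bob withdraws with 8% yield
]


class Roles:
    """Union-find over addresses; a stand-in for role mining (assumption)."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def mine_roles(transfers):
    """Group an app counterparty with any address it moves funds to or from
    inside the same transaction (helper contracts, intermediaries)."""
    roles = Roles()
    by_tx = defaultdict(list)
    for t in transfers:
        by_tx[t.tx].append(t)
    for txs in by_tx.values():
        counterparties = {t.dst for t in txs if t.src == APP} | \
                         {t.src for t in txs if t.dst == APP}
        for t in txs:
            if APP in (t.src, t.dst):
                continue
            if t.src in counterparties or t.dst in counterparties:
                roles.union(t.src, t.dst)
    return roles


def net_flows(transfers, roles):
    """Sum deposits into and withdrawals out of the app per (actor, token)."""
    deposits, withdrawals = defaultdict(int), defaultdict(int)
    for t in transfers:
        if t.dst == APP:
            deposits[(roles.find(t.src), t.token)] += t.amount
        elif t.src == APP:
            withdrawals[(roles.find(t.dst), t.token)] += t.amount
    return deposits, withdrawals


def detect_leaks(transfers, tolerance=0.10):
    """Return (actor, token, deposited, withdrawn) for actors whose withdrawals
    exceed deposits by more than the tolerance reserved for legitimate yield."""
    roles = mine_roles(transfers)
    deposits, withdrawals = net_flows(transfers, roles)
    alerts = []
    for (actor, token), out in withdrawals.items():
        inn = deposits.get((actor, token), 0)
        if out > inn * (1 + tolerance):
            alerts.append((actor, token, inn, out))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_leaks(SAMPLE_TRANSFERS):
        print("possible token leak:", alert)
```

Running the block flags Mallory (900 withdrawn against no deposit) and Eve (5000 withdrawn against 100 deposited), while Alice's partial withdrawal and Bob's 8% yield stay under the tolerance. The tolerance is the knob a real deployment would have to tune per app, since rewards, interest and price movements all legitimately let withdrawals exceed deposits by some margin.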
Thu 14 Sep (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)
15:30 - 17:00 | Vulnerability and Security 2 (Journal-first Papers / Industry Showcase (Papers) / Research Papers) at Room E. Chair(s): Ben Hermann (TU Dortmund)
15:30, 12m talk | An Industrial Practice for Securing Android Apps in the Banking Domain. Industry Showcase (Papers). Vikas K. Malviya (Singapore Management University), Phong Phan (i-Sprint Innovations Pte. Ltd), Yan Naing Tun (Singapore Management University), Albert Ching (i-Sprint Innovations Pte. Ltd), Lwin Khin Shar (Singapore Management University)
15:42, 12m talk | Combatting Front-Running in Smart Contracts: Attack Mining, Benchmark Construction and Vulnerability Detector Evaluation. Journal-first Papers. Wuqi Zhang (The Hong Kong University of Science and Technology), Lili Wei (McGill University), Shing-Chi Cheung (Hong Kong University of Science and Technology), Yepang Liu (Southern University of Science and Technology), Shuqing Li (The Chinese University of Hong Kong), Lu Liu (The Hong Kong University of Science and Technology), Michael Lyu (The Chinese University of Hong Kong)
15:54, 12m talk | Software Engineering Using Autonomous Agents: Are We There Yet? Industry Showcase (Papers). Samdyuti Suri (Accenture Tech Labs), Sankar Narayan Das (Accenture Tech Labs), Kapil Singi (Accenture), Kuntal Dey (Accenture Labs, India), Vibhu Saujanya Sharma (Accenture Labs), Vikrant Kaulgud (Accenture Labs, India)
16:06, 12m talk | DeFiWarder: Protecting DeFi Apps from Token Leaking Vulnerabilities. Research Papers. Jianzhong Su (Sun Yat-sen University), Xingwei Lin (Ant Group), Zhiyuan Fang (Sun Yat-sen University), Zhirong Zhu (Sun Yat-sen University), Jiachi Chen (Sun Yat-sen University), Zibin Zheng (Sun Yat-sen University), Wei Lv (Ant Group), Jiashui Wang (Zhejiang University)
16:18, 12m talk | VD-Guard: DMA Guided Fuzzing for Hypervisor Virtual Device. Research Papers. Yuwei Liu (Institute of Software, Chinese Academy of Sciences), Siqi Chen (Shanghai Jiao Tong University), Yuchong Xie (Shanghai Jiao Tong University), Yanhao Wang (Qi An Xin Group Corp.), Libo Chen (Shanghai Jiao Tong University), Bin Wang (Beijing Institute of Computer Technology and Applications), Yingming Zeng (Beijing Institute of Computer Technology and Applications), Zhi Xue (Shanghai Jiao Tong University), Purui Su (Institute of Software/CAS China)
16:30, 12m talk | Smart Prompt Advisor: Multi-objective Prompt Framework for Consistency and Best Practices. Industry Showcase (Papers). Kanchanjot Kaur Phokela (Accenture), Samarth Sikand (Accenture Labs), Kapil Singi (Accenture), Kuntal Dey (Accenture Labs, India), Vibhu Saujanya Sharma (Accenture Labs), Vikrant Kaulgud (Accenture Labs, India)