Smart Contract and DeFi Security Tools: Do They Meet the Needs of Practitioners?
The growth of the decentralized finance (DeFi) ecosystem built on blockchain technology and smart contracts has led to an increased demand for secure and reliable smart contract development. However, attacks targeting smart contracts are increasing, causing an estimated $6.45 billion in financial losses. Researchers have proposed various automated security tools to detect vulnerabilities, but their real-world impact remains uncertain.
In this paper, we aim to shed light on the effectiveness of automated security tools in identifying vulnerabilities that can lead to high-profile attacks, and their overall usage within the industry. Our comprehensive study encompasses an evaluation of five SoTA automated security tools, an analysis of 127 high-impact real-world attacks resulting in $2.3 billion in losses, and a survey of 49 developers and auditors working in leading DeFi protocols. Our findings reveal a stark reality: the tools could have prevented a mere 8% of the attacks in our dataset, amounting to $149 million out of the $2.3 billion in losses. Notably, all preventable attacks were related to reentrancy vulnerabilities. Furthermore, practitioners distinguish logic-related bugs and protocol layer vulnerabilities as significant threats that are not adequately addressed by existing security tools. Our results emphasize the need to develop specialized tools catering to the distinct demands and expectations of developers and auditors. Further, our study highlights the necessity for continuous advancements in security tools to effectively tackle the ever-evolving challenges confronting the DeFi ecosystem.
Wed 17 AprDisplayed time zone: Lisbon change
14:00 - 15:30 | Security 1Research Track / Journal-first Papers at Grande Auditório Chair(s): Letizia Jaccheri Norwegian University of Science and Technology (NTNU) | ||
14:00 15mTalk | Marco: A Stochastic Asynchronous Concolic Explorer Research Track Jie Hu University of California Riverside, Yue Duan Singapore Management University, Heng Yin UC Riverside Pre-print | ||
14:15 15mTalk | Smart Contract and DeFi Security Tools: Do They Meet the Needs of Practitioners? Research Track Stefanos Chaliasos Imperial College London, Marcos Antonios Charalambous Imperial College London, Liyi Zhou Imperial College London, Rafaila Galanopoulou University of Athens, Arthur Gervais Imperial College London, Dimitris Mitropoulos University of Athens, Ben Livshits Imperial College London | ||
14:30 15mTalk | DocFlow: Extracting Taint Specifications from Software Documentation Research Track Marcos Tileria Royal Holloway, University of London, Jorge Blasco Universidad Politécnica de Madrid, Santanu Dash University of Surrey | ||
14:45 15mTalk | Toward Improved Deep Learning-based Vulnerability Detection Research Track Adriana Sejfia University of Edinburgh, Satyaki Das University of Southern California, Saad Shafiq University of Southern California, Nenad Medvidović University of Southern California Pre-print | ||
15:00 15mTalk | Attention! Your Copied Data is Under Monitoring: A Systematic Study of Clipboard Usage in Android Apps Research Track Yongliang Chen City University of Hong Kong, Ruoqin Tang City University of Hong Kong, Chaoshun Zuo Ohio State University, Xiaokuan Zhang George Mason University, Lei Xue Sun Yat-Sen University, Xiapu Luo The Hong Kong Polytechnic University, Qingchuan Zhao City University of Hong Kong | ||
15:15 7mTalk | Evolution of Automated Weakness Detection in Ethereum Bytecode: a Comprehensive Study Journal-first Papers Monika di Angelo TU Wien, Thomas Durieux TU Delft, João F. Ferreira INESC-ID and IST, University of Lisbon, Gernot Salzer TU Wien Link to publication DOI Pre-print File Attached | ||