defi security instructors: dan boneh, arthur gervais
TRANSCRIPT
![Page 1: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/1.jpg)
Decentralized Finance
Instructors: Dan Boneh, Arthur Gervais, Andrew Miller, Christine Parlour, Dawn Song
DeFi Security
![Page 2: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/2.jpg)
DeFi Security Affects Multiple Layer
Network Layer
Blockchain Layer
Smart contract Layer
DeFi Protocol + Application Layer
Third party Layer
Network Services
DNS, IP, BGP
Network Protocols
P2P overlay, Peer discovery, Data propagation
Consensus
Proof-of-Work, Proof-of-Stake
Incentive Protocol
Block reward, MEV reward, TX fee
Data
Block, Transaction, Contract
Virtual Machine
Contract execution, State transition
Asset
Fungible, Non-Fungible
Atomic Composable DeFi
Exchange, Loan, Mixer, Liquidity incentive
UI
Wallet, Website, APIs
Other
Oracle data feed, Centralized governance
I can attack any layer!
2
![Page 3: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/3.jpg)
Network Layer Security
https://defi-learning.org
![Page 4: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/4.jpg)
Network Layer
4
▪ Why Network Layer?▪ Information dissemination and propagation.
▪ Latency matters!
▪ How many nodes?▪ Bitcoin: about 10’000 reachable full nodes (TCP/8333)
▪ Ethereum:
▪ Dogecoin:
▪ What type of nodes exist?▪ Full nodes
▪ Light nodes
![Page 5: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/5.jpg)
Exchange Transaction Propagation
5
![Page 6: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/6.jpg)
Exchange Transaction Propagation
6
![Page 7: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/7.jpg)
Exchange Transaction Propagation
7
![Page 8: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/8.jpg)
Exchange Transaction Propagation
8
![Page 9: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/9.jpg)
Network Layer – Spy Node
9
![Page 10: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/10.jpg)
Network Layer – Spy Node
10
![Page 11: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/11.jpg)
Front-running
11
![Page 12: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/12.jpg)
Back-running
12
![Page 13: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/13.jpg)
Eclipse Attacks
https://defi-learning.org
![Page 14: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/14.jpg)
Eclipse attacksHeilman et al., Usenix ’15
Denial of serviceDouble spending
Eclipse Attacks
14
![Page 15: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/15.jpg)
Request timeouts
15
Block timeout: 20 minutesTransaction timeout: 2 minutes
Victim
![Page 16: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/16.jpg)
Security Implications
▪ Adversary▪ Blinds victim from blocks and transaction > 20 min
▪ Experimental validation
▪ Impact▪ Double spend transactions
▪ Aggravated selfish mining
▪ Network wide Denial of Service
▪ Mitigations▪ Hardening measures
▪ Estimate waiting time for secure transactions 16
![Page 17: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/17.jpg)
1. Must be first peer to advertise Transaction/Block
Eclipse Requirements
17
Ok,new Hash,I wait
2. Victim should wait• Block timeout: 20 minutes• Transaction timeout: 2 minutes
![Page 18: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/18.jpg)
Being First on the Network Layer
18
Zurich
California
Frankfurt
Singapore
Hash
Hash
Hash
Hash
Bitcoin Network
Connections of Adversary 40 80 200 800Connections of Victim 40 40 40 40
Average success in being first 0.44±0.14
0.57±0.20
0.80±0.14
0.89±0.07
![Page 19: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/19.jpg)
FIFO queue
Network Layer Timeouts
19
▪ Transactions▪ After 2 minutes request from other peer (FIFO)
▪ Blocks (older Bitcoin version)▪ After 20 minutes disconnect and do nothing
▪ If received header, disconnect and request block from another peer
![Page 20: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/20.jpg)
Blockchain Layer Security
https://defi-learning.org
![Page 21: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/21.jpg)
Why Blockchain Layer?
▪ Double-Spending
▪ Selfish Mining
▪ Undercutting
▪ Bribery
21
![Page 22: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/22.jpg)
Double-Spending
22
![Page 23: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/23.jpg)
Increasing Mining Advantage with an Eclipse
▪ Idea from Eyal et. al:▪ Instead of publishing, keep a block private
▪ Other miners will perform wasteful computations
: hashing power of adversary
: propagation parameter 23
![Page 24: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/24.jpg)
Increasing Mining Advantage with an Eclipse
P: probability to eclipse a block to a miner 24
![Page 25: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/25.jpg)
Increasing Mining Advantage with an Eclipse
25
![Page 26: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/26.jpg)
Smart Contract Layer Security
https://defi-learning.org
![Page 27: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/27.jpg)
Smart Contract Layer
contract Wallet { uint balance = 10;
function withdraw(){ if(balance > 0) msg.sender.call.value(balance)(); balance = 0;} }
Transfer $$$ to the caller
▪ Programs that handle money▪ Executed on a blockchain, written in a high-level
language, compiled to VM code
▪ No patching after release
▪ What can go wrong?27
![Page 28: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/28.jpg)
The DAO attack
28
![Page 29: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/29.jpg)
Security Bug #1: Reentrancy
Wallet Contract
uint balance = 10;
function withdraw(){ if(balance > 0) msg.sender.call.value(balance)(); balance = 0;}
User Contract
function moveBalance() { wallet.withdraw();}...
withdraw()
function () payable { // log payment}
withdraw()
no transfer
Can the user contract withdraw more than 10 ether?
calls the default “payable” function
balance is zeroed after ether transfer
Later…
10 ether
29
![Page 30: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/30.jpg)
Wallet Contract
uint balance = 10;
function withdraw(){ if(balance > 0) msg.sender.call.value(balance)(); balance = 0;}
User Contract
function moveBalance() { wallet.withdraw();}...function () payable { wallet.withdraw();}
An adversary stole 3.6M Ether !
balance is zeroed after ether transfer
Calls withdraw() before balance is set to 0
Security Bug #1: Reentrancy
30
![Page 31: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/31.jpg)
address owner = ...;
function initWallet(address _owner) { owner = _owner;}
function withdraw(uint amount) { if (msg.sender == owner) { owner.send(amount); }}
Wallet Contract
Any user may change the wallet’s owner
Only owner can send ether
An attacker used a similar bug to steal $32M
Security Bug #2: Unprivileged write to storage
31
![Page 32: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/32.jpg)
Smart Contract Bug Exercise 1
32
contract Example { address public owner; string private mySecret; constructor { owner = msg.sender; } function setSecret(string _secret) public { require(msg.sender == owner); mySecret = _secret; } function getSecret() public returns (string) { require(msg.sender == owner); return mySecret; }}
Any variable is readable on the public Ethereum blockchain.
Declaring a variable private only restricts the automatic creation of getter for that variable, but does
not hide it.
Hint: who would be able to read mySecret?
![Page 33: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/33.jpg)
Smart Contract Bug Exercise 2
33
contract Vulnerable { mapping(address => bool) authorized; mapping(address => uint) balances; function refund(uint amount) public { require(authorized[msg.sender]); require(amount <= balances[msg.sender]); msg.sender.call.value(amount)(""); balances[msg.sender] -= amount; }}
The code is vulnerable to a reentrancy attack.
The balance of the msg.sender is only updated after a transfer is made. If the msg.sender is a contract and has a fallback
function that calls into the contract again, the msg.sender can deplete
the contract of the funds.
Hint: who can be msg.sender?
![Page 34: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/34.jpg)
Smart Contract Bug Exercise 2
34
contract Vulnerable { … // vulnerable as the previous example}
contract Exploit { Vulnerable v; function register(address contract) public { v = Vulnerable(contract); } function exploit() public { // your code here } // your code here}
Hint: check the previous example
![Page 35: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/35.jpg)
Smart Contract Bug Exercise 2 - Solution
35
contract Vulnerable { … // vulnerable as the previous example}
contract Exploit { Vulnerable v; function register(address contract) public { v = Vulnerable(contract); } function exploit() public { v.refund(1); } function () public { v.refund(1); }}
![Page 36: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/36.jpg)
Reentrant method calls (e.g., DAO bug)
Insecure coding, such as unprivileged writes (e.g., Multisig Parity bug)
Unexpected ether flows
Use of unsafe inputs (e.g., reflection, hashing, …)
More smart contract security bugs
36
![Page 37: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/37.jpg)
More smart contract security bugs
37https://consensys.github.io/smart-contract-best-practices/known_attacks/
![Page 38: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/38.jpg)
All possible contract behaviors Security
Bugs
Problem: Cannot enumerate all possible contract behaviors…
Automated security analysis
38
![Page 39: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/39.jpg)
Testing Dynamic analysisSymbolic execution
Static analysisFormal verification
Easy to implement, butvery limited guarantees
Better than testing, butcan still miss vulnerabilities
Strong guarantees, but manyfalse positives
Automated security analysis – Existing solutions
39
![Page 40: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/40.jpg)
DeFi Flash Loan „Attacks“
https://defi-learning.org
![Page 41: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/41.jpg)
+
Flash Loan Attacks
41
![Page 42: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/42.jpg)
Input: 130 USD gasOutput: 350,000 USDOptimal: 830,000 USD
bZx - Pump and Arbitrage Attack – February 2020
42
![Page 43: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/43.jpg)
bZx7,500 ETH Adversary
7,500 ETH
bZx – Oracle manipulation – February 2020
43
![Page 44: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/44.jpg)
bZx
Adversary
6,960 ETH92,419.70 sUSD
Uniswap
879.76 ETH243,441.12 sUSD
1,419.76 ETH151,021.42 sUSD
540 ETH
92,419.70 sUSD
Exchange rate: (step 2) 171.15 sUSD/ETH
bZx – Oracle manipulation – February 2020
44
![Page 45: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/45.jpg)
bZx
Adversary
6,960 ETH92,419.70 sUSD
Uniswap
1,419.76 ETH151,021.42 sUSD
Price:106.05 sUSD/ETH
540 ETH
92,419.70 sUSD
Exchange rate: (step 2) 171.15 sUSD/ETH
bZx – Oracle manipulation – February 2020
45
![Page 46: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/46.jpg)
46
bZx
Adversary
6,600 ETH156,003.79 sUSD
Uniswap
1,419.76 ETH151,021.42 sUSD
Price:106.05 sUSD/ETH
Kyber Reserve
0.91 ETH107,901.90 sUSD
360.91 ETH44,317.80 sUSD
360 ETH
63,584.09 sUSD
Exchange rate: (step 2) 171.15 sUSD/ETH; (step 3) 176.62 sUSD/ETH
bZx – Oracle manipulation – February 2020
![Page 47: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/47.jpg)
47
bZx
Adversary
6,600 ETH156,003.79 sUSD
Uniswap
1,419.76 ETH151,021.42 sUSD
Price:106.05 sUSD/ETH
Kyber Reserve
360.91 ETH44,317.80 sUSD
Price:108.44 sUSD/ETH
360 ETH
63,584.09 sUSD
Exchange rate: (step 2) 171.15 sUSD/ETH; (step 3) 176.62 sUSD/ETH
bZx – Oracle manipulation – February 2020
![Page 48: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/48.jpg)
48
bZx
Adversary
3,082.14 ETH1,099,841.39 sUSD
Uniswap
1,419.76 ETH151,021.42 sUSD
Price:106.05 sUSD/ETH
Kyber Reserve
360.91 ETH44,317.80 sUSD
Price:108.44 sUSD/ETH
Synthetix3,517.86 ETH
943,837.59 sUSD
Exchange rate: (step 2) 171.15 sUSD/ETH; (step 3) 176.62 sUSD/ETH; (step 4) 268.30 sUSD/ETH
bZx – Oracle manipulation – February 2020
![Page 49: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/49.jpg)
49
bZxAdversary
9,881.41 ETH
Uniswap
1,419.76 ETH151,021.42 sUSD
Price:106.05 sUSD/ETH
Kyber Reserve
360.91 ETH44,317.80 sUSD
Price:108.44 sUSD/ETH
Synthetix
1,099,841.39sUSD
6,799.27ETH
bZx – Oracle manipulation – February 2020
![Page 50: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/50.jpg)
Constrained Optimization Framework
50
![Page 51: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/51.jpg)
Optimizing the bZx attack 2
▪ Borrow 𝑋 ETH (bZx flash loan)▪ Convert 𝑝1 ETH to 𝑓1(𝑝1) sUSD (Uniswap)
▪ Convert 𝑝2 ETH to 𝑓2(𝑝2) sUSD (Kyber)
▪ Deposit 𝑝3 ETH for 𝑓3(𝑝3) sUSD (Synthetix)
▪ Collateralize 𝑧 sUSD to borrow 𝑔(𝑧) ETH
▪ z=𝑓1(𝑝1)+𝑓2(𝑝2)+𝑓3(𝑝3)
▪ Repay 𝑋 ETH (bZx flash loan)
▪ Objective: 𝑜=𝑔(𝑓1(𝑝1)+𝑓2(𝑝2)+𝑓3(𝑝3))−𝑋▪ s.t. 𝑝1+𝑝2+𝑝3<𝑋 51
![Page 52: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/52.jpg)
Optimizing the bZx attack 2
▪ Sequential Least Squares Programming (SLSQP)▪ SciPy
▪ Ubuntu 18.04.2, 16 CPU cores, 32 GB RAM
▪ Validation by concrete execution▪ Execution on the real blockchain state
52
![Page 53: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/53.jpg)
Sandwich Attacks
https://defi-learning.org
![Page 54: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/54.jpg)
Asset Xquantity
Asset Yquantity
constant
AMM – Automated Market Maker
54
![Page 55: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/55.jpg)
Sandwich Attack
55
![Page 56: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/56.jpg)
AMM – Constant product formula
56
![Page 57: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/57.jpg)
AMM – Constant product formula
57
![Page 58: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/58.jpg)
Expected Slippage
58
The expected increase or decrease in price based on the trading volume and available liquidity.
![Page 59: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/59.jpg)
Unexpected Slippage -> Worse Execution Price
59
![Page 60: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/60.jpg)
Unexpected Slippage -> Better Execution Price
60
![Page 61: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/61.jpg)
Slippage Protection
61
Configures a slippage protection threshold to prevent unacceptable slippage
![Page 62: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/62.jpg)
Slippage Protection
62
Transaction fails when crossing the slippage limit.
![Page 63: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/63.jpg)
Sandwich Attack Against Taker
63
Idea: Maximise the victim’s slippage
![Page 64: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/64.jpg)
Network layer + DeFi protocol layer
64
![Page 65: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/65.jpg)
Sandwich attack profitability
65
![Page 66: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/66.jpg)
Multiple Adversaries
66
Break-even of the attacker becomes harder to attain
![Page 67: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/67.jpg)
Advanced Sandwich Attack
67
![Page 68: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/68.jpg)
Blockchain Extractable Value
https://defi-learning.org
![Page 69: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/69.jpg)
What is Blockchain (or Miner) Extractable Value?
69
Price of collateral drops below health factor
Liquidation!
Who will liquidate?
![Page 70: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/70.jpg)
How much MEV?
70
![Page 71: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/71.jpg)
How much MEV? – Sandwich Attacks
71
![Page 72: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/72.jpg)
How much MEV? – Liquidations
72
![Page 73: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/73.jpg)
How much MEV? – Arbitrage
73
![Page 74: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/74.jpg)
Transaction Replay Attacks
https://defi-learning.org
![Page 75: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/75.jpg)
Generalized Front-Running
75
▪ “Copy Cat” or “Replay”▪ Observe transaction on the network layer
▪ Replace certain data, sign, and broadcast copy
▪ Potential Profit▪ 35M USD over 32 months
▪ 188,365 profitable transactions (0.02%)
▪ Real-time algorithm (0.18s ± 0.29)
![Page 76: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/76.jpg)
Generalized Front-Running Algorithm & Results
76
![Page 77: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/77.jpg)
BEV Forking and Chain Reorganisation
https://defi-learning.org
![Page 78: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/78.jpg)
The dangers of naively maximizing MEV
B1
B2
C2
MEV
MEV
Malicious Miner
Honest Miner
78
![Page 79: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/79.jpg)
The dangers of naively maximizing MEV
B1
B2
C2
MEV
MEV
🤔
B3Honest Miner
Malicious Miner
79
![Page 80: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/80.jpg)
The dangers of naively maximizing MEV
B1
B2
C3
MEV
B3
Malicious Miner
Honest Miner
Case 1:
Case 1:
Malicious miner forfeits MEV opportunity
80
![Page 81: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/81.jpg)
The dangers of naively maximizing MEV
B1
B2
C2
MEV
MEV
B3Honest Miner
Malicious Miner
Case 2:
Case 1:
Malicious miner forfeits MEV opportunity
Case 2:
Keeps mining block C2
81
![Page 82: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/82.jpg)
The dangers of naively maximizing MEV
B1
B2
C2
MEV
MEV
Case 2:
Case 1:
Malicious miner forfeits MEV opportunity
Case 2:
Keeps mining block C2C3
82
![Page 83: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/83.jpg)
The dangers of naively maximizing MEV
B1
B2
C2
MEV
MEV
B4
Honest Miner
Malicious Miner
Case 2:
Case 1:
Malicious miner forfeits MEV opportunity
Case 2:
Keeps mining on block C2
→ Waste computational power → Increase stale block rates and risks for:
● Double spending● Selfish mining
C3 C4
83
![Page 84: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/84.jpg)
Markov Decision Process (MDP)
84
Proof of WorkBlockchain
Consensus Layer Parameters
Network Layer Parameters
Parameter Stale Block RateMarkov Decision Process
Attacks
![Page 85: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/85.jpg)
Markov Decision Process (MDP)
85
B0
B1
State: (3, 1)
TX pays vendor
Honest chain
Attacker chain
Override Action
TX pays adversary
+ double-spendin
g value
85
![Page 86: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/86.jpg)
Reducing MEV is the key to security (example)
+ ==
10% miner
MEV, 4x average block reward
“On the just-in-time discovery of profit-generating transactions in defi protocols.” peer-reviewed at S&P’2186
![Page 87: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/87.jpg)
Reducing MEV is the key to security (example)
874x
��87
![Page 88: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/88.jpg)
BEV Relayer & How to Mitigate BEV?
https://defi-learning.org
![Page 89: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/89.jpg)
BEV Relay Architecture
89
![Page 90: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/90.jpg)
BEV Relayer Concerns
90
▪ BEV provably incentivises miners to fork (cf. S&P’21)
▪ BEV relayer centralise the P2P Network
▪ The relayer may resell/profit from searcher strategies
▪ The relay system doesn’t necessarily reduce P2P overhead
▪ A for profit company distributes the geth client to >50% of the miners
▪ Innocent users are being stolen from systematically
![Page 91: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/91.jpg)
Anti-MEV Solution Space
91
▪ Fair-Ordering on the Blockchain Layer▪ e.g., Aequitas Protocol Family
▪ Fixing MEV of existing dApps▪ Merging AMM DEX into one▪ On-chain aggregators such as A2MM (see DEX lecture)
▪ Designing MEV-Mindful dApps▪ Avoiding MEV by design
▪ e.g., a price oracle update immediate performs a liquidation
▪ Might not fix cross-chain MEV..
![Page 92: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/92.jpg)
Application-Specific MEV Mitigation
92
Swap X for Y
Price of X declines
Market X, Y
Market X, Y
Swap X for Y
Swap Y for X
▪ Causes▪ Back-run Flooding
▪ Network Congestions
▪ Price Gas Auctions
▪ Transaction Fee Increase
▪ The user forgoes an arbitrage opportunity.
![Page 93: DeFi Security Instructors: Dan Boneh, Arthur Gervais](https://reader030.vdocuments.site/reader030/viewer/2022032610/6238d4e6ac42b64b775c59f4/html5/thumbnails/93.jpg)
Application-Specific MEV Mitigation
93
Market X, Y
Market X, Y
Swap X for Y
Swap X for Y
Swap X for Y
��
OptimalRouting +Arbitrage
▪ Cons▪ Higher Gas Fees
▪ Pros▪ Better ex rate
▪ Arbitrage profit
▪ MEV reduction
▪ Healthier chain