Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

DeFiTail: DeFi Protocol Inspection through Cross-Contract Execution Analysis

Wenkai Li, Xiaoqi Li, Yuqing Zhang, Zongwei Li

TL;DR

DeFiTail tackles the difficulty of detecting multi-contract DeFi attacks by unifying external and internal execution paths at the code level, validating path feasibility with a symbolic execution stack, and learning from unified data paths $DP_\pi$ using a hybrid Transformer-GCN model. It introduces CFGs connection across contracts, data-path feasibility validation, and a fuse mechanism to combine sequence and graph features for robust detection of access-control and flash-loan exploits on EVM-compatible blockchains. Leveraging a dataset of 14,301 data paths from 3,216 hacked DeFi events, it reports state-of-the-art accuracies of 98.39% for access control, 97.43% for flash loans, and 86.67% on CVE detection, with ablation confirming the importance of CFG connection and data-path validation. The work advances practical DeFi protocol security by enabling bytecode-level inspection that generalizes across blockchains and supports open-source deployment.

Abstract

Decentralized finance (DeFi) protocols are crypto projects developed on the blockchain to manage digital assets. Attacks on DeFi have been frequent and have resulted in losses exceeding \$77 billion. However, detection methods for malicious DeFi events are still lacking. In this paper, we propose DeFiTail, the first framework that utilizes deep learning to detect access control and flash loan exploits that may occur on DeFi. Since the DeFi protocol events involve invocations with multi-account transactions, which requires execution path unification with different contracts. Moreover, to mitigate the impact of mistakes in Control Flow Graph (CFG) connections, we validate the data path by employing the symbolic execution stack. Furthermore, we feed the data paths through our model to achieve the inspection of DeFi protocols. Experimental results indicate that DeFiTail achieves the highest accuracy, with 98.39% in access control and 97.43% in flash loan exploits. DeFiTail also demonstrates an enhanced capability to detect malicious contracts, identifying 86.67% accuracy from the CVE dataset.

DeFiTail: DeFi Protocol Inspection through Cross-Contract Execution Analysis

TL;DR

DeFiTail tackles the difficulty of detecting multi-contract DeFi attacks by unifying external and internal execution paths at the code level, validating path feasibility with a symbolic execution stack, and learning from unified data paths using a hybrid Transformer-GCN model. It introduces CFGs connection across contracts, data-path feasibility validation, and a fuse mechanism to combine sequence and graph features for robust detection of access-control and flash-loan exploits on EVM-compatible blockchains. Leveraging a dataset of 14,301 data paths from 3,216 hacked DeFi events, it reports state-of-the-art accuracies of 98.39% for access control, 97.43% for flash loans, and 86.67% on CVE detection, with ablation confirming the importance of CFG connection and data-path validation. The work advances practical DeFi protocol security by enabling bytecode-level inspection that generalizes across blockchains and supports open-source deployment.

Abstract

Decentralized finance (DeFi) protocols are crypto projects developed on the blockchain to manage digital assets. Attacks on DeFi have been frequent and have resulted in losses exceeding \$77 billion. However, detection methods for malicious DeFi events are still lacking. In this paper, we propose DeFiTail, the first framework that utilizes deep learning to detect access control and flash loan exploits that may occur on DeFi. Since the DeFi protocol events involve invocations with multi-account transactions, which requires execution path unification with different contracts. Moreover, to mitigate the impact of mistakes in Control Flow Graph (CFG) connections, we validate the data path by employing the symbolic execution stack. Furthermore, we feed the data paths through our model to achieve the inspection of DeFi protocols. Experimental results indicate that DeFiTail achieves the highest accuracy, with 98.39% in access control and 97.43% in flash loan exploits. DeFiTail also demonstrates an enhanced capability to detect malicious contracts, identifying 86.67% accuracy from the CVE dataset.
Paper Structure (8 sections, 4 equations, 2 figures, 3 tables)

This paper contains 8 sections, 4 equations, 2 figures, 3 tables.

Table of Contents

  1. Introduction
  2. DeFiTail
  3. CFGs Connection
  4. Data Path Validation
  5. Model
  6. Experimental Evaluation
  7. Conclusion
  8. ACKNOWLEDGMENTS

Figures (2)

  • Figure 1: Overview of Framework. Above the dotted line is the training phase, and below the dotted line is the vulnerability prediction stage.
  • Figure 2: An Example of Symbolic Stack Execution. $\chi$ represents the placeholder of the calculation result.