Penetrating the Hostile: Detecting DeFi Protocol Exploits through Cross-Contract Analysis

Xiaoqi Li, Wenkai Li, Zhiquan Liu, Yuqing Zhang, Yingjie Mao

TL;DR

DeFiTail addresses the problem of detecting DeFi exploits by modeling attacker–victim interactions across contracts rather than focusing solely on individual contracts. It unifies external and internal paths, connects CFGs across contracts, and validates data-path feasibility with a symbolic execution stack, while leveraging a dual encoder that fuses sequence and graph features. Empirical results show high accuracy for access-control (≈98%) and flash-loan exploits (≈97%), and strong performance on CVE datasets (≈86.7%), demonstrating practical effectiveness across 25 EVM chains. The work offers a scalable, real-world capable framework that can detect cross-contract attack patterns and is complemented by open data and source code, enabling further exploration and deployment in DeFi security monitoring.

Abstract

Decentralized finance (DeFi) protocols are crypto projects developed on the blockchain to manage digital assets. Attacks on DeFi have been frequent and have resulted in losses exceeding $80 billion. Current tools detect and locate possible vulnerabilities in contracts by analyzing the state changes that may occur during malicious events. However, these victim-only approaches seldom cover the logic of the attacker's interaction intent. Furthermore, only a minuscule percentage of DeFi protocols experience attacks in real-world scenarios, which makes it hard for these detection tools to demonstrate practical effectiveness. In this paper, we propose DeFiTail, the first framework that uses deep learning for access control and flash loan exploit detection. By taking the cross-contract static data flow as input, DeFiTail automatically learns the attack logic in real-world malicious events that occur on DeFi protocols, capturing the threat patterns between attacker and victim contracts. Since DeFi protocol events involve interactions with multi-account transactions, the execution paths of external and internal transactions need to be unified. Moreover, to mitigate the impact of mistakes in Control Flow Graph (CFG) connections, DeFiTail validates the data path by employing a symbolic execution stack. We then feed the data paths through our model to inspect DeFi protocols. Comparative experiment results indicate that DeFiTail achieves the highest accuracy, with 98.39% in access control and 97.43% in flash loan exploits. DeFiTail also demonstrates an enhanced capability to detect malicious contracts, achieving 86.67% accuracy on the CVE dataset.
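To illustrate the idea of validating CFG connections with a symbolic stack, the following is an added example, not code from the paper or the DeFiTail repository. It is a simplified sketch under assumptions: the opcode subset, the block layout (`start`, `end`, `code`) and the function names `run_block` and `validate_path` are hypothetical, and χ stands for any value computed at run time.

```python
CHI = "χ"  # placeholder for a value only known at run time

# (pops, pushes) for a small constructed subset of EVM opcodes
EFFECT = {"ADD": (2, 1), "EQ": (2, 1), "ISZERO": (1, 1), "CALLER": (0, 1),
          "SLOAD": (1, 1), "SSTORE": (2, 0), "POP": (1, 0),
          "JUMPDEST": (0, 0), "JUMP": (1, 0), "JUMPI": (2, 0), "STOP": (0, 0)}

def run_block(block, stack):
    """Run one basic block on the symbolic stack; return its jump target or None."""
    target = None
    for op, *arg in block["code"]:
        if op == "PUSH":
            stack.append(arg[0])          # concrete immediate stays concrete
            continue
        pops, pushes = EFFECT[op]
        if len(stack) < pops:
            raise ValueError(f"stack underflow at {op}")
        popped = [stack.pop() for _ in range(pops)]
        if op in ("JUMP", "JUMPI"):
            target = popped[0]            # destination is the top stack item
        stack.extend([CHI] * pushes)      # results are tracked, not computed
    return target

def validate_path(blocks):
    """Check each edge of a candidate block path; return (ok, reason)."""
    stack = []
    for i, cur in enumerate(blocks):
        try:
            target = run_block(cur, stack)
        except ValueError as exc:
            return False, str(exc)        # path cannot execute at all
        if i + 1 == len(blocks):
            break
        nxt = blocks[i + 1]
        # JUMPI or a block without a jump may continue at the next offset
        falls_through = cur["code"][-1][0] != "JUMP" and nxt["start"] == cur["end"]
        if target == nxt["start"] or falls_through:
            continue
        if target == CHI:
            return False, f"unresolved jump target after block {cur['start']:#x}"
        return False, f"edge {cur['start']:#x}->{nxt['start']:#x} contradicts stack"
    return True, "path consistent with symbolic stack"

# Constructed sample: B0 jumps to 0x10, so B0->B1 is a real edge, B0->B2 is not
B0 = {"start": 0x00, "end": 0x04, "code": [("CALLER",), ("PUSH", 0x10), ("JUMP",)]}
B1 = {"start": 0x10, "end": 0x14, "code": [("JUMPDEST",), ("PUSH", 0), ("SSTORE",)]}
B2 = {"start": 0x20, "end": 0x22, "code": [("JUMPDEST",), ("STOP",)]}
```

A wrongly connected edge such as `validate_path([B0, B2])` is rejected because the concrete target left on the stack (0x10) does not match the successor's offset, while a target that is only χ is reported as unresolved rather than accepted.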

Paper Structure

This paper contains 28 sections, 10 equations, 6 figures, 8 tables, 1 algorithm.

Figures (6)

  • Figure 1: Overview of DeFiTail. Above the dotted line is the training phase, and below the dotted line is the vulnerability prediction stage.
  • Figure 2: A Motivating Example of the Attack Process in Euler Protocol. Steps ①-④ lead to insolvency of the attacker.
  • Figure 3: A Motivating Example of Related CFG Construction. ① and ② represent the sequence of contract connections.
  • Figure 4: An Example of Symbolic Stack Execution. $\chi$ represents the placeholder of the calculation result, and the blue rectangles mean the operands in or out of the stack for the current step.
  • Figure 5: The Encoder of Data Path Classification Model.
  • ...and 1 more figure