Decentralized Finance (DeFi) services are usually constructed by composing a variety of smart contracts. While composability is a key driver of the success of DeFi, it also creates security risks: adversaries may exploit interactions between newly deployed contracts and the pre-existing ones to inflict economic losses. We introduce MEV non-interference, a formal security notion for DeFi composability requiring that the maximal extractable value from a set of newly deployed contracts is not increased by interactions with the existing blockchain state. To support this notion, we define local MEV, a novel measure of economic attacks that focusses on the loss of a given set of victim contracts. We study two adversarial models, with bounded and unbounded wealth, and establish sufficient conditions and locality principles that enable modular reasoning about secure composability. We apply the framework to representative DeFi compositions, including exchanges, AMMs, options, lending pools, routers, and arbitrage contracts, showing how it distinguishes secure compositions from vulnerable ones. Our results provide a formal foundation for reasoning about the economic security of DeFi composit
Decentralized finance (DeFi) protocols now intermediate over USD 100 billion in value, including regulated stablecoins and tokenized assets deployed as collateral, yet no widely adopted framework operationalizes risk assessment at the rigor institutional adoption demands. Existing approaches emphasize protocol-specific parameter optimization or conceptual taxonomies without providing explainable, composability-aware, and structurally independent assessment methodologies. We propose a nine-dimension DeFi risk assessment framework extending the six-dimension taxonomy introduced by Moody's Analytics and Gauntlet with three novel dimensions: composability risk, comprehension debt, and temporal risk dynamics. We additionally introduce a transparency confidence modifier separating assessment reliability from risk severity. The framework is grounded in structural analysis of protocol dependencies conducted through an ontology-based protocol intelligence infrastructure covering more than 8,000 DeFi protocols. We retrospectively analyze 12 major DeFi-related incidents from 2024-2026 representing approximately USD 2.5 billion in direct losses. Five of the 12 incidents require at least one no
Bitcoin's limited programmability and transaction throughput have historically prevented native Bitcoin from participating in decentralized finance (DeFi) applications. Existing solutions depend on honest-majority thresholds, or centralized custodial entities that introduce significant trust requirements. This paper introduces Bitcoin Smart Accounts (BSA), a novel protocol that enables native Bitcoin to access DeFi through trust-minimized infrastructure while maintaining self-custody of funds. BSA achieves this through a combination of emulated Bitcoin covenants using Partially Signed Bitcoin Transactions (PSBTs) and Taproot scripts, a Trusted Execution Environment (TEE)-based arbitration system, and destination chain smart contracts that enable DeFi platforms to accept self-custodial Bitcoin as collateral without necessitating protocol-level modifications. The setup leverages liquidity secured by the Lombard Security Consortium which provides a twofold advantage: for a DeFi protocol, liquidators rely on fungible assets with deep liquidity to quickly exit positions, while for a depositor, the general trust assumptions of honest majority (m-of-n) are reduced to existential honesty (
The Barron space has become famous in the theory of (shallow) neural networks because it seemingly defies the curse of dimensionality. And while the Barron space (and generalizations) indeed defies (defy) the curse of dimensionality from the POV of classical smoothness, we herein provide some evidence in favor of the idea that the Barron space (and generalizations) does (do) not defy the curse of dimensionality with a nonclassical notion of smoothness which relates naturally to "infinitely wide" shallow neural networks. Like how the Bessel potential spaces are defined via the Fourier transform, we define so-called ADZ spaces via the Mellin transform; these ADZ spaces encapsulate the nonclassical smoothness we alluded to earlier. 38 pages, will appear in the dissertation of the author
Decentralized Finance (DeFi) staking is one of the most prominent applications within the DeFi ecosystem, where DeFi projects enable users to stake tokens on the platform and reward participants with additional tokens. However, logical defects in DeFi staking could enable attackers to claim unwarranted rewards by manipulating reward amounts, repeatedly claiming rewards, or engaging in other malicious actions. To mitigate these threats, we conducted the first study focused on defining and detecting logical defects in DeFi staking. Through the analysis of 64 security incidents and 144 audit reports, we identified six distinct types of logical defects, each accompanied by detailed descriptions and code examples. Building on this empirical research, we developed SSR (Safeguarding Staking Reward), a static analysis tool designed to detect logical defects in DeFi staking contracts. SSR utilizes a large language model (LLM) to extract fundamental information about staking logic and constructs a DeFi staking model. It then identifies logical defects by analyzing the model and the associated semantic features. We constructed a ground truth dataset based on known security incidents and audit
Lending within decentralized finance (DeFi) has facilitated over \$100 billion of loans since 2020. A long-standing inefficiency in DeFi lending protocols such as Aave is the use of static pricing mechanisms for loans. These mechanisms have been shown to maximize neither welfare nor revenue for participants in DeFi lending protocols. Recently, adaptive supply models pioneered by Morpho and Euler have become a popular means of dynamic pricing for loans. This pricing is facilitated by agents known as curators, who bid to match supply and demand. We construct and analyze an online learning model for static and dynamic pricing models within DeFi lending. We show that when loans are small and have a short duration relative to an observation time $T$, adaptive supply models achieve $O(\log T)$ regret, while static models cannot achieve better than $Ω(\sqrt{T})$ regret. We then study competitive behavior between curators, demonstrating that adaptive supply mechanisms maximize revenue and welfare for both borrowers and lenders.
This work explores the formation and propagation of systemic risks across traditional finance (TradFi) and decentralized finance (DeFi), offering a comparative framework that bridges these two increasingly interconnected ecosystems. We propose a conceptual model for systemic risk formation in TradFi, grounded in well-established mechanisms such as leverage cycles, liquidity crises, and interconnected institutional exposures. Extending this analysis to DeFi, we identify unique structural and technological characteristics - such as composability, smart contract vulnerabilities, and algorithm-driven mechanisms - that shape the emergence and transmission of risks within decentralized systems. Through a conceptual mapping, we highlight risks with similar foundations (e.g., trading vulnerabilities, liquidity shocks), while emphasizing how these risks manifest and propagate differently due to the contrasting architectures of TradFi and DeFi. Furthermore, we introduce the concept of crosstagion, a bidirectional process where instability in DeFi can spill over into TradFi, and vice versa. We illustrate how disruptions such as liquidity crises, regulatory actions, or political developments c
In this paper, we propose an analytical method to compute the collateral liquidation probability in decentralized finance (DeFi) stablecoin single-collateral lending. Our approach models the collateral exchange rate as a zero-drift geometric Brownian motion, and derives the probability of it crossing the liquidation threshold. Unlike most existing methods that rely on computationally intensive simulations such as Monte Carlo, our formula provides a lightweight, exact solution. This advancement offers a more efficient alternative for risk assessment in DeFi platforms.
Smart contracts power decentralized financial (DeFi) services but are vulnerable to security exploits that can lead to significant financial losses. Existing security measures often fail to adequately protect these contracts due to the composability of DeFi protocols and the increasing sophistication of attacks. Through a large-scale empirical study of historical transactions from the 37 hacked DeFi protocols, we discovered that while benign transactions typically exhibit a limited number of unique control flows, in stark contrast, attack transactions consistently introduce novel, previously unobserved control flows. Building on these insights, we developed CrossGuard, a novel framework that enforces control flow integrity onchain to secure smart contracts. Crucially, CrossGuard does not require prior knowledge of specific hacks. Instead, configured only once at deployment, it enforces control flow whitelisting policies and applies simplification heuristics at runtime. This approach monitors and prevents potential attacks by reverting all transactions that do not adhere to the established control flow whitelisting rules. Our evaluation demonstrates that CrossGuard effectively block
DeFi (Decentralized Finance) is one of the most important applications of today's cryptocurrencies and smart contracts. It manages hundreds of billions in Total Value Locked (TVL) on-chain, yet it remains susceptible to common DeFi price manipulation attacks. Despite state-of-the-art (SOTA) systems like DeFiRanger and DeFort, we found that they are less effective to non-standard price models in custom DeFi protocols, which account for 44.2% of the 95 DeFi price manipulation attacks reported over the past three years. In this paper, we introduce the first LLM-based approach, DeFiScope, for detecting DeFi price manipulation attacks in both standard and custom price models. Our insight is that large language models (LLMs) have certain intelligence to abstract price calculation from smart contract source code and infer the trend of token price changes based on the extracted price models. To further strengthen LLMs in this aspect, we leverage Foundry to synthesize on-chain data and use it to fine-tune a DeFi price-specific LLM. Together with the high-level DeFi operations recovered from low-level transaction data, DeFiScope detects various DeFi price manipulations according to systemati
Decentralized finance (DeFi) protocols are crypto projects developed on the blockchain to manage digital assets. Attacks on DeFi have been frequent and have resulted in losses exceeding $80 billion. Current tools detect and locate possible vulnerabilities in contracts by analyzing the state changes that may occur during malicious events. However, this victim-only approaches seldom possess the capability to cover the attacker's interaction intention logic. Furthermore, only a minuscule percentage of DeFi protocols experience attacks in real-world scenarios, which poses a significant challenge for these detection tools to demonstrate practical effectiveness. In this paper, we propose DeFiTail, the first framework that utilizes deep learning technology for access control and flash loan exploit detection. Through feeding the cross-contract static data flow, DeFiTail automatically learns the attack logic in real-world malicious events that occur on DeFi protocols, capturing the threat patterns between attacker and victim contracts. Since the DeFi protocol events involve interactions with multi-account transactions, the execution path with external and internal transactions requires to b
This paper presents OVer, a framework designed to automatically analyze the behavior of decentralized finance (DeFi) protocols when subjected to a "skewed" oracle input. OVer firstly performs symbolic analysis on the given contract and constructs a model of constraints. Then, the framework leverages an SMT solver to identify parameters that allow its secure operation. Furthermore, guard statements may be generated for smart contracts that may use the oracle values, thus effectively preventing oracle manipulation attacks. Empirical results show that OVer can successfully analyze all 10 benchmarks collected, which encompass a diverse range of DeFi protocols. Additionally, this paper also illustrates that current parameters utilized in the majority of benchmarks are inadequate to ensure safety when confronted with significant oracle deviations.
Cryptocurrency can be understood as a digital asset transacted among participants in the crypto economy. Every cryptocurrency must have an associated Blockchain. Blockchain is a Distributed Ledger Technology (DLT) which supports cryptocurrencies, this may be considered as the most promising disruptive technology in the industry 4.0 context. Decentralized finance (DeFi) is a Blockchain-based financial infrastructure, the term generally refers to an open, permissionless, and highly interoperable protocol stack built on public smart contract platforms, such as the Ethereum Blockchain. It replicates existing financial services in a more open and transparent way. DeFi does not rely on intermediaries and centralized institutions. Instead, it is based on open protocols and decentralized applications (Dapps). Considering that there are many digital coins, stablecoins and central bank digital currencies (CBDCs), these currencies should interact among each other sometime. For this interaction the Information Technology elements play an important whole as enablers and IT strategic alignment. This paper considers the strategic alignment model proposed by Henderson and Venkatraman (1993) and Lu
Total value locked (TVL) is widely used to measure the size and popularity of decentralized finance (DeFi). However, TVL can be easily manipulated and inflated through "double counting" activities such as wrapping and leveraging. As existing methodologies addressing double counting are inconsistent and flawed, we propose a new framework, termed "total value redeemable (TVR)", to assess the true underlying value of DeFi. Our formal analysis reveals how DeFi's complex network spreads financial contagion via derivative tokens, increasing TVL's sensitivity to external shocks. To quantify double counting, we construct the DeFi multiplier, which mirrors the money multiplier in traditional finance (TradFi). This measurement reveals substantial double counting in DeFi, finding that the gap between TVL and TVR reached \$139.87 billion during the peak of DeFi activity on December 2, 2021, with a TVL-to-TVR ratio of approximately 2. We conduct sensitivity tests to evaluate the stability of TVL compared to TVR, demonstrating the former's significantly higher level of instability than the latter, especially during market downturns: A 25% decline in the price of Ether (ETH) leads to a \$1 billio
Decentralized Finance (DeFi) refers to financial services that are not necessarily related to crypto-currencies. By employing blockchain for security and integrity, DeFi creates new possibilities that attract retail and institution users, including central banks. Given its novel applications and sophisticated designs, the distinction between DeFi services and understanding the risk involved is often complex. This work systematically presents the major categories of DeFi protocols that cover over 90\% of total value locked (TVL) in DeFi. It establishes a structured methodology to differentiate between DeFi protocols based on their design and architecture. Every DeFi protocol is classified into one of three groups: liquidity pools, pegged and synthetic tokens, and aggregator protocols, followed by risk analysis. In particular, we classify stablecoins, liquid staking tokens, and bridged (wrapped) assets as pegged tokens resembling similar risks. The full risk exposure of DeFi users is derived not only from the DeFi protocol design but also from how it is used and with which tokens.
The rise of Decentralized Finance (DeFi) has brought novel financial opportunities but also exposed serious security vulnerabilities, with flash loans frequently exploited for price manipulation attacks. These attacks, leveraging the atomic nature of flash loans, allow malicious actors to manipulate DeFi protocol oracles and pricing mechanisms within a single transaction, causing substantial financial losses. Traditional smart contract analysis tools address some security risks but often struggle to detect the complex, inter-contract dependencies that make flash loan attacks challenging to identify. In response, we introduce FlashDeFier, an advanced detection framework that enhances static taint analysis to target price manipulation vulnerabilities arising from flash loans. FlashDeFier expands the scope of taint sources and sinks, enabling comprehensive analysis of data flows across DeFi protocols. The framework constructs detailed inter-contract call graphs to capture sophisticated data flow patterns, significantly improving detection accuracy. Tested against a dataset of high-profile DeFi incidents, FlashDeFier identifies 76.4% of price manipulation vulnerabilities, marking a 30%
Decentralized Finance (DeFi) governance models have become increasingly complex due to the involvement of numerous independent agents, each with their own incentives and strategies. To effectively analyze these systems, we propose using Multi Agent Influence Diagrams (MAIDs) as a powerful tool for modeling and studying the strategic interactions within DeFi governance. MAIDs allow for a comprehensive representation of the decision-making processes of various agents, capturing the influence of their actions on one another and on the overall governance outcomes. In this paper, we study a simple governance game that approximates real governance protocols and compute the Nash equilibria using MAIDs. We further outline the structure of a MAID in MakerDAO.
This paper investigates the evolving landscape of decentralized finance (DeFi) by examining its foundational concepts, research trends, and ecosystem. A bibliometric analysis was conducted to identify thematic clusters and track the evolution of DeFi research. Additionally, a thematic review was performed to analyze the roles and interactions of key participants within the DeFi ecosystem, focusing on its opportunities and inherent risks. The bibliometric analysis identified a progression in research priorities, transitioning from an initial focus on technological innovation to addressing sustainability, environmental impacts, and regulatory challenges. Key thematic clusters include decentralization, smart contracts, tokenization, and sustainability concerns. The analysis of participants highlighted the roles of developers, liquidity providers, auditors, and regulators while identifying critical risks such as smart contract vulnerabilities, liquidity constraints, and regulatory uncertainties. The study underlines the transformative potential of DeFi to enhance financial inclusion and transparency while emphasizing the need for robust security frameworks and regulatory oversight to e
Decentralized finance (DeFi) is revolutionizing the traditional centralized finance paradigm with its attractive features such as high availability, transparency, and tamper-proofing. However, attacks targeting DeFi services have severely damaged the DeFi market, as evidenced by our investigation of 80 real-world DeFi incidents from 2017 to 2022. Existing methods, based on symbolic execution, model checking, semantic analysis, and fuzzing, fall short in identifying the most DeFi vulnerability types. To address the deficiency, we propose Context-Sensitive Concolic Verification (CSCV), a method of automating the DeFi vulnerability finding based on user-defined properties formulated in temporal logic. CSCV builds and optimizes contexts to guide verification processes that dynamically construct context-carrying transition systems in tandem with concolic executions. Furthermore, we demonstrate the effectiveness of CSCV through experiments on real-world DeFi services and qualitative comparison. The experiment results show that our CSCV prototype successfully detects 76.25% of the vulnerabilities from the investigated incidents with an average time of 253.06 seconds.