Wang Z, Chaliasos S, Qin K, et al., 2022, On How Zero-Knowledge Proof Blockchain Mixers Improve, and Worsen User Privacy
Zero-knowledge proof (ZKP) mixers are one of the most widely-used blockchain privacy solutions, operating on top of smart contract-enabled blockchains. We find that ZKP mixers are tightly intertwined with the growing number of Decentralized Finance (DeFi) attacks and Blockchain Extractable Value (BEV) extractions. Through coin flow tracing, we discover that 205 blockchain attackers and 2,595 BEV extractors leverage mixers as their source of funds, while depositing a total attack revenue of 412.87M USD. Moreover, the US OFAC sanctions against the largest ZKP mixer, Tornado.Cash, have reduced the mixer's daily deposits by more than 80%. Further, ZKP mixers advertise their level of privacy through a so-called anonymity set size, which similarly to k-anonymity allows a user to hide among a set of k other users. Through empirical measurements, we, however, find that these anonymity set claims are mostly inaccurate. For the most popular mixers on Ethereum (ETH) and Binance Smart Chain (BSC), we show how to reduce the anonymity set size on average by 27.34% and 46.02% respectively. Our empirical evidence is also the first to suggest a differing privacy-predilection of users on ETH and BSC. State-of-the-art ZKP mixers are moreover interwoven with the DeFi ecosystem by offering anonymity mining (AM) incentives, i.e., users receive monetary rewards for mixing coins. However, contrary to the claims of related work, we find that AM does not necessarily improve the quality of a mixer's anonymity set. Our findings indicate that AM attracts privacy-ignorant users, who then do not contribute to improving the privacy of other mixer users.
Qin K, Zhou L, Gamito P, et al., 2021, An empirical study of DeFi liquidations, Proceedings of the 21st ACM Internet Measurement Conference
Qin K, Zhou L, Afonin Y, et al., 2021, CeFi vs. DeFi -- Comparing Centralized to Decentralized Finance
To non-experts, the traditional Centralized Finance (CeFi) ecosystem may seem obscure, because users are typically not aware of the underlying rules or agreements of financial assets and products. Decentralized Finance (DeFi), however, is making its debut as an ecosystem claiming to offer transparency and control, which are partially attributable to the underlying integrity-protected blockchain, as well as currently higher financial asset yields than CeFi. Yet, the boundaries between CeFi and DeFi may not be always so clear cut. In this work, we systematically analyze the differences between CeFi and DeFi, covering legal, economic, security, privacy and market manipulation. We provide a structured methodology to differentiate between a CeFi and a DeFi service. Our findings show that certain DeFi assets (such as USDC or USDT stablecoins) do not necessarily classify as DeFi assets, and may endanger the economic security of intertwined DeFi protocols. We conclude this work with the exploration of possible synergies between CeFi and DeFi.
Zhou L, Qin K, Cully A, et al., 2021, On the Just-In-Time Discovery of Profit-Generating Transactions in DeFi Protocols, 2021 IEEE Symposium on Security and Privacy (SP), Publisher: IEEE
Qin K, Zhou L, Gervais A, 2021, Quantifying Blockchain Extractable Value: How dark is the forest?
Permissionless blockchains such as Bitcoin have excelled at financial services. Yet, opportunistic traders extract monetary value from the mesh of decentralized finance (DeFi) smart contracts through so-called blockchain extractable value (BEV). The recent emergence of centralized BEV relayer portrays BEV as a positive additional revenue source. Because BEV was quantitatively shown to deteriorate the blockchain's consensus security, BEV relayers endanger the ledger security by incentivizing rational miners to fork the chain. For example, a rational miner with a 10% hashrate will fork Ethereum if a BEV opportunity exceeds 4x the block reward. However, related work is currently missing quantitative insights on past BEV extraction to assess the practical risks of BEV objectively. In this work, we allow to quantify the BEV danger by deriving the USD extracted from sandwich attacks, liquidations, and decentralized exchange arbitrage. We estimate that over 32 months, BEV yielded 540.54M USD in profit, divided among 11,289 addresses when capturing 49,691 cryptocurrencies and 60,830 on-chain markets. The highest BEV instance we find amounts to 4.1M USD, 616.6x the Ethereum block reward. Moreover, while the practitioner's community has discussed the existence of generalized trading bots, we are, to our knowledge, the first to provide a concrete algorithm. Our algorithm can replace unconfirmed transactions without the need to understand the victim transactions' underlying logic, which we estimate to have yielded a profit of 57,037.32 ETH (35.37M USD) over 32 months of past blockchain data. Finally, we formalize and analyze emerging BEV relay systems, where miners accept BEV transactions from a centralized relay server instead of the peer-to-peer (P2P) network. We find that such relay systems aggravate the consensus layer attacks and therefore further endanger blockchain security.
Qin K, Zhou L, Livshits B, et al., 2021, Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit, FINANCIAL CRYPTOGRAPHY AND DATA SECURITY, FC 2021, PT I, Vol: 12674, Pages: 3-32, ISSN: 0302-9743
- Citations: 15
Zhou L, Qin K, Torres CF, et al., 2020, High-Frequency Trading on Decentralized On-Chain Exchanges, 42nd IEEE Symposium on Security and Privacy
This data is extracted from the Web of Science and reproduced under a licence from Thomson Reuters. You may not copy or re-distribute this data in whole or in part without the written consent of the Science business of Thomson Reuters.