Imperial College London


Faculty of EngineeringDepartment of Computing

Research Postgraduate



liyi.zhou Website




Huxley BuildingSouth Kensington Campus





Publication Type

8 results found

Qin K, Zhou L, Gamito P, Jovanovic P, Gervais Aet al., 2021, An empirical study of DeFi liquidations, Proceedings of the 21st ACM Internet Measurement Conference

Journal article

Zhou L, Qin K, Cully A, Livshits B, Gervais Aet al., 2021, On the Just-In-Time Discovery of Profit-Generating Transactions in DeFi Protocols, 2021 IEEE Symposium on Security and Privacy (SP), Publisher: IEEE

Conference paper

Qin K, Zhou L, Livshits B, Gervais Aet al., 2021, Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit, FINANCIAL CRYPTOGRAPHY AND DATA SECURITY, FC 2021, PT I, Vol: 12674, Pages: 3-32, ISSN: 0302-9743

Journal article

Zhou L, Qin K, Torres CF, Le DV, Gervais Aet al., 2020, High-Frequency Trading on Decentralized On-Chain Exchanges, 42nd IEEE Symposium on Security and Privacy

Conference paper

Wu C, Zhou L, Xie C, Zheng Y, Yu Jet al., 2019, Data Quality Transaction on Different Distributed Ledger Technologies, International Conference on Big Scientific Data Management

Conference paper

Qin K, Zhou L, Afonin Y, Lazzaretti L, Gervais Aet al., CeFi vs. DeFi -- Comparing Centralized to Decentralized Finance

To non-experts, the traditional Centralized Finance (CeFi) ecosystem may seemobscure, because users are typically not aware of the underlying rules oragreements of financial assets and products. Decentralized Finance (DeFi),however, is making its debut as an ecosystem claiming to offer transparency andcontrol, which are partially attributable to the underlying integrity-protectedblockchain, as well as currently higher financial asset yields than CeFi. Yet,the boundaries between CeFi and DeFi may not be always so clear cut. In this work, we systematically analyze the differences between CeFi andDeFi, covering legal, economic, security, privacy and market manipulation. Weprovide a structured methodology to differentiate between a CeFi and a DeFiservice. Our findings show that certain DeFi assets (such as USDC or USDTstablecoins) do not necessarily classify as DeFi assets, and may endanger theeconomic security of intertwined DeFi protocols. We conclude this work with theexploration of possible synergies between CeFi and DeFi.

Journal article

Wang Z, Chaliasos S, Qin K, Zhou L, Gao L, Berrang P, Livshits B, Gervais Aet al., On How Zero-Knowledge Proof Blockchain Mixers Improve, and Worsen User Privacy

One of the most prominent and widely-used blockchain privacy solutions arezero-knowledge proof (ZKP) mixers operating on top of smart contract-enabledblockchains. ZKP mixers typically advertise their level of privacy through aso-called anonymity set size, similar to k-anonymity, where a user hides amonga set of $k$ other users. In reality, however, these anonymity set claims are mostly inaccurate, as wefind through empirical measurements of the currently most active ZKP mixers. Wepropose five heuristics that, in combination, can increase the probability thatan adversary links a withdrawer to the correct depositor on average by 51.94%(108.63%) on the most popular Ethereum (ETH) and Binance Smart Chain (BSC)mixer, respectively. Our empirical evidence is hence also the first to suggesta differing privacy-predilection of users on ETH and BSC. We further identify105 Decentralized Finance (DeFi) attackers leveraging ZKP mixers as the initialfunds and to deposit attack revenue (e.g., from phishing scams, hackingcentralized exchanges, and blockchain project attacks). State-of-the-art mixers are moreover tightly intertwined with the growingDeFi ecosystem by offering ``anonymity mining'' (AM) incentives, i.e., mixerusers receive monetary rewards for mixing coins. However, contrary to theclaims of related work, we find that AM does not always contribute to improvingthe quality of an anonymity set size of a mixer, because AM tends to attractprivacy-ignorant users naively reusing addresses.

Journal article

Qin K, Zhou L, Gervais A, Quantifying Blockchain Extractable Value: How dark is the forest?

Permissionless blockchains such as Bitcoin have excelled at financialservices. Yet, opportunistic traders extract monetary value from the mesh ofdecentralized finance (DeFi) smart contracts through so-called blockchainextractable value (BEV). The recent emergence of centralized BEV relayerportrays BEV as a positive additional revenue source. Because BEV wasquantitatively shown to deteriorate the blockchain's consensus security, BEVrelayers endanger the ledger security by incentivizing rational miners to forkthe chain. For example, a rational miner with a 10% hashrate will fork Ethereumif a BEV opportunity exceeds 4x the block reward. However, related work is currently missing quantitative insights on past BEVextraction to assess the practical risks of BEV objectively. In this work, weallow to quantify the BEV danger by deriving the USD extracted from sandwichattacks, liquidations, and decentralized exchange arbitrage. We estimate thatover 32 months, BEV yielded 540.54M USD in profit, divided among 11,289addresses when capturing 49,691 cryptocurrencies and 60,830 on-chain markets.The highest BEV instance we find amounts to 4.1M USD, 616.6x the Ethereum blockreward. Moreover, while the practitioner's community has discussed the existence ofgeneralized trading bots, we are, to our knowledge, the first to provide aconcrete algorithm. Our algorithm can replace unconfirmed transactions withoutthe need to understand the victim transactions' underlying logic, which weestimate to have yielded a profit of 57,037.32 ETH (35.37M USD) over 32 monthsof past blockchain data. Finally, we formalize and analyze emerging BEV relay systems, where minersaccept BEV transactions from a centralized relay server instead of thepeer-to-peer (P2P) network. We find that such relay systems aggravate theconsensus layer attacks and therefore further endanger blockchain security.

Journal article

This data is extracted from the Web of Science and reproduced under a licence from Thomson Reuters. You may not copy or re-distribute this data in whole or in part without the written consent of the Science business of Thomson Reuters.

Request URL: Request URI: /respub/WEB-INF/jsp/search-html.jsp Query String: respub-action=search.html&id=00640400&limit=30&person=true