Funding: supported by the Key-Area Research and Development Program of Guangdong Province (2020B0101090003) and the CCF-NSFOCUS Kunpeng Scientific Research Fund (CCFNSFOCUS 2021010), plus 4 further grants: the Innovation Fund Program of the Engineering Research Center for Integration and Application of Digital Learning Technology of Ministry of Education under Grant No. 1221027; the National Natural Science Foundation of China (Grant Nos. 61902083, 62172115, 61976064); Guangdong Higher Education Innovation Group 2020KCXTD007 and Guangzhou Higher Education Innovation Group (No. 202032854); Guangzhou Fundamental Research Plan of "Municipal-School" Jointly Funded Projects (No. 202102010445); and Guangdong Province Science and Technology Planning Project (No. 2020A1414010370).
Abstract: Decentralized finance (DeFi) is a general term for a series of financial products and services. It is based on blockchain technology and has attracted people's attention because it is open, transparent, and intermediary-free. Among them, the DeFi ecosystem based on Ethereum-based blockchains attracts the most attention. However, the current decentralized financial system built on the Ethereum architecture has been exposed to many smart contract vulnerabilities during the last few years. Herein, we believe it is time to improve the understanding of the prevailing Ethereum-based DeFi ecosystem security issues. To that end, we investigate the Ethereum-based DeFi security issues: 1) inherited from the real-world financial system, which can be solved by macro-control; 2) induced by the problems of blockchain architecture, which require a better blockchain platform; 3) caused by DeFi-invented applications, which should be focused on during project development. Based on that, we further discuss the current solutions and potential directions of DeFi security. According to our research, we could provide a comprehensive vision to the research community for the improvement of Ethereum-based DeFi ecosystem security.
Funding: supported by a grant from the National Key R&D Program of China.
Abstract: In recent years, the research field of data collection under local differential privacy (LDP) has expanded its focus from elementary data types to include more complex structural data, such as set-value and graph data. However, our comprehensive review of existing literature reveals that there need to be more studies that engage with key-value data collection. Such studies would simultaneously collect the frequencies of keys and the mean of the values associated with each key. Additionally, the allocation of the privacy budget between the frequencies of keys and the means of values for each key does not yield an optimal utility tradeoff. Recognizing the importance of obtaining accurate key frequencies and mean estimations for key-value data collection, this paper presents a novel framework: the Key-Strategy Framework for Key-Value Data Collection under LDP. Initially, the Key-Strategy Unary Encoding (KS-UE) strategy is proposed within non-interactive frameworks for the purpose of privacy budget allocation to achieve precise key frequencies; subsequently, the Key-Strategy Generalized Randomized Response (KS-GRR) strategy is introduced for interactive frameworks to enhance the efficiency of collecting frequent keys through group-and-iteration methods. Both strategies are adapted for scenarios in which users possess either a single or multiple key-value pairs. Theoretically, we demonstrate that the variance of KS-UE is lower than that of existing methods. These claims are substantiated through extensive experimental evaluation on real-world datasets, confirming the effectiveness and efficiency of the KS-UE and KS-GRR strategies.
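The two perturbation primitives the abstract builds on (unary encoding and generalized randomized response) and the split of one privacy budget between the key report and the value report, as an added example that is not the paper's code: it implements the standard GRR and symmetric UE frequency estimators, a binary randomized-response estimator for value means on [-1, 1], and the aggregator-side correction needed because a value sign filed under key k may come from a user whose true key was perturbed into k. The paper's own KS-UE and KS-GRR allocation strategies are not reproduced; the 4-key population, its shares and means, and the 2:1 split of epsilon are constructed assumptions.

```python
"""Local differential privacy (LDP) primitives for key-value collection.

Added example, not code from the paper: standard GRR and unary-encoding
frequency estimators, binary randomized response for value means, and a
single epsilon split between the key report and the value report. Domain,
shares, means and the split ratio below are constructed assumptions.
"""
import math
import random
from collections import Counter


def grr_params(eps, k):
    """GRR over k items: keep the true item w.p. p, send each other item w.p. q."""
    denom = math.exp(eps) + k - 1
    return math.exp(eps) / denom, 1.0 / denom


def grr_perturb(item, domain, eps, rng):
    p, _ = grr_params(eps, len(domain))
    if rng.random() < p:
        return item
    return rng.choice([d for d in domain if d != item])


def grr_frequencies(reports, domain, eps):
    """Unbiased count of item v: (reports of v - n*q) / (p - q)."""
    n, (p, q) = len(reports), grr_params(eps, len(domain))
    c = Counter(reports)
    return {v: (c[v] - n * q) / (p - q) for v in domain}


def ue_params(eps):
    """Symmetric unary encoding: a 1 bit stays 1 w.p. p, a 0 bit becomes 1 w.p. q."""
    denom = math.exp(eps / 2) + 1
    return math.exp(eps / 2) / denom, 1.0 / denom


def ue_perturb(item, domain, eps, rng):
    """One-hot encode the item, then randomise every bit independently."""
    p, q = ue_params(eps)
    return [1 if rng.random() < (p if d == item else q) else 0 for d in domain]


def ue_frequencies(bit_vectors, domain, eps):
    """Same correction as GRR, applied column by column."""
    n, (p, q) = len(bit_vectors), ue_params(eps)
    cols = [sum(bv[i] for bv in bit_vectors) for i in range(len(domain))]
    return {d: (cols[i] - n * q) / (p - q) for i, d in enumerate(domain)}


def value_perturb(value, eps, rng):
    """Map v in [-1, 1] to a +/-1 sign with E[sign] = v, then binary RR on the sign."""
    sign = 1 if rng.random() < (1 + value) / 2 else -1
    p = math.exp(eps) / (math.exp(eps) + 1)
    return sign if rng.random() < p else -sign


def kv_collect(users, domain, eps_key, eps_val, rng):
    """Each user sends (GRR-perturbed key, RR-perturbed value sign)."""
    return [(grr_perturb(k, domain, eps_key, rng), value_perturb(v, eps_val, rng))
            for k, v in users]


def kv_estimate(reports, domain, eps_key, eps_val):
    """Key frequencies and per-key value means from the noisy pairs.

    Signs filed under key k come from true-k users w.p. p and from users of
    every other key w.p. q, so the sign sums S satisfy S = ((p-q)I + qJ) t
    (up to the RR factor 2*pv-1), where t_k = n_k * mean_k.  Because
    p + (k-1)q = 1 the inverse is (I - qJ)/(p-q): the same shape as the
    frequency correction.
    """
    n = len(reports)
    p, q = grr_params(eps_key, len(domain))
    pv = math.exp(eps_val) / (math.exp(eps_val) + 1)
    count, ysum = Counter(), Counter()
    for k, y in reports:
        count[k] += 1
        ysum[k] += y
    total = sum(ysum.values())
    freqs, means = {}, {}
    for k in domain:
        n_hat = (count[k] - n * q) / (p - q)
        t_hat = (ysum[k] - q * total) / ((p - q) * (2 * pv - 1))
        freqs[k] = n_hat / n
        means[k] = t_hat / n_hat if n_hat > 0 else 0.0
    return freqs, means


def simulate(n=100000, eps=3.0, key_share=2 / 3, seed=7):
    """Constructed population of n users, 4 keys, values in [-1, 1]."""
    rng = random.Random(seed)
    shares = {"k1": 0.4, "k2": 0.3, "k3": 0.2, "k4": 0.1}
    centres = {"k1": 0.6, "k2": -0.2, "k3": 0.3, "k4": -0.5}
    domain = sorted(shares)
    users = []
    for _ in range(n):
        k = rng.choices(domain, weights=[shares[d] for d in domain])[0]
        users.append((k, centres[k] + rng.uniform(-0.4, 0.4)))
    eps_key = eps * key_share  # sequential composition: eps_key + eps_val = eps
    eps_val = eps - eps_key
    est_f, est_m = kv_estimate(kv_collect(users, domain, eps_key, eps_val, rng),
                               domain, eps_key, eps_val)
    true_f = {k: sum(1 for kk, _ in users if kk == k) / n for k in domain}
    true_m = {k: sum(v for kk, v in users if kk == k) / (true_f[k] * n) for k in domain}
    return true_f, est_f, true_m, est_m


if __name__ == "__main__":
    tf, ef, tm, em = simulate()
    for k in sorted(tf):
        print(f"{k}: freq {tf[k]:.3f} -> {ef[k]:.3f}   mean {tm[k]:+.3f} -> {em[k]:+.3f}")
```

Moving `key_share` toward 1 tightens the frequency estimates and loosens the means, which is the allocation trade-off the abstract says existing work does not optimise; rare keys suffer first because their sign sums are dominated by users perturbed in from other keys.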
Funding: supported by National 863 Project SS2015AA011709
Abstract: WoT (Web of Things) integrates smart devices into the Web by reusing and extending Web standards. While Web technology makes the developers' job easier, it faces security, management and efficiency challenges. We propose WoT/SDN, the architecture of resource-oriented WoT built on SDN (Software Defined Network), in which applications could be developed through resource subscription and Mashup with the programmability provided by SDN. The key components are designed, including the Security and Management Controller (SMC), various atomic services and resource subscription syntax. Three applications covering device management, data access and security protection are demonstrated. Compared to traditional resource-oriented WoT systems, our test results show that SDN, with its logically centralized control capability and awareness of flow forwarding, provides new opportunity to improve performance, simplify management and enhance security for WoT.
Funding: This work was supported in part by the Guangdong Province Key Research and Development Plan (Grant No. 2019B010137004) and the National Key Research and Development Plan (Grant No. 2018YFB0803504).
Abstract: BGP monitors are currently the main data resource of AS-level topology measurement, and the integrity of the measurement result is limited by the location of such BGP monitors. However, there is currently no work that conducts a comprehensive study of the range of measurement results for a single BGP monitor. In this paper, we take the first step to describe the observed topology of each BGP monitor. To that end, we first investigate the construction and theoretical upper limit of the measured topology of a BGP monitor based on the valley-free model, then we evaluate the individual parts of the measured topology by comparing such theoretical results with the actually observed data. We find that: 1) for more than 90% of the monitors, the actually observed peer-peer links merely take a small part of all theoretically visible links; 2) increasing the BGP monitors in the same AS may improve the measurement result, but with limited improvement; and 3) deploying multiple BGP monitors in different ASs can significantly improve the measurement results, but non-local BGP monitors can hardly replace the local AS BGP monitors. We also propose a metric for monitor selection optimization, and prove its effectiveness with experimental evaluation.
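The valley-free bound behind the "theoretical upper limit" of one monitor's observed topology, as an added example in Python that is not the paper's code or data: a route heard at the monitor AS climbs customer-to-provider links, crosses at most one peer-to-peer link, then descends provider-to-customer links, so the theoretically visible topology is the union of links lying on such paths. The 12-link AS graph, the monitor placements in ASes "M" and "W", the "observed" link set and all helper names are constructed for illustration.

```python
"""Valley-free upper bound of the AS topology one BGP monitor can observe.

Added example, not the paper's code or data.  A route heard by the monitor
AS runs uphill over customer-to-provider links, crosses at most one
peer-to-peer link, then runs downhill over provider-to-customer links.
Every link on some such path is 'theoretically visible' to that monitor.
The AS graph below is constructed.
"""
from collections import defaultdict

# Constructed AS graph: (customer, provider) edges and unordered peer pairs.
C2P = [("M", "P1"), ("P1", "P2"), ("C1", "P1"), ("C2", "X"), ("Z", "Y"),
       ("C3", "C1"), ("C1", "Q"), ("Q", "P2")]
P2P = [("P1", "X"), ("P2", "Y"), ("C1", "W"), ("X", "Y")]


def build_index(c2p, p2p):
    providers, customers, peers = defaultdict(set), defaultdict(set), defaultdict(set)
    for cust, prov in c2p:
        providers[cust].add(prov)
        customers[prov].add(cust)
    for a, b in p2p:
        peers[a].add(b)
        peers[b].add(a)
    return providers, customers, peers


def visible_links(monitor, c2p, p2p):
    """Links on at least one valley-free path that starts at the monitor.

    Canonical form: ('c2p', customer, provider) or ('p2p', a, b) with a < b,
    so a link seen uphill and again downhill is counted once.
    """
    providers, customers, peers = build_index(c2p, p2p)
    links = set()

    # 1. uphill closure: the monitor and the transitive set of its providers
    up, stack = {monitor}, [monitor]
    while stack:
        a = stack.pop()
        for prov in providers[a]:
            links.add(("c2p", a, prov))
            if prov not in up:
                up.add(prov)
                stack.append(prov)

    # 2. at most one peer link, and only from an uphill node
    tops = set(up)
    for a in up:
        for b in peers[a]:
            links.add(("p2p", min(a, b), max(a, b)))
            tops.add(b)

    # 3. downhill closure from every node reached so far
    down, stack = set(tops), list(tops)
    while stack:
        a = stack.pop()
        for cust in customers[a]:
            links.add(("c2p", cust, a))
            if cust not in down:
                down.add(cust)
                stack.append(cust)
    return links


def all_links(c2p, p2p):
    return ({("c2p", c, p) for c, p in c2p}
            | {("p2p", min(a, b), max(a, b)) for a, b in p2p})


def coverage(observed, theoretical, kind):
    """Share of the theoretically visible links of one kind that were actually seen."""
    target = {l for l in theoretical if l[0] == kind}
    return len(observed & target) / len(target) if target else 0.0


def union_visible(monitors, c2p, p2p):
    """What several monitors see together."""
    out = set()
    for m in monitors:
        out |= visible_links(m, c2p, p2p)
    return out


if __name__ == "__main__":
    seen = visible_links("M", C2P, P2P)
    print(f"monitor M sees {len(seen)} of {len(all_links(C2P, P2P))} links")
    for link in sorted(all_links(C2P, P2P) - seen):
        print("  hidden from M:", link)
    # constructed observation: M's collector exported only the P1-X peer link
    observed = {l for l in seen if l[0] == "c2p"} | {("p2p", "P1", "X")}
    print("p2p coverage:", coverage(observed, seen, "p2p"))
    print("links with a second monitor in W:", len(union_visible(["M", "W"], C2P, P2P)))
```

On the toy graph the peer links C1-W and X-Y are hidden from M because reaching them would require a second peer hop or a peer hop after descending, while a monitor in W sees C1-W but little else; comparing `observed` against `visible_links` is the check behind finding 1, and `union_visible` is the check behind findings 2 and 3.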
Funding: the National Key Research and Development Program of China under Grant No. 2016QY07X1404 and the National Natural Science Foundation of China (NSFC) under Grant Nos. 61602035 and 61772078, plus 1 further grant: Beijing Science and Technology Project under Grant No. Z191100007119010, the CCF-NSFOCUS Kun-Peng Scientific Research Foundation, and the Open Fund of the Key Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences.
Abstract: Fuzzing is an effective technique to find security bugs in programs by quickly exploring the input space of programs. To further discover vulnerabilities hidden in deep execution paths, hybrid fuzzing combines fuzzing and concolic execution for going through complex branch conditions. In general, we observe that an execution path which passes through more, and more complex, basic blocks may have a higher chance of containing a security bug. Based on this observation, we propose a hybrid fuzzing method assisted by static analysis for binary programs. The basic idea of our method is to prioritize seed inputs according to the complexity of their associated execution paths. For this purpose, we utilize static analysis to evaluate the complexity of each basic block and employ the hardware trace mechanism to dynamically extract the execution path for calculating the seed inputs' weights. The key advantage of our method is that our system can test binary programs efficiently by using the hardware trace and hybrid fuzzing. To evaluate the effectiveness of our method, we design and implement a prototype system, namely SHFuzz. The evaluation results show SHFuzz discovers more unique crashes on several real-world applications and the LAVA-M dataset when compared to the previous solutions.
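Seed weighting by path complexity as the abstract describes it, as an added example that is not SHFuzz's code: the static table of basic blocks, the one-line-per-block trace format, the per-block scoring weights (1 per instruction, 4 per conditional branch, 2 per call) and the three seed traces are constructed assumptions chosen for illustration; the paper's own complexity formula and trace decoder are not reproduced. Each block counts once per path, so a loop spinning in one cheap block does not outrank a path through many complex blocks.

```python
"""Seed prioritisation by path complexity for a hybrid fuzzer.

Added example, not SHFuzz code.  Two inputs are assumed: a static table of
basic blocks (start address -> mnemonics, as a disassembler would emit) and,
per seed, the block addresses a hardware trace decoder reported for that
seed's execution.  The scoring weights are this example's own choice.
"""
import heapq

COND_JUMPS = {"je", "jne", "jl", "jle", "jg", "jge", "ja", "jb", "jz", "jnz"}

# Constructed static-analysis output: block start address -> mnemonics in the block.
BLOCKS = {
    0x401000: ["push", "mov", "sub", "call"],
    0x401020: ["mov", "cmp", "jne"],
    0x401030: ["movzx", "cmp", "je"],
    0x401040: ["lea", "call", "test", "jz"],
    0x401060: ["xor", "ret"],
    0x401070: ["imul", "add", "cmp", "jle", "call", "cmp", "jne"],
}


def block_complexity(mnemonics):
    """Instructions count 1, conditional branches 4 more, calls 2 more (example weights)."""
    score = 0
    for m in mnemonics:
        score += 1
        if m in COND_JUMPS:
            score += 4
        elif m == "call":
            score += 2
    return score


def parse_trace(text):
    """Constructed decoder output: one 'block 0x...' line per executed basic block."""
    addrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "block":
            addrs.append(int(parts[1], 16))
    return addrs


def path_weight(trace, blocks=BLOCKS):
    """Sum of complexity over the distinct blocks on the path; addresses missing
    from the static table (e.g. library code) count as 1."""
    return sum(block_complexity(blocks[a]) if a in blocks else 1 for a in set(trace))


class SeedQueue:
    """Max-heap of seeds keyed by path weight; ties broken by arrival order."""

    def __init__(self):
        self._heap = []
        self._n = 0

    def push(self, seed_id, trace):
        w = path_weight(trace)
        heapq.heappush(self._heap, (-w, self._n, seed_id, w))
        self._n += 1

    def pop(self):
        _, _, seed_id, w = heapq.heappop(self._heap)
        return seed_id, w

    def __len__(self):
        return len(self._heap)


# Constructed traces: seed_b reaches the deep blocks, seed_c only loops in a cheap one.
TRACES = {
    "seed_a": "block 0x401000\nblock 0x401020\nblock 0x401060\n",
    "seed_b": ("block 0x401000\nblock 0x401020\nblock 0x401030\n"
               "block 0x401040\nblock 0x401070\nblock 0x401060\n"),
    "seed_c": "block 0x401000\n" + "block 0x401020\n" * 50 + "block 0x401060\n",
}


def schedule(traces=TRACES):
    """Order seeds for mutation / concolic exploration, heaviest path first."""
    q = SeedQueue()
    for sid, text in traces.items():
        q.push(sid, parse_trace(text))
    return [q.pop() for _ in range(len(q))]


if __name__ == "__main__":
    for sid, w in schedule():
        print(f"{sid}: weight {w}")
```

In a real setup the trace lines come from a hardware trace decoder run on the seed, and `BLOCKS` from a one-time static pass over the binary, so the scheduler never needs source or instrumentation.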
Funding: supported by the CCF-NSFOCUS Kun-Peng Scientific Research Fund (No. CCF-NSFOCUS2021008) and the Provincial Key Research and Development Program of Hubei (No. 2020BAB105), plus 3 further grants: the National Natural Science Foundation of China (Grant No. 61972366), the Knowledge Innovation Program of Wuhan-Basic Research (No. 2022010801010197), the Foundation of Hubei Key Laboratory of Intelligent Geo-Information Processing (No. KLIGIP-2021B06) and the Opening Project of Nanchang Innovation Institute, Peking University (No. NCII2022A02). The work of K.-K. R. Choo was supported only by the Cloud Technology Endowed Professorship.
Abstract (excerpt from 1 Introduction): A Bitcoin ledger comprises a sizable number of transaction records, which can be utilized to make it easier to track and analyze the traits and patterns of cryptocurrency-related transactions. To facilitate the visual analysis of Bitcoin, numerous tools with various aims have been developed. For example, MiningVis [1] and SuPoolVisor [2] are analytics systems for Bitcoin mining pools, and [3-5] focus on Bitcoin transaction graph analysis. However, given our previous research requirements for Bitcoin transaction graphs, none of the available tools support exploring the connection features related to an address and observing significant visual patterns. Specifically, with these tools it is challenging to navigate effortlessly to abnormal node clusters from large node groups and then analyze the local interlink characteristics between transaction nodes with interactive analytics.