The growth of the decentralized finance (DeFi) ecosystem built on blockchain technology and smart contracts has led to an increased demand for secure and reliable smart contract development. However, attacks targeting smart contracts are increasing, causing an estimated $6.45 billion in financial losses. Researchers have proposed various automated security tools to detect vulnerabilities, but their real-world impact remains uncertain. In this paper, we aim to shed light on the effectiveness of automated security tools in identifying vulnerabilities that can lead to high-profile attacks, and on their overall usage within the industry. Our comprehensive study encompasses an evaluation of five state-of-the-art (SoTA) automated security tools, an analysis of 127 high-impact real-world attacks resulting in $2.3 billion in losses, and a survey of 49 developers and auditors working in leading DeFi protocols. Our findings reveal a stark reality: the tools could have prevented a mere 8% of the attacks in our dataset, amounting to $149 million out of the $2.3 billion in losses. Notably, all preventable attacks were related to reentrancy vulnerabilities. Furthermore, practitioners single out logic-related bugs and protocol-layer vulnerabilities as significant threats that are not adequately addressed by existing security tools. Our results emphasize the need to develop specialized tools catering to the distinct demands and expectations of developers and auditors. Further, our study highlights the necessity for continuous advancements in security tools to effectively tackle the ever-evolving challenges confronting the DeFi ecosystem.