The growth of the decentralized finance (DeFi) ecosystem built on blockchain technology and smart contracts has led to an increased demand for secure and reliable smart contract development. However, attacks targeting smart contracts are increasing, causing an estimated \$6.45 billion in financial losses. Researchers have proposed various automated security tools to detect vulnerabilities, but their real-world impact remains uncertain. In this paper, we aim to shed light on the effectiveness of automated security tools in identifying vulnerabilities that can lead to high-profile attacks, and on their overall usage within the industry. Our comprehensive study encompasses an evaluation of five SoTA automated security tools, an analysis of 127 high-impact real-world attacks resulting in \$2.3 billion in losses, and a survey of 49 developers and auditors working in leading DeFi protocols. Our findings reveal a stark reality: the tools could have prevented a mere 8% of the attacks in our dataset, amounting to \$149 million out of the \$2.3 billion in losses. Notably, all preventable attacks were related to reentrancy vulnerabilities. Furthermore, practitioners identify logic-related bugs and protocol-layer vulnerabilities as significant threats that are not adequately addressed by existing security tools. Our results emphasize the need to develop specialized tools catering to the distinct demands and expectations of developers and auditors. Further, our study highlights the necessity for continuous advancements in security tools to effectively tackle the ever-evolving challenges confronting the DeFi ecosystem.