Much of the recent excitement around decentralized finance (DeFi) comes from hopes that DeFi can be a secure, private, less centralized alternative to traditional finance systems. However, as recent attacks have demonstrated, people moving to DeFi sites in hopes of improving their security and privacy may end up with less of both. In this work, we improve the understanding of DeFi by conducting the first Web measurements of the security, privacy, and decentralization properties of popular DeFi front ends. We find that DeFi applications -- or dapps -- suffer from the same security and privacy risks that afflict other parts of the Web, but those risks are greatly exacerbated by the money involved in DeFi. Our results show that a single common tracker can observe user behavior on over 56% of the websites we analyzed, and that many trackers on DeFi sites can trivially link a user's Ethereum address with PII (e.g., user name or demographic information), or phish users by initiating fake Ethereum transactions. Lastly, we establish that, despite claims to the contrary, DeFi as a whole is considerably less decentralized than previously believed, because companies like Amazon and Cloudflare operate significant parts of its Web infrastructure.
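The address-linking and fake-transaction risks the abstract attributes to third-party scripts can be checked for on the dapp side. The following is an added example, not code from the paper or from any site it measures: a JavaScript guard around an EIP-1193 provider that refuses sensitive wallet calls whenever a script from an origin outside an assumed first-party allow-list is on the call stack. The origins, the mock wallet provider and the eval-based script loader are constructed so it runs offline under Node.

```javascript
// Added example (constructed for an offline Node run): guard an EIP-1193 provider
// (window.ethereum) so only first-party scripts can read the address or sign/send.
const FIRST_PARTY = new Set(['https://dapp.example']); // assumed dapp origin
// Wallet calls that reveal the Ethereum address or trigger a signature/transaction.
const SENSITIVE = new Set(['eth_requestAccounts', 'eth_accounts',
  'eth_sendTransaction', 'personal_sign', 'eth_signTypedData_v4']);
// Origins of every http(s) script on the current call stack (V8 stack format).
function callerOrigins() {
  const origins = new Set();
  for (const line of (new Error().stack || '').split('\n')) {
    const m = line.match(/(https?:\/\/[^/\s)]+)/);
    if (m) origins.add(m[1]);
  }
  return origins;
}
function guardProvider(provider, firstParty = FIRST_PARTY) {
  return new Proxy(provider, {
    get(target, prop, receiver) {
      if (prop !== 'request') return Reflect.get(target, prop, receiver);
      return async (args) => {
        if (SENSITIVE.has(args.method)) {
          // Conservative: any foreign origin anywhere on the stack blocks the call.
          const foreign = [...callerOrigins()].filter((o) => !firstParty.has(o));
          if (foreign.length) throw new Error(`blocked ${args.method} from ${foreign.join(', ')}`);
        }
        return target.request(args);
      };
    },
  });
}
// Simulation: indirect eval with a sourceURL directive makes V8 attribute the code
// to `url`, standing in for a <script src=url> tag embedded on the dapp page.
function loadScript(url, source) {
  return (0, eval)(`(${source})\n//# sourceURL=${url}`);
}
const mockProvider = { // constructed stand-in for a wallet; values are fake
  async request({ method }) {
    if (method === 'eth_requestAccounts') return ['0x' + '1'.repeat(40)];
    if (method === 'eth_sendTransaction') return '0x' + 'ab'.repeat(32);
    return null;
  },
};
const ethereum = guardProvider(mockProvider);
const dappScript = loadScript('https://dapp.example/app.js', 'p => p.request({ method: "eth_requestAccounts" })');
const trackerScript = loadScript('https://tracker.example/t.js', 'p => p.request({ method: "eth_sendTransaction", params: [{}] })');
async function demo() {
  const accounts = await dappScript(ethereum); // first-party script: allowed
  let blocked = null;
  try { await trackerScript(ethereum); } catch (e) { blocked = e.message; } // tracker: refused
  return { accounts, blocked };
}
```

Stack attribution is heuristic: frames without an http(s) URL are ignored and calls made from asynchronous callbacks lose their originating frames, so treat this as a detection aid for auditing a front end rather than a sandbox.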