Within just four years, the blockchain-based Decentralized Finance (DeFi) ecosystem has accumulated a peak total value locked (TVL) of more than 253 billion USD. This surge in DeFi's popularity has, unfortunately, been accompanied by many impactful incidents. According to our data, users, liquidity providers, speculators, and protocol operators suffered a total loss of at least 3.24 billion USD from Apr 30, 2018 to Apr 30, 2022. Given the blockchain's transparency and increasing incident frequency, two questions arise: How can we systematically measure, evaluate, and compare DeFi incidents? How can we learn from past attacks to strengthen DeFi security? In this paper, we introduce a common reference frame to systematically evaluate and compare DeFi incidents, including both attacks and accidents. We investigate 77 academic papers, 30 audit reports, and 181 real-world incidents. Our data reveals several gaps between academia and the practitioners' community. For example, few academic papers address "price oracle attacks" and "permissonless interactions", while our data suggests that they are the two most frequent incident types (15% and 10.5% correspondingly). We also investigate potential defenses, and find that: (i) 103 (56%) of the attacks are not executed atomically, granting a rescue time frame for defenders; (ii) SoTA bytecode similarity analysis can at least detect 31 vulnerable/23 adversarial contracts; and (iii) 33 (15.3%) of the adversaries leak potentially identifiable information by interacting with centralized exchanges.

翻译：摘要：在短短四年内，基于区块链的去中心化金融（DeFi）生态系统累计峰值锁仓总价值（TVL）已超过2530亿美元。不幸的是，DeFi的流行浪潮伴随着大量具有重大影响的事件。根据我们的数据，从2018年4月30日至2022年4月30日，用户、流动性提供者、投机者及协议运营商遭受的总损失至少达32.4亿美元。鉴于区块链的透明性与事件频发的态势，我们面临两个问题：如何系统性地衡量、评估和比较DeFi事件？如何从既往攻击中汲取教训以强化DeFi安全？本文引入了一个通用参考框架，用于系统性评估和比较DeFi事件（包括攻击与事故）。我们研究了77篇学术论文、30份审计报告及181个真实世界事件。数据显示学术界与实务界之间存在若干认知差距。例如，尽管"预言机价格攻击"和"无许可交互"被我们的数据证实为两类最频繁的事件类型（分别占15%和10.5%），但鲜有学术论文对此予以关注。我们还探讨了潜在防御措施，发现：(i) 103起攻击（56%）未实现原子化执行，为防御者留出了救援时间窗口；(ii) 现有最优（SoTA）字节码相似性分析至少可检测31个脆弱合约/23个恶意合约；(iii) 33名攻击者（15.3%）通过与中心化交易所交互泄露了潜在可识别信息。