Decentralized Finance (DeFi) is a prominent application of smart contracts, representing a novel financial paradigm in contrast to centralized finance. While DeFi applications are rapidly emerging on mainstream blockchain platforms, their quality varies greatly, presenting numerous challenges, particularly in their governance mechanisms. In this paper, we present a comprehensive study of governance issues in DeFi applications. Drawing on industry reports and academic research articles, we develop a taxonomy to categorize these governance issues. We collect and build a dataset of 4,446 audit reports from 17 Web3 security companies and categorize the governance issues they describe according to our taxonomy. Through a thorough analysis of these issues, we identify vulnerabilities in both governance design and governance implementation, e.g., voting Sybil attacks and proposal front-running. Our findings highlight a significant observation: the disparity between smart contract code and DeFi whitepapers plays a central role in these governance issues. As an initial step toward addressing the challenge of code-whitepaper consistency checking for DeFi applications, we built a machine-learning-based prototype and validated its performance on eight widely used DeFi projects, achieving a 56.14% F1 score and an 80% recall. Our study concludes with several key practical implications for DeFi stakeholders, including developers, users, researchers, and regulators, aiming to deepen the understanding of DeFi governance issues and contribute to the robust growth of DeFi systems.