Much of the recent excitement around decentralized finance (DeFi) comes from hopes that DeFi can be a secure, private, less centralized alternative to traditional finance systems. However, people moving to DeFi sites in hopes of improving their security and privacy may end up with less of both, as recent attacks have demonstrated. In this work, we improve the understanding of DeFi by conducting the first Web measurements of the security, privacy, and decentralization properties of popular DeFi front ends. We find that DeFi applications -- or dapps -- suffer from the same security and privacy risks that frequent other parts of the Web, but those risks are greatly exacerbated considering the money that is involved in DeFi. Our results show that a common tracker can observe user behavior on over 56% of the websites we analyzed, and many trackers on DeFi sites can trivially link a user's Ethereum address with PII (e.g., user name or demographic information), or phish users by initiating fake Ethereum transactions. Lastly, we establish that, despite claims to the contrary, because companies like Amazon and Cloudflare operate significant Web infrastructure, DeFi as a whole is considerably less decentralized than previously believed.
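The abstract notes that third-party scripts on a DeFi front end share the page's wallet provider and can read the user's Ethereum address or pop a fake transaction prompt. The following is an added example, not code from the paper or from any project it measured: a first-party "provider guard" that a dapp installs before third-party scripts load, keeping the real `request()` private to the dapp's own module while the shared `window.ethereum.request` rejects and logs sensitive methods. The `SENSITIVE_METHODS` list, `installProviderGuard`, and the fake provider are constructed for this example.

```javascript
// Added example (not from the paper). A first-party provider guard for a dapp front end.
// Every script on the page shares window.ethereum, so a tracker can read the wallet
// address (eth_accounts / eth_requestAccounts) or open a fake transaction prompt
// (eth_sendTransaction). The guard keeps the real request() private to the dapp's own
// module and makes the shared one reject sensitive methods, logging each attempt.
// Assumption: the guard runs before any third-party script; a script that runs earlier,
// or that the wallet has already exposed accounts to, is out of scope for this guard.
const SENSITIVE_METHODS = new Set([
  'eth_requestAccounts', 'eth_accounts', 'eth_sendTransaction',
  'personal_sign', 'eth_signTypedData_v4', 'wallet_requestPermissions',
]);

function isSensitive(method) {
  return SENSITIVE_METHODS.has(method);
}

function installProviderGuard(provider) {
  const realRequest = provider.request.bind(provider);
  const blocked = []; // audit log: { method, when } for every rejected call

  // Public path: what every script on the page sees as window.ethereum.request.
  provider.request = (args) => {
    const method = args && args.method;
    if (isSensitive(method)) {
      blocked.push({ method, when: Date.now() });
      return Promise.reject(new Error(`provider guard: ${method} is only available to first-party code`));
    }
    return realRequest(args);
  };

  // Private path: returned to the dapp's own module and never attached to window.
  // The dapp calls it from its own "Connect wallet" / "Swap" click handlers.
  const trustedRequest = (args) => realRequest(args);

  return { trustedRequest, blocked };
}

// Constructed stand-in for an injected wallet provider, so the example runs offline.
function makeFakeProvider() {
  return {
    request: async ({ method }) => {
      if (method === 'eth_accounts' || method === 'eth_requestAccounts') {
        return ['0x0000000000000000000000000000000000001234']; // constructed address
      }
      if (method === 'eth_chainId') return '0x1';
      return 'ok';
    },
  };
}
```

The `blocked` log doubles as telemetry: a dapp that ships this can report which third-party scripts attempt wallet calls and reconsider including them.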