On the Just-In-Time Discovery of Profit-Generating Transactions in DeFi Protocols
论及时发现 DeFi 协议中的创利交易

Liyi Zhou, Kaihua Qin, Antoine Cully, Benjamin Livshits and Arthur Gervais
周丽怡、秦凯华、安托万-库利、本杰明-利夫希茨和阿瑟-热尔韦Imperial College London, United Kingdom
英国伦敦帝国学院

Abstract 摘要

Decentralized Finance (DeFi) is a blockchain-assetenabled finance ecosystem with millions of daily USD transaction volume, billions of locked up USD, as well as a plethora of newly emerging protocols (for lending, staking, and exchanges). Because all transactions, user balances, and total value locked in DeFi are publicly readable, a natural question that arises is: how can we automatically craft profitable transactions across the intertwined DeFi platforms?
去中心化金融（DeFi）是一个支持区块链资产的金融生态系统，每天有数百万美元的交易量、数十亿美元的锁定值以及大量新兴协议（用于借贷、抵押和交换）。由于锁定在 DeFi 中的所有交易、用户余额和总价值都是公开可读的，因此自然而然会产生一个问题：我们如何才能在相互交织的 DeFi 平台上自动创建有利可图的交易？

In this paper, we investigate two methods that allow us to automatically create profitable DeFi trades, one well-suited to arbitrage and the other applicable to more complicated settings. We first adopt the Bellman-Ford-Moore algorithm with DEFIPOSERARB and then create logical DeFi protocol models for a theorem prover in DEFIPoser-SMT. While DEFIPOSER-ARB focuses on DeFi transactions that form a cycle and performs very well for arbitrage, DEFIPOSER-SMT can detect more complicated profitable transactions. We estimate that DEFIPOSER-ARB and DEFIPOSER-SMT can generate an average weekly revenue of $191.48 E T H (76, 592 U S D)$ and $72.44 E T H (28, 976 U S D)$ respectively, with the highest transaction revenue being 81.31 ETH ( 32,524 USD) and 22.40 ETH ( 8,960 USD) respectively. We further show that DEFIPOSER-SMT finds the known economic bZx attack from February 2020, which yields 0.48 M USD. Our forensic investigations show that this opportunity existed for 69 days and could have yielded more revenue if exploited one day earlier. Our evaluation spans 150 days, given 96 DeFi protocol actions, and 25 assets.
在本文中，我们研究了两种可以自动创建有利可图的 DeFi 交易的方法，一种非常适合套利，另一种适用于更复杂的环境。我们首先使用 DEFIPOSERARB 采用 Bellman-Ford-Moore 算法，然后在 DEFIPoser-SMT 中为定理证明器创建逻辑 DeFi 协议模型。DEFIPOSER-ARB 专注于形成循环的 DeFi 交易，在套利方面表现出色，而 DEFIPOSER-SMT 则能检测到更复杂的盈利交易。我们估计，DEFIPOSER-ARB 和 DEFIPOSER-SMT 可产生的平均周收益分别为 $191.48 E T H (76, 592 U S D)$ 和 $72.44 E T H (28, 976 U S D)$ ，最高交易收益分别为 81.31 ETH（32524 美元）和 22.40 ETH（8960 美元）。我们进一步表明，DEFIPOSER-SMT 发现了 2020 年 2 月的已知经济 bZx 攻击，其收益为 0.48 百万美元。我们的取证调查显示，这一机会存在了 69 天，如果早一天利用，可能会产生更多收入。我们的评估时间跨度为 150 天，涉及 96 个 DeFi 协议操作和 25 项资产。

Looking beyond the financial gains mentioned above, forks deteriorate the blockchain consensus security, as they increase the risks of double-spending and selfish mining. We explore the implications of DEFIPOSER-ARB and DEFIPOSER-SMT on blockchain consensus. Specifically, we show that the trades identified by our tools exceed the Ethereum block reward by up to $874 \times$ . Given optimal adversarial strategies provided by a Markov Decision Process (MDP), we quantify the value threshold at which a profitable transaction qualifies as Miner Extractable Value (MEV) and would incentivize MEV-aware miners to fork the blockchain. For instance, we find that on Ethereum, a miner with a hash rate of $10 %$ would fork the blockchain if an MEV opportunity exceeds $4 \times$ the block reward.
除了上述经济收益之外，分叉还会恶化区块链共识的安全性，因为它们会增加双重支出和自私挖矿的风险。我们探讨了 DEFIPOSER-ARB 和 DEFIPOSER-SMT 对区块链共识的影响。具体来说，我们表明，我们的工具所确定的交易最多会超出以太坊区块奖励 $874 \times$ 。鉴于马尔可夫决策过程（Markov Decision Process，MDP）提供的最优对抗策略，我们量化了盈利交易符合矿工可提取价值（Miner Extractable Value，MEV）的价值阈值，并激励具有 MEV 意识的矿工分叉区块链。例如，我们发现在以太坊上，如果 MEV 机会超过区块奖励 $4 \times$ ，散列率为 $10 %$ 的矿工就会分叉区块链。

I. INTRODUCTION I.引言

Blockchain-based decentralized finance protocols (commonly referred to as DeFi ) have attracted a recent surge in popularity and value stored exceeding 13 billion USD. The currently most popular DeFi platforms are based on the Ethereum blockchain and its system of smart contracts, which regularly gives nascence to new applications, mirrored and inspired by the traditional centralized finance system. Examples are asset exchanges [24], [58], margin trading [3], [24], lending/borrowing platforms [27], [30], and derivatives [27]. DeFi , moreover, can surprise with novel use-cases such as
基于区块链的去中心化金融协议（通常称为 DeFi）最近大受欢迎，其价值已超过 130 亿美元。目前最流行的 DeFi 平台基于以太坊区块链及其智能合约系统，该系统定期推出新的应用，与传统的中心化金融系统相呼应，并受到其启发。例如，资产交易所[24]、[58]、保证金交易[3]、[24]、借贷平台[27]、[30]和衍生品[27]。此外，DeFi 还能为新的用例带来惊喜，例如

Fig. 1: DEFIPOSER-ARB and DEFIPOSER-SMT system overview. In DEFIPOSER-SMT, we (2) Create logical models, (3) paths are created and trimmed with heuristics and (4) used within a theorem prover to generate a transaction. In DEFIPOSER-ARB we (2) build a graph of the blockchain state, (3) identify negative cycles, (4) perform a local search and repeat. The transaction with the highest revenue is (5) concretely evaluated before being mined in the next block.
图 1：DEFIPOSER-ARB 和 DEFIPOSER-SMT 系统概述。在 DEFIPOSER-SMT 中，我们（2）创建逻辑模型，（3）创建路径并使用启发式方法进行修剪，（4）在定理证明器中用于生成交易。在 DEFIPOSER-ARB 中，我们(2) 建立区块链状态图，(3) 识别负循环，(4) 执行局部搜索并重复。收入最高的交易（5）将在下一个区块挖矿前得到具体评估。
constant product market maker exchanges [26], [58] and flash loans - instant loans where the lender bears no risk that the borrower does not repay the loan [4], [24], [53].
恒定产品做市商交易所[26]、[58]和闪电贷款--贷款人不承担借款人不偿还贷款的风险的即时贷款[4]、[24]、[53]。

A peculiarity of DeFi platforms is their ability to interoperate; e.g., one may borrow a cryptocurrency asset on one platform, exchange the asset on another, and for instance, lend the resulting asset on a third system. DeFi’s composability has led to the emergence of chained trading and arbitrage opportunities throughout the tightly intertwined DeFi space. Reasoning about what this easy composition entails is not particularly simple; on one side, atomic composition allows to perform risk-free arbitrage - that is to equate asset prices on different DeFi markets. Arbitrage is a benign and important endeavor to keep markets synchronized.
DeFi 平台的一个特点是能够互操作；例如，人们可以在一个平台上借入加密货币资产，在另一个平台上交换该资产，例如，在第三个系统上借出由此产生的资产。DeFi 的可组合性导致整个紧密交织的 DeFi 空间出现了连锁交易和套利机会。推理这种易组合性的含义并不特别简单；一方面，原子组合允许进行无风险套利--即在不同的 DeFi 市场上将资产价格等同起来。套利是保持市场同步的良性而重要的努力。
On the other side, we have seen multi-million-revenue trades that cleverly use the technique of flash loans to exploit economic states in DeFi protocols (e.g., the economic attack on bZx [3], [53] Harvest Finance [28], Value Defi [23] and others [5], [55]). While exploiting economic states, however, is not a security attack in the traditional sense, the practitioners’ community often frames these high-revenue trades as “hacks.”
另一方面，我们也看到一些收入达数百万美元的交易巧妙地利用闪贷技术来利用 DeFi 协议中的经济状态（例如对 bZx [3], [53] 嘉实金融 [28], Value Defi [23] 和其他协议 [5], [55]的经济攻击）。然而，虽然利用经济状态并不是传统意义上的安全攻击，但从业者群体往往将这些高收益交易归为 "黑客 "行为。

Yet, the executing trader follows the rules set forth by the deployed smart contracts. Irrespective of the framing, liquidity providers engaging with DeFi experience millions of USD in unexpected losses. This highlights the need for automated tools that help protocol designers and liquidity providers to understand arbitrage and financial implications in general when engaging with DeFi protocols.
然而，执行交易者遵循的是已部署的智能合约规定的规则。无论框架如何，使用 DeFi 的流动性提供商都会遭受数百万美元的意外损失。这凸显了对自动化工具的需求，这些工具可以帮助协议设计者和流动性提供者在使用 DeFi 协议时了解套利和一般财务影响。
DEFIPOSER-ARB and DEFIPOSER-SMT: This paper presents two tools (cf. Figure 1) that automatically create transactions to compose existing DeFi protocols to generate revenue that can be extracted from the Ethereum ecosystem. They are designed to run in real-time: at every block, they can find (and execute) a new profit-generating transaction; we show how our running time of an unoptimized implementation requires an average of 6.43 seconds and 5.39 seconds on a recent Ethereum block (for DEFIPOSER-ARB and DEFIPOSER-SMT respectively), which is below Ethereum’s average block time of 13.5 seconds [9]. We would like to point out that DEFIPOSER-ARB and DEFIPOSER-SMT, are best-effort tools: because the state of the blockchain and DeFi platforms may change at each block, it is important to operate in real-time, otherwise found trading opportunities might be outdated. Therefore, we made the choice of prioritizing execution speed over completeness, and we do not claim to find optimal strategies.
DEFIPOSER-ARB 和 DEFIPOSER-SMT：本文介绍了两个工具（参见图 1），它们可以自动创建交易，以组成现有的 DeFi 协议，从而产生可从以太坊生态系统中提取的收入。这两款工具旨在实时运行：在每个区块，它们都能找到（并执行）新的创收交易；我们展示了未经优化的实现在最近的以太坊区块上的平均运行时间（DEFIPOSER-ARB 和 DEFIPOSER-SMT分别为 6.43 秒和 5.39 秒），低于以太坊 13.5 秒的平均区块时间[9]。我们想指出的是，DEFIPOSER-ARB 和 DEFIPOSER-SMT 是尽力而为的工具：由于区块链和 DeFi 平台的状态可能会在每个区块发生变化，因此实时操作非常重要，否则发现的交易机会可能会过时。因此，我们选择优先考虑执行速度而非完整性，而且我们并不声称找到了最优策略。

To the best of our knowledge, we are the first to provide automated transaction search mechanisms for composable DeFi protocols. The main risks for a trader using the tools that we consider within this work are currency exposure (i.e., price volatility risks) and the blockchain transaction fees. We discover that significant revenue can be generated with less than 1 ETH of initial capital when using flash loans.
据我们所知，我们是第一家为可组合 DeFi 协议提供自动交易搜索机制的公司。我们在这项工作中考虑的交易者使用工具的主要风险是货币风险（即价格波动风险）和区块链交易费用。我们发现，在使用闪贷时，只需不到 1 ETH 的初始资金就能产生可观的收入。

Our contributions are as follows:
我们的贡献如下

DeFiPoser-ARB: We build a directed DeFi market graph and identify negative cycles with the Bellman-Ford-Moore algorithm. A local search then allows us to discover parameters for profitable arbitrage transactions in near-real-time (average of 6.43 seconds per block).
DeFiPoser-ARB：我们构建了一个有向 DeFi 市场图，并使用 Bellman-Ford-Moore 算法识别负循环。然后，通过局部搜索，我们可以在近乎实时的时间内（平均每个区块 6.43 秒）发现有利可图的套利交易参数。
DEFIPoSER-SMT and Space Reduction: To discover more demanding trades than arbitrage, we model the DeFi systems using a state transition model, which we translate to a logical representation in the Z 3 theorem prover. We introduce heuristics to significantly prune the search space to achieve a near real-time transaction discovery (average of 5.39 seconds per block).
DEFIPoSER-SMT 和空间缩减：为了发现比套利要求更高的交易，我们使用状态转换模型对 DeFi 系统进行建模，并将其转化为 Z 3 定理证明器中的逻辑表示。我们引入了启发式方法来大幅削减搜索空间，以实现接近实时的交易发现（平均每个区块 5.39 秒）。
Miner Extractable Value (MEV) and Security: We show how DEFIPOSER-SMT discovers the economic attack on bZx, which yields over 0.48 M USD, and that this opportunity window was open for over 69 days. Given optimal adversarial mining strategies provided by a Markov Decision Process, we show quantitatively that MEV opportunities can deteriorate the blockchain security. For example, a rational MEV-aware miner with a hash rate of $10 %$ will fork the blockchain if an MEV opportunity exceeds 4 times the block reward and the
矿工可提取价值 (MEV) 和安全性：我们展示了 DEFIPOSER-SMT 如何发现对 bZx 的经济攻击，该攻击产生了超过 48 万美元的收益，而且该机会窗口开放时间超过 69 天。考虑到马尔可夫决策过程提供的最佳对抗性挖矿策略，我们从数量上表明，MEV 机会会降低区块链的安全性。例如，一个哈希率为 $10 %$ 的理性MEV感知矿工会在MEV机会超过区块奖励的4倍时分叉区块链，而当MEV机会超过 $10 %$ 时，该矿工就会分叉区块链。
miner failed to claim the source of MEV.
矿工未能申报 MEV 的来源。
Trading Strategy Validation: We validate the trading strategies discovered by DEFIPOSER-ARB and DEFIPOSER-SMT on a locally-deployed blockchain that mirrors the real network. We estimate that the found strategies yield 4,103.22 ETH (1,641,288 USD) and $1, 552.32$ ETH (620,928 USD) of profit between the Ethereum block $9, 100, 000$ to $10, 050, 000$ ( 150 days from December 2019 to May 2020). We demonstrate that our tools’ capital requirements are minimal: the majority of the strategies require less than 150.00 ETH (60,000 USD), and only 0.40 ETH (160 USD) when using flash loans.
交易策略验证：我们在本地部署的反映真实网络的区块链上验证了 DEFIPOSER-ARB 和 DEFIPOSER-SMT 发现的交易策略。我们估计，在以太坊区块 $9, 100, 000$ 到 $10, 050, 000$ 之间（从 2019 年 12 月到 2020 年 5 月的 150 天），发现的策略产生了 4,103.22 ETH（1,641,288 美元）和 $1, 552.32$ ETH（620,928 美元）的利润。我们证明，我们的工具对资金的要求极低：大多数策略所需的资金不到 150.00 ETH（60,000 美元），使用闪贷时只需 0.40 ETH（160 美元）。
Paper organization: The remainder of the paper is organized as follows. Section II elaborates on the DeFi background, discusses stable coins and flash loans. Section III describes how we encode DeFi protocols into state transition models. Section IV applies negative cycle detection to find DeFi arbitrage opportunities. Section V presents our heuristics and techniques to enable the autonomous discovery of adversarial strategies. Section VI presents our empirical evaluation and quantitative analysis of the found strategies on previous Ethereum blockchain blocks. Section VII discusses DEFIPOSER’s blockchain security implication. We discuss related works in Section VIII and conclude the paper in Section IX.
论文结构：本文的其余部分安排如下。第二节阐述了 DeFi 的背景，讨论了稳定币和闪贷。第三节介绍我们如何将 DeFi 协议编码为状态转换模型。第 IV 节应用负循环检测来寻找 DeFi 套利机会。第五节介绍了我们自主发现对抗策略的启发式方法和技术。第六节介绍我们在以太坊区块链上对发现的策略进行的实证评估和定量分析。第七节讨论 DEFIPOSER 的区块链安全含义。我们在第八节讨论相关工作，并在第九节对本文进行总结。

II. BACKGROUND II.背景情况

In this section, we outline the required background for DeFi . For extensive background on blockchains and smart contracts, we refer the interested reader to [6], [11].
在本节中，我们将概述 DeFi 所需的背景。有关区块链和智能合约的大量背景资料，我们请感兴趣的读者参阅 [6]、[11]。

A. Decentralized Finance (DeFi)
A.分散式融资（DeFi）

Decentralized Finance ( DeFi ) refers to a financial ecosystem that is built on top of (permissionless) blockchains [59]. DeFi supports a multitude of different financial applications [3], [4], [24], [24], [24], [27], [27], [30], [53], [58]. The current DeFi landscape is mostly built upon smart contract enabled blockchains (e.g., Ethereum). We briefly summarize relevant DeFi platforms.
去中心化金融（DeFi）是指建立在（无权限）区块链之上的金融生态系统[59]。DeFi 支持多种不同的金融应用 [3]、[4]、[24]、[24]、[27]、[27]、[30]、[53]、[58]。当前的 DeFi 平台大多建立在支持智能合约的区块链（如以太坊）上。我们简要总结一下相关的 DeFi 平台。
Automated Market Maker (AMM): In traditional finance, asset exchanges are usually operated in the form of order matching. Asks and bids are matched in a centralized limit order book, typically following the FIFO principle [17]. In DeFi , such an order matching mechanism would be inefficient because the number of transactions per second supported by the underlying blockchain is usually limited. Therefore, AMM minimizes the number of transactions required to balance an on-chain asset exchange. AMM allows liquidity providers, the traders who are willing to provide liquidity to the market, to deposit assets into a liquidity pool. Liquidity takers then directly trade against the AMM liquidity pool according to a predefined pricing mechanism. The constant product AMM is currently the most common model (adopted by over

66 %

of the AMM DEX), where the core idea is to keep the product of the asset amounts in the liquidity pool constant. Consider a constant product AMM that trades the asset pair

X / Y . x

and
自动做市商（AMM）：在传统金融中，资产交易所通常以订单匹配的形式运作。买入价和卖出价在中央限价订单簿中进行匹配，通常遵循先进先出原则[17]。在 DeFi 中，这种订单匹配机制效率低下，因为底层区块链每秒支持的交易数量通常有限。因此，AMM 最大限度地减少了平衡链上资产交易所所需的交易数量。AMM 允许流动性提供者（愿意为市场提供流动性的交易者）将资产存入流动性池。然后，流动性接受者根据预定的定价机制直接与 AMM 流动性池进行交易。恒定产品 AMM 是目前最常见的模式（超过

66 %

的 AMM DEX 采用），其核心思想是保持流动性池中资产数量的乘积不变。考虑一个恒定产品 AMM，交易资产对

X / Y . x

和

y

are the amount of

X

and

Y

respectively in the liquidity pool. A liquidity taker attempts to sell

Δ x

X

and get

Δ y

Y

in exchange. The constant product rule stipulates that

x \times y = (x + Δ x) \times (y - Δ y)

. Uniswap [58] is the most dominating constant product AMM with a market capitalization of 1.4B USD [52]. Variant AMMs utilize different pricing formulas, e.g., Bancor [40], while other platforms (e.g., Kyber [46]) aggregate AMMs. When receiving an order from a user, these platforms redirect the order to the AMM, which provides the best asset price.

y

分别是流动性池中

X

和

Y

的数量。流动性接受者试图出售

X

中的

Δ x

并换取

Y

中的

Δ y

。恒积规则规定

x \times y = (x + Δ x) \times (y - Δ y)

。Uniswap [58] 是最主要的恒定产品 AMM，市值达 14 亿美元 [52]。不同的 AMM 采用不同的定价公式，如 Bancor [40]，而其他平台（如 Kyber [46]）则聚合 AMM。当收到用户订单时，这些平台会将订单重定向到提供最佳资产价格的 AMM。
Stablecoin: Stablecoins are a class of cryptocurrencies designed to alleviate the blockchain price volatility [49]. The most salient solution for stabilization is to peg the price of stablecoins to a less-volatile currency (e.g., USD) [50]. There exist over 200 stablecoin projects announced since 2014 [2]. Among them, SAI and DAI developed by MakerDAO [30] have received extensive attention. Both SAI and DAI are collateral-backed stablecoins. SAI is collateralized solely by ETH, whereas DAI is an SAI upgrade to support multiple assets as collateral. At the time of writing, the collateral locked in MakerDAO amounts to 2.73B USD [52].
稳定币：稳定币是一类旨在缓解区块链价格波动的加密货币[49]。最突出的稳定解决方案是将稳定币的价格与波动较小的货币（如美元）挂钩 [50]。自 2014 年以来，已有 200 多个稳定币项目公布[2]。其中，由 MakerDAO [30] 开发的 SAI 和 DAI 受到了广泛关注。SAI 和 DAI 都是有抵押物支持的稳定币。SAI 仅以 ETH 作为抵押，而 DAI 则是 SAI 的升级版，支持多种资产作为抵押。在撰写本文时，MakerDAO 中锁定的抵押品已达 27.3 亿美元[52]。

Flash Loans: The Ethereum blockchain operates similarly to a replicated state machine. Transactions trigger state transitions and provide the input data necessary for the Ethereum Virtual Machine (EVM) state to change according to rules set by smart contracts. Interestingly, the EVM state is only affected by a transaction if the transaction executes without failure. In the case of a failed transaction, the EVM state is reverted to the previous state, but the transaction fees are still paid to miners (as in to avoid Denial of Service attacks). A transaction can fail due to the following three reasons: Either the transaction sender did not specify a sufficient amount of transaction fees, or the transaction does not meet a condition set forth by the interacting smart contract, or the transaction is conflicting (e.g., double-spending) with another transaction.
闪贷：以太坊区块链的运行类似于复制状态机。交易触发状态转换，并提供必要的输入数据，使以太坊虚拟机（EVM）的状态根据智能合约设定的规则发生变化。有趣的是，EVM 状态只有在交易无故障执行的情况下才会受到交易的影响。在交易失败的情况下，EVM 状态会恢复到之前的状态，但交易费用仍会支付给矿工（以避免拒绝服务攻击）。交易失败可能有以下三种原因：要么是交易发送者没有指定足够的交易费用，要么是交易不符合交互智能合约规定的条件，要么是交易与其他交易冲突（如重复支出）。

This concept of a state reversion enables the introduction of flash loans, short-lived loans that execute atomically within only one blockchain transaction. Within a single transaction, (i) the loan is taken from a liquidity pool, (ii) the loan is put to use, and (iii) the loan (plus interest payment) is paid back to the flash loan pool. If the third condition is not met, i.e., the loan plus interests are not paid back, then the entire flash loan transaction fails. This is equivalent to the case that the loan was never issued because the EVM state is not modified out of the result of a failed transaction.
这种状态还原的概念使得闪贷成为可能，这种短期贷款只在一次区块链交易中原子式地执行。在一次交易中，(i) 从流动资金池中提取贷款，(ii) 将贷款投入使用，(iii) 将贷款（连同利息支付）返还给闪贷资金池。如果不满足第三个条件，即贷款和利息没有偿还，则整个闪贷交易失败。这等同于贷款从未发放，因为 EVM 状态不会因交易失败的结果而改变。

Flash loans, therefore, entail two interesting properties. First, the lender is guaranteed that the borrower will repay the loan. If the repayment is not performed, the loan would not be given. Second, the borrower can technically request any amount of capital, up to the amount of funds available in a flash loan pool, given a constant payment which corresponds to the blockchain transaction fees (about 10 USD for the most common flash loan providers). The borrower hence can have access to millions of USD with just a few initial USD and hence is not exposed to the currency risk of the lent asset.
因此，闪电贷款有两个有趣的特性。首先，贷款人保证借款人会偿还贷款。如果不还款，就不会发放贷款。其次，从技术上讲，借款人可以申请任何金额的资金，只要支付与区块链交易费用（最常见的闪电贷款提供商约为 10 美元）相当的固定费用，就可以获得闪电贷款池中的可用资金。因此，借款人只需支付几美元的初始资金，就可以获得数百万美元的资金，而且不会面临借出资产的货币风险。

Fig. 2: Example strategy across three DeFi markets, identified at Ethereum block 10,001, 087, which would yield a revenue of

7.81 ETH (3, 124 USD)

.
图 2：在以太坊区块 10,001,087 上确定的三个 DeFi 市场的策略示例，可产生

7.81 ETH (3, 124 USD)

的收益。

III. DEFi MODELING III.定义模型

We proceed to introduce our system, trader, and state transition model for the interaction between DeFi platforms. On a high level, our model state consists of the DeFi market states, as well as the cryptocurrency asset balances of a trader

T

. The transitions represent DeFi actions performed by the trader

T

on the respective DeFi platforms. The goal of the trader is to maximize the amount of cryptocurrency assets held.
接下来，我们将介绍 DeFi 平台之间交互的系统、交易者和状态转换模型。从高层次来看，我们的模型状态由 DeFi 市场状态以及交易者

T

的加密货币资产余额组成。转换代表交易者

T

在各自 DeFi 平台上执行的 DeFi 操作。交易者的目标是最大化所持有的加密货币资产。

A. System Model A.系统模型

Our system consists of a blockchain with financial cryptocurrency assets (i.e., coins or tokens). Cryptocurrency assets can be used within DeFi platforms (i.e., markets), such as exchanges, lending, and borrowing platforms. Each DeFi platform offers a set of actions, which can be triggered by a transaction. Actions take an asset as input and yield, for instance, another asset as output. Multiple actions can be encapsulated in one transaction and executed atomically in sequence. A path, is a sequence of actions across DeFi platforms. We denote as strategy (cf. Figure 2), or transaction, a path with parameters for each action (such as coin amounts, etc.). We consider a state of a DeFi market to change whenever an action manipulates the amount of assets within this DeFi market. Note that we only consider the blockchain state at block-height

i

after the execution of all transactions within a block

i

(i.e., we do not consider intermittent block states).
我们的系统由带有金融加密货币资产（即硬币或代币）的区块链组成。加密货币资产可在 DeFi 平台（即市场）中使用，如交易所、借贷平台。每个 DeFi 平台都提供一套可由交易触发的操作。操作将资产作为输入，并产生另一种资产作为输出。多个操作可封装在一个交易中，并按顺序原子执行。路径是指跨 DeFi 平台的行动序列。我们将带有每个行动参数（如硬币数量等）的路径称为策略（参见图 2）或事务。我们认为，每当一个行为操纵了 DeFi 市场中的资产数量时，该 DeFi 市场的状态就会发生变化。请注意，我们只考虑一个区块

i

内所有交易执行完毕后区块高度

i

的区块链状态（即我们不考虑间歇性的区块状态）。

B. Trader Model B.交易员模式

We consider a computationally bounded trader (denoted by

T

) which is capable of executing transactions (i.e., perform actions) across a set of DeFi platforms. T’s cryptocurrency assets are limited by the supply of liquidity available in public flash loan pools [53]. The trader is capable of reading the blockchain contents but is not expected to observe unconfirmed blockchain transactions on the network layer. We assume that the trader is capable of placing a transaction ahead of other DeFi transactions within a future blockchain block. Practically, this requires the trader to pay a higher transaction fee, as most miners appear to order transactions based on gas price. We assume that the trader is not colluding with a miner, while this may present an interesting avenue for future work.
我们考虑一个计算受限的交易者（用

T

表示），它能够在一组 DeFi 平台上执行交易（即执行操作）。T 的加密货币资产受到公共闪存贷款池中可用流动性供应的限制 [53]。交易者能够读取区块链内容，但预计不会在网络层观察到未经确认的区块链交易。我们假设交易者有能力在未来的区块链区块中将交易置于其他 DeFi 交易之前。实际上，这需要交易者支付更高的交易费，因为大多数矿工似乎是根据天然气价格来下单交易的。我们假设交易者没有与矿工串通，但这可能是未来工作的一个有趣方向。
We assume that the trader is operating on the blockchain head, i.e., the most recently mined, valid block, of the respective blockchain. In the case of a Proof-of-Work (PoW) blockchain, the most recent block shall also be the one with the most PoW (i.e., the greatest difficulty). For simplicity, we ignore complications resulting from blockchain forks.
我们假设交易者是在区块链头（即最近挖掘出的有效区块）上进行操作。在工作证明（PoW）区块链的情况下，最近的区块也应是PoW最多（即难度最大）的区块。为简单起见，我们忽略了区块链分叉导致的复杂性。

C. Notation C.符号

To ease the understanding of the following paragraphs, we proceed by introducing the utilized notation.
为了便于理解下面的段落，我们首先介绍所使用的符号。
Assets: The set

C

denotes the collection of cryptocurrency assets, which the trader uses to generate trading strategies.
资产：集合

C

表示加密货币资产集合，交易者使用这些资产生成交易策略。
Actions: The set

A

denotes the collection of actions the trader selects from the DeFi protocols.
行动：集合

A

表示交易者从 DeFi 协议中选择的行动集合。
Parameters: The trader

T

must supply parameters to execute actions

a \in A

, e.g., the amounts of cryptocurrency assets

T

sends to the corresponding DeFi platforms.
参数：交易者

T

必须提供参数以执行操作

a \in A

，例如，向相应 DeFi 平台发送加密货币资产

T

的金额。
Path: A path

p \in P

is a sequence of

n

non-repeated actions drawn from

A

. We denote the power set of all actions with

℘ (A)

, which consists of all subsets of the action set

A

, including the empty set. Given a subset

K \in ℘ (A)

, we denote the permutations set of

K

with

S (K)

. The collection of all paths

P

can then be defined using Equation 1. Note

P

consists of paths of different lengths.
路径：路径

p \in P

是从

A

中抽取的

n

非重复动作的序列。我们用

℘ (A)

表示所有操作的幂集，它由操作集

A

的所有子集组成，包括空集。给定子集

K \in ℘ (A)

，我们用

S (K)

表示

K

的排列集合。所有路径的集合

P

可以用等式 1 来定义。注意

P

包含不同长度的路径。

\begin{aligned} P = \cup_{K}^{℘_{(A)}} S (K), s.t. & \forall p = (a_{1}, a_{2}, \dots, a_{n}) \in P \\ a_{i} \in A, \forall i \in [1, n] \\ a_{i} \neq a_{j}, \forall a_{i}, a_{j} \in A, i \neq j \end{aligned}

Strategy: A strategy consists a path

p \in P

with

n

actions, a list of parameters

[x_{1}, \dots, x_{n}]

for each action in

p

, and an initial state (cf. Equation 4) of the model.
策略策略由包含

n

行动的路径

p \in P

、

p

中每个行动的参数列表

[x_{1}, \dots, x_{n}]

和模型的初始状态（参见公式 4）组成。
Balance function: Given a strategy with

n

actions, the balance function

B_{i}^{T} (c)

denotes

T

's balance for cryptocurrency asset

c

after performing the

i^{th}

action, where

0 \leq i \leq n

and

c \in C

.
余额函数：给定一个包含

n

操作的策略，余额函数

B_{i}^{T} (c)

表示

T

执行

i^{th}

操作后加密货币资产

c

的余额，其中

0 \leq i \leq n

和

c \in C

.
Storage function:

K (a)

denotes the set of smart contract storage variable addresses an action

a

reads from and writes to. These addresses are identified from the underlying blockchain runtime environment. We use

K^{T} (a)

to denote a subset of

K (a)

, which is only relevant to the trader

T

.
存储功能：

K (a)

表示操作

a

读取和写入的智能合约存储变量地址集。这些地址是从底层区块链运行环境中识别出来的。我们使用

K^{T} (a)

表示

K (a)

的子集，它只与交易者

T

有关。

D. States D.国家

We classify the state variables into two categories, the trader and DeFi states.

S^{T}

represents the trader’s asset portfolio (cf. Equation 2).

S^{DeFi}

is the set of all storage variables

T

reads from and writes to, for all the DeFi actions in our model (cf. Equation 3). The union

S

of these two categories is the overall state of our system (cf. Equation 4). Given a strategy with

n

actions, the state after performing the

i^{t h}

action, where

0 \leq

i \leq n

is denoted as

s_{i}

, with the initial state

s_{0}

.
我们将状态变量分为两类，即交易者状态和 DeFi 状态。

S^{T}

代表交易者的资产组合（参见公式 2）。

S^{DeFi}

是我们模型中所有 DeFi 操作的所有存储变量

T

读取和写入的集合（参见公式 3）。这两个类别的集合

S

就是我们系统的整体状态（参见等式 4）。给定一个具有

n

操作的策略，执行

i^{t h}

操作后的状态，其中

0 \leq

i \leq n

表示为

s_{i}

，初始状态为

s_{0}

。

\begin{matrix} S^{T} = {B^{T} (c) : \forall c \in C} \\ S^{DeFi} = \cup_{\forall a \in A} K^{T} (a) \\ S = S^{T} \cup S^{DeFi} \end{matrix}

E. Transitions E.过渡

Our state transition function is

F^{T} (s \in S, a \in A, x) \to S

, outputs the next state if action

a

with parameter

x

is performed on state

s

by trader

T

. Given a strategy with

n

actions, where

a_{i}

and

x_{i}

represents the

i^{th}

action and parameter
我们的状态转换函数是

F^{T} (s \in S, a \in A, x) \to S

，如果交易者

T

在状态

s

上执行了参数为

x

的行动

a

，则输出下一个状态。给定一个有

n

行动的策略，其中

a_{i}

和

x_{i}

表示

i^{th}

行动，参数为

Fig. 3: Technical design choices of DEFIPOSER. DEFIPOSER consists of three components: (1) a path pruning component; (2) a parameter search component, and (3) a strategy combination/execution component.
图 3：DEFIPOSER 的技术设计选择。DEFIPOSER 由三个部分组成：(1) 路径剪枝组件；(2) 参数搜索组件；(3) 策略组合/执行组件。
respectively, and

s_{i}

represents the state after the

i^{th}

action. Equation 5 shows the state transition process of this strategy, while Equation 6 computes the final state

s_{n}

when each action is sequentially applied to

s_{0}

.
和

s_{i}

分别表示

i^{th}

动作后的状态。等式 5 显示了该策略的状态转换过程，而等式 6 则计算了当每个操作依次应用于

s_{0}

时的最终状态

s_{n}

。

\begin{matrix} s_{i + 1} = F^{T} (s_{i}, a_{i + 1}, x_{i + 1}) \\ s_{n} = F^{T} (\dots F^{T} (F^{T} (s_{0}, a_{1}, x_{1}), a_{2}, x_{2}) \dots) \end{matrix}

F. Objective F.目标

We choose an asset

b \in C

as our base cryptocurrency asset. The objective of the trader

T

is to find a strategy, such that the balance of

b

(cf. Equation 7) is maximized, whereas the portfolio balances of the trader, except for

b

, remain the same.
我们选择一种资产

b \in C

作为基础加密货币资产。交易者

T

的目标是找到一种策略，使

b

的余额最大化（参见公式 7），而交易者的投资组合余额（除

b

外）保持不变。

\begin{array}{r} {maximise}_{p \in P} obj (s_{0}, p) = B_{n}^{T} (b) - B_{0}^{T} (b) \\ with constraints: B_{n}^{T} (c) = B_{i}^{T} (c), \forall c \in C ∖ b \end{array}

G. Base cryptocurrency asset
G. 基础加密货币资产

To identify revenue yielding paths, we make the assumption that the trader

T

operates in this work on a single base cryptocurrency asset. Naturally, this can be extended to multiple base currencies to increase potential financial results.
为了确定产生收益的路径，我们假设交易者

T

在本作品中操作的是单一基础加密货币资产。当然，这也可以扩展到多种基础货币，以增加潜在的财务成果。

H. DEFIPOSER Design Choices
H.DEFIPOSER 设计选择

Figure 3 shows the high-level design choices of the DEFIPOSER tools we present in this paper. DEFIPOSER consists of three components: (1), a pruning algorithm to filter potentially profitable paths; (2), a search algorithm which searches parameters to maximize the revenue of a given path, and (3) a strategy combination/execution algorithm, which decides how the found strategies are executed.
图 3 显示了我们在本文中介绍的 DEFIPOSER 工具的高层设计选择。DEFIPOSER 由三个部分组成：(1) 一种剪枝算法，用于过滤潜在的盈利路径；(2) 一种搜索算法，用于搜索参数，使给定路径的收益最大化；(3) 一种策略组合/执行算法，用于决定如何执行找到的策略。

Generally speaking, each instantiation of the different components bears its own advantages and disadvantages. For instance, negative cycle detection only searches cyclic paths, whereas pruning with heuristics can search for any path structure. Given a simple path such as a cyclic arbitrage, we find that local search is faster than the SMT solver (cf. Figure 12), but does not provide satisfiability proofs. In the following we present two variants of DEFIPOSER, namely DEFIPOSER-ARB (cf. Section IV) and DEFIPOSER-SMT (cf. Section V).
一般来说，不同组件的每个实例都有各自的优缺点。例如，负循环检测只能搜索循环路径，而启发式剪枝法可以搜索任何路径结构。对于循环套利这样的简单路径，我们发现局部搜索比 SMT 解算器更快（参见图 12），但不能提供可满足性证明。下面我们将介绍 DEFIPOSER 的两个变体，即 DEFIPOSER-ARB（参见第四节）和 DEFIPOSER-SMT（参见第五节）。

IV. Applying Negative Cycle Detection to DeFi Arbitrage
IV.将负周期检测应用于 DeFi 套利

Previous works propose negative cycle detection algorithms, such as the Bellman-Ford-Moore algorithm, to find arbitrage opportunities [18]. In these algorithms, the exchange markets are modeled as a directed weighted graph

(g)

. Every negative cycle in the graph then corresponds to an arbitrage opportunity.
之前的研究提出了负周期检测算法，如 Bellman-Ford-Moore 算法，以寻找套利机会 [18]。在这些算法中，交易所市场被建模为一个有向加权图

(g)

。图中的每个负周期都对应一个套利机会。

A. Negative Cycle Detection to Detect Arbitrage
A.检测套利的负循环检测法

We adopt the following notations to translate arbitrage detection into a negative cycle detection problem.
我们采用以下符号将套利检测转化为负循环检测问题。
Nodes: The set

N

denotes the collection of nodes. Each node (vertex) represents a different asset

(c \in C)

.
节点：集合

N

表示节点集合。每个节点（顶点）代表不同的资产

(c \in C)

。
Directed edges: The set

E

denotes the collection of all edges. An edge

e_{i, j}

that points from asset

c_{i}

c_{j}

represents that there exist a market where the trader

T

can sell cryptocurrency asset

c_{i}

to purchase cryptocurrency asset

c_{j}

.
有向边：集合

E

表示所有边的集合。从资产

c_{i}

指向

c_{j}

的边

e_{i, j}

表示存在这样一个市场，交易者

T

可以出售加密货币资产

c_{i}

以购买加密货币资产

c_{j}

。
Spot price: The spot price

p_{i, j}^{spot}

for edge

e_{i, j}

is the approximated best current price a trader

T

finds on all DeFi AMM markets, when selling an arbitrarily small amount (close to 0 ) of a cryptocurrency asset

c_{i}

to purchase

c_{j}

.
现货价格：边缘

e_{i, j}

的现货价格

p_{i, j}^{spot}

是交易者

T

在所有 DeFi AMM 市场上卖出任意少量（接近 0）的加密货币资产

c_{i}

以购买

c_{j}

时找到的当前最佳近似价格。
Arbitrage: A path

[c_{1} \overset{a_{1}}{\to} c_{2} \dots c_{k - 1} \to_{spot}^{a_{k - 1}} c_{k}]

consists an arbitrage opportunity, if

p_{1, 2}^{spot} \times \dots \times p_{k - 1, k}^{spot} > 1

.
套利：如果

p_{1, 2}^{spot} \times \dots \times p_{k - 1, k}^{spot} > 1

，路径

[c_{1} \overset{a_{1}}{\to} c_{2} \dots c_{k - 1} \to_{spot}^{a_{k - 1}} c_{k}]

包含套利机会。
Edge weight: To apply negative cycle detection algorithms, we use the negative

\log

of price

w_{i, j} = - \log (p_{i, j}^{spot})

as the weights for edge

e_{i, j}

. An arbitrage opportunity exists if

w_{1, 2} +

\dots + w_{i - 1, i} < 0

.
边缘权重：为了应用负循环检测算法，我们使用价格

w_{i, j} = - \log (p_{i, j}^{spot})

的负

\log

作为边

e_{i, j}

的权重。如果

w_{1, 2} +

\dots + w_{i - 1, i} < 0

，则存在套利机会。
Path finding: Our objective is to maximize

T

's base cryptocurrency asset. An arbitrage cycle, however, may not consist of the base asset. Therefore, we convert the arbitrage revenue to the base cryptocurrency asset by the end of the execution. More concretely, we find all ‘connecting’ markets that support the conversion between one of the arbitrage assets and the base cryptocurrency asset. We perform the conversion using the ‘connecting’ markets with the best price.
路径发现：我们的目标是最大化

T

的基础加密货币资产。但是，套利周期可能不包括基础资产。因此，我们在执行结束时将套利收入转换为基础加密货币资产。更具体地说，我们要找到所有支持在一种套利资产和基础加密货币资产之间进行转换的 "连接 "市场。我们使用价格最优的 "连接 "市场进行转换。

B. Negative Cycle Detection Algorithms
B.负循环检测算法

Negative cycle detection algorithms combine the shortest path algorithm with a cycle detection strategy. Cherkassky et al. [18] studied various combinations of shortest path algorithms (Bellman-Ford-Moore [8], [29], [51], Goldfarb-HaoKai [35], Goldberg-Radzik [33], etc.) and cycle detection strategies (Walk to the root, Admissible graph search [34],
负循环检测算法结合了最短路径算法和循环检测策略。Cherkassky 等人[18]研究了最短路径算法（Bellman-Ford-Moore [8]、[29]、[51]、Goldfarb-HaoKai [35]、Goldberg-Radzik [33]等）和循环检测策略（走到根、可容许图搜索 [34]）的各种组合、

Algorithm 1: Negative cycle arbitrage detection.
    Input:
    \(s_{0} \leftarrow\) Initial state \(;\) target \(\leftarrow\) Minimum revenue target
    Output: revenue \(_{\text {total }}\)
    \(s \leftarrow s_{0} ; g \leftarrow\) buildGraph \((N, E, s) ;\) revenue \(_{\text {total }} \leftarrow 0\)
    while hasNegativeCycle(g) do
        cycle \(\leftarrow\) getNegativeCycle(graph)
        \(p \leftarrow \operatorname{getPath}(\) cycle \()\)
        (revenue, \(s) \leftarrow \operatorname{search}(p)\)
        if revenue \(>\) target then
            revenue \(_{\text {total }} \leftarrow\) revenue \(_{\text {total }}+\) revenue
        end
        \(g \leftarrow \operatorname{buildGraph}(N, E, s)\)
    end
    return revenue \(_{\text {total }}\)
    Function buildGraph \((N, E, s \in S)\) is
        \# fetch the spot price for each \(e \in E\)
        \# build the graph \(g\); where \(w_{c_{i}, c_{j}}=-\log \left(p_{c_{i}, c_{j}}^{\text {spot }}\right)\)
        return \(g\)
    end
    Function hasNegativeCycle \((g)\) is
        return (Detects a negative cycle?)
    end
    Function getPath(cycle) is
        \(p \in P\) connects \(\mathbb{T}\) 's baseasset with cycle.
        return \(p\)
    end
    Function \(\operatorname{search}(p)\) is
        \# find the parameters for path \(p\)
        \(s^{\prime} \leftarrow\) state after executinng the strategy
        return (revenue, \(s^{\prime}\) )
    end

Subtree traversal [44], etc.) and compared their relative performances. A natural question is whether these cycle detection algorithms can be directly applied to find profitable transactions in DeFi.
子树遍历[44]等），并比较了它们的相对性能。一个自然而然的问题是，这些周期检测算法能否直接用于查找 DeFi 中有利可图的交易。

In bid-ask markets, the price does not change if the trade volume is within the bid/ask size [17]. DeFi AMM exchanges, however, follow a dynamic price based on the trade volume. Intuitively, the bigger the transaction size, the worse the trading price becomes. Hence, our algorithm needs to consider dynamic price changes and update the graph

g

after every action. On a high level, a Bellman-Ford-Moore inspired algorithm repeatedly performs the following steps: (i) Build the graph

g

based on the spot prices from the current state

s \in S

; (ii) Detect arbitrage cycles in the graph

g

(Bellman-FordMoore); (iii) Build a path based on the negative cycle, and find the strategy (parameters for the path), finally (iv) Execute the strategy and update the state

s

. Algorithm 1 presents the details of DEFIPOSER-ARB. To find the parameters for a path, Algorithm 1 gradually increases the amount of base assets into the path until there is no increase in revenue.
在买入价-卖出价市场，如果交易量在买入价/卖出价范围内，价格就不会改变[17]。然而，DeFi AMM 交易所根据交易量实行动态价格。直观地说，交易规模越大，交易价格越差。因此，我们的算法需要考虑动态价格变化，并在每次操作后更新图

g

。从高层次来看，受贝尔曼-福特-摩尔（Bellman-Ford-Moore）启发的算法会重复执行以下步骤：(i) 根据当前状态

s \in S

中的现货价格构建图

g

；(ii) 检测图

g

中的套利周期（Bellman-FordMoore）；(iii) 根据负周期构建路径，并找到策略（路径参数），最后 (iv) 执行策略并更新状态

s

。算法 1 介绍了 DEFIPOSER-ARB 的详细信息。为了找到路径参数，算法 1 逐步增加路径中的基础资产数量，直到收入不再增加。

We present DEFIPoser-ARB’s evaluation in Section VI.
我们将在第六节介绍对 DEFIPoser-ARB 的评估。

V. DESIGN OF DEFIPOSER-SMT
V.除颤器-SMT 的设计

In this section, we discuss an alternative technique, DEFIPOSER-SMT, to find profitable transactions in DeFi, which is more general when compared to DEFIPOSER-ARB.
在本节中，我们将讨论在 DeFi 中寻找盈利交易的另一种技术 DEFIPOSER-SMT，与 DEFIPOSER-ARB 相比，它更具通用性。

More specifically, DEFIPOSER-SMT can operate on noncyclic strategies, while DEFIPOSER-ARB cannot. We observe that profitable DeFi strategies do not necessarily form a complete cycle. For example, Figure 4 a shows the graph for the economic bZx attack (cf. Section VII). The strategy requires the trader to send Ether to edge 1 without receiving any assets in return and to then perform an arbitrage cycle with edge 2 and 3 .
更具体地说，DEFIPOSER-SMT 可以对非周期性策略进行操作，而 DEFIPOSER-ARB 则不行。我们发现，有利可图的 DeFi 策略并不一定会形成一个完整的循环。例如，图 4 a 显示了经济 bZx 攻击的图形（参见第七节）。该策略要求交易者向边缘 1 发送以太币，但不收取任何资产，然后与边缘 2 和 3 进行套利循环。

A. Choosing an SMT Solver for DEFIPOSER-SMT
A.为 DEFIPOSER-SMT 选择 SMT 仿真器

To overcome the aforementioned challenges of non-existent cycles, we chose to adopt a theorem prover for DEFIPOSERSMT’s (cf. Figure 1) design. The theorem prover logically formulates what a profitable strategy entails to locate concrete profitable instantiations. We perform systematic path exploration to determine if the model (cf. Section III) satisfies the provided requirements, similar to other model checking systems [13], [16], [36], [43], [45], [48], [56], [57].
为了克服上述不存在循环的难题，我们选择采用定理证明器来设计 DEFIPOSERSMT（参见图 1）。该定理证明器从逻辑上阐述了盈利策略的含义，从而找到具体的盈利实例。我们执行系统路径探索，以确定模型（参见第三节）是否满足所提供的要求，这与其他模型检查系统[13], [16], [36], [43], [45], [48], [56], [57]类似。

Our model requires the SMT solver (such as MathSat [14], Z3 [21], or Coral [54]) to support floating-point arithmetic because we adopt the theory of real numbers (cf. Section III). We encode the state transition model in three major steps: (i) Encode the initial state as a predicate; (ii) iteratively apply state transition actions, and encode the resulting states after each action as predicates. Then, (iii) convert the objective function into a set of constraints to ensure that the value of the trader portfolio increases by

Z

, and translate the constraints into predicates. Note that we rely on an optimization algorithm (cf. Algorithm 3) to find the highest possible

Z

. The optimization process requires solving the same SMT problem with different initializations of

Z

(cf. Appendix C for an example).
我们的模型要求 SMT 求解器（如 MathSat [14]、Z3 [21] 或 Coral [54]）支持浮点运算，因为我们采用的是实数理论（参见第三节）。我们分三大步骤对状态转换模型进行编码：(i) 将初始状态编码为谓词；(ii) 迭代应用状态转换动作，并将每次动作后的结果状态编码为谓词。然后，(iii) 将目标函数转换为一组约束条件，以确保交易者投资组合的价值增加

Z

，并将约束条件转换为谓词。请注意，我们依靠优化算法（参见算法 3）来找到可能的最高值

Z

。优化过程要求在求解相同的 SMT 问题时，对

Z

进行不同的初始化（示例参见附录 C）。

B. Path Pruning B.路径修剪

One bottleneck of model checking is the combinatorial path explosion problem. We, therefore, prune the paths by applying the following heuristics. Note that heuristics may prune profitable strategies, and DEFIPOSER-SMT is therefore only a best-effort tool.
模型检查的一个瓶颈是组合路径爆炸问题。因此，我们采用以下启发式方法对路径进行剪裁。请注意，启发式方法可能会剪除有利可图的策略，因此 DEFIPOSER-SMT 只是一种尽力而为的工具。
Heuristic 1: A profitable strategy must consist of more than one action. That is because, given an initial state

S_{0}

, a strategy with only one action will not increase the balance of the base cryptocurrency asset while keeping the balance of all other cryptocurrency assets unchanged.
启发式 1：盈利策略必须包含一个以上的操作。这是因为，在给定初始状态

S_{0}

的情况下，只有一个行动的策略不会增加基础加密货币资产的余额，同时保持所有其他加密货币资产的余额不变。
Heuristic 2: A strategy must start with a sequence of entering actions. An entering action is defined as any action which takes the base cryptocurrency asset as input.
启发式 2：策略必须从一连串进入行动开始。输入操作的定义是将基础加密货币资产作为输入的任何操作。
Heuristic 3: A strategy must end with a sequence of exiting actions. An exiting action is defined as any action that outputs the base cryptocurrency asset. Recall that the objective of the trader is to maximize the amount of base assets held.
启发式 3：策略必须以一系列退出操作结束。退出操作被定义为输出基础加密货币资产的任何操作。回顾一下，交易者的目标是最大化持有的基础资产数量。

Heuristic 4: Apart from the entering actions, an action must depend on at least one previous action. Conceptually, this is to avoid a strategy to contain actions that do not interact with any other actions. Given two actions

a_{i}, a_{j} \in A

, we define that

a_{i}

and

a_{j}

are independent actions, iff. there is no intersection
启发式 4：除了进入的行动，一个行动必须至少依赖于一个先前的行动。从概念上讲，这是为了避免策略中包含不与任何其他操作交互的操作。给定两个行动

a_{i}, a_{j} \in A

，我们定义

a_{i}

和

a_{j}

为独立行动，如果没有交集的话。
between

K^{T} (a_{i})

and

K^{T} (a_{j})

(cf. Equation 8). In other words, the execution of

a_{i}

does not affect the execution results of

a_{j}

, no matter what concrete state is given.
和

K^{T} (a_{j})

之间的关系（参见等式 8）。换句话说，无论给出什么具体状态，

a_{i}

的执行都不会影响

a_{j}

的执行结果。

a_{i} ⫫ a_{j} ⟺ K^{T} (a_{i}) \cap K^{T} (a_{j}) = \emptyset

Recall that

K (a)

denotes the set of smart contract storage variables an action

a

reads from and writes to, and

K^{T} (a)

denotes a subset of

K (a)

, which is relevant to the trader

T

. As an example of independence, we assume

a_{1}

transacts

c_{1}

c_{2}

using a constant product market

M 1

with liquidity

L 1^{c_{1}}

and

L 1^{c_{2}}

, and

a_{2}

transacts

c_{1}

c_{3}

using another constant product market

M 2

with liquidity

L 2^{c_{1}}

and

L 2^{c_{3}}

. Equation 9 shows the storage variables

a_{1}

and

a_{2}

reads from and writes to.

a_{1}

and

a_{2}

are not independent, as they both read/write variable

T . c_{1}

. Therefore, Heuristic 4 does not prune the path containing

a_{1}

and

a_{2}

.
回顾一下，

K (a)

表示操作

a

读取和写入的智能合约存储变量集，

K^{T} (a)

表示

K (a)

的子集，与交易者

T

相关。作为独立性的一个例子，我们假设

a_{1}

使用流动性为

L 1^{c_{1}}

和

L 1^{c_{2}}

的恒定产品市场

M 1

交易

c_{1}

到

c_{2}

，而

a_{2}

使用流动性为

L 2^{c_{1}}

和

L 2^{c_{3}}

的另一个恒定产品市场

M 2

交易

c_{1}

到

c_{3}

。等式 9 显示了存储变量

a_{1}

和

a_{2}

的读取和写入。

a_{1}

和

a_{2}

不是独立的，因为它们都读/写变量

T . c_{1}

。因此，启发式 4 不会剪切包含

a_{1}

和

a_{2}

的路径。

\begin{aligned} K^{T} (a_{1}) & = {M 1 . L 1^{c_{1}}, M 1 . L 1^{c_{2}}, T \cdot c_{1}, T \cdot c_{2}} \\ K^{T} (a_{2}) & = {M 2 . L 2^{c_{1}}, M 2 . L 2^{c_{3}}, T \cdot c_{1}, T \cdot c_{3}} \end{aligned}

Heuristic 5: An action cannot be immediately followed by another reversing action (i.e., a mirroring action) on the same DeFi market. For instance, if

a_{1}

transacts

c_{1}

c_{2}

, and

a_{2}

converts

c_{2}

c_{1}

on the same market, then heuristic 5 will prune all paths that contain

a_{1}, a_{2}

.
启发式 5：在同一 DeFi 市场上，一个操作之后不能立即出现另一个反向操作（即镜像操作）。例如，如果

a_{1}

在同一市场上将

c_{1}

交易到

c_{2}

，而

a_{2}

在同一市场上将

c_{2}

转换为

c_{1}

，那么启发式 5 将删除所有包含

a_{1}, a_{2}

的路径。
Heuristic 6: A path cannot include any branching. For example, a path of 5 actions

[c_{1} \overset{a_{1}}{\to} c_{2} \overset{a_{2}}{\to} c_{4}, c_{1} \overset{a_{3}}{\to} c_{3} \overset{a_{4}}{\to}

c_{4}, c_{4} \overset{a_{5}}{\to} c_{1}]

is composed of two paths,

[c_{1} \overset{a_{1}}{\to} c_{2} \overset{a_{2}}{\to} c_{4} \overset{a_{5}}{\to}

c_{1}

] and

[c_{1} \overset{a_{3}}{\to} c_{3} \overset{a_{4}}{\to} c_{4} \overset{a_{5}}{\to} c_{1}

] (cf. Figure 5a). In our work, we choose the more profitable path, and discard the other, because both paths affect the asset

c_{4}

. In a future work, it might be interesting to attempt to extract profit from both paths in an effort to maximize the revenue.
启发式 6：路径不能包含任何分支。例如，一条包含 5 个行动的路径

[c_{1} \overset{a_{1}}{\to} c_{2} \overset{a_{2}}{\to} c_{4}, c_{1} \overset{a_{3}}{\to} c_{3} \overset{a_{4}}{\to}

c_{4}, c_{4} \overset{a_{5}}{\to} c_{1}]

由两条路径

[c_{1} \overset{a_{1}}{\to} c_{2} \overset{a_{2}}{\to} c_{4} \overset{a_{5}}{\to}

c_{1}

] 和

[c_{1} \overset{a_{3}}{\to} c_{3} \overset{a_{4}}{\to} c_{4} \overset{a_{5}}{\to} c_{1}

] 组成（参见图 5a）。在我们的工作中，我们选择利润较高的路径，而放弃另一条路径，因为这两条路径都会影响资产

c_{4}

。在未来的工作中，尝试从两条路径中提取利润，努力实现收益最大化可能会很有趣。
Heuristic 7: A path must not include any loops. For example, a path

[c_{1} \overset{a_{1}}{\to} c_{2} \overset{a_{2}}{\to} c_{3} \overset{a_{3}}{\to} c_{2} \overset{a_{4}}{\to} c_{3} \overset{a_{5}}{\to} c_{1}]

consists of a loop between

c_{2}

and

c_{3}

. This path is composed of two subpaths, namely

[c_{1} \overset{a_{1}}{\to} c_{2} \overset{a_{2}}{\to} c_{3} \overset{a_{5}}{\to} c_{1}]

and

[c_{1} \overset{a_{1}}{\to} c_{2} \overset{a_{4}}{\to}

c_{3} \overset{a_{5}}{\to} c_{1}]

(cf. Figure 5b). We again chose the more profitable path, and discard the other for simplicity. We leave it to future work to optimize the potential gain.
启发式 7：路径不得包含任何循环。例如，路径

[c_{1} \overset{a_{1}}{\to} c_{2} \overset{a_{2}}{\to} c_{3} \overset{a_{3}}{\to} c_{2} \overset{a_{4}}{\to} c_{3} \overset{a_{5}}{\to} c_{1}]

包含

c_{2}

和

c_{3}

之间的循环。这条路径由两条子路径组成，即

[c_{1} \overset{a_{1}}{\to} c_{2} \overset{a_{2}}{\to} c_{3} \overset{a_{5}}{\to} c_{1}]

和

[c_{1} \overset{a_{1}}{\to} c_{2} \overset{a_{4}}{\to}

c_{3} \overset{a_{5}}{\to} c_{1}]

（参见图 5b）。为了简单起见，我们再次选择了利润较高的路径，而放弃了另一条路径。我们把优化潜在收益的工作留给了未来的工作。
The efficiency of path pruning can be evaluated across two dimensions: (i) the number of paths that are pruned, and, (ii) the reduction in revenue resulting from the heuristic pruning. To address the former, we show the reduction of the number of paths due to the heuristics in Table II and discuss these results further in Section VI-B. Regarding the latter, because we cannot quantify the optimal revenue due to the combinatorial explosion of the search space, we, unfortunately, see no avenue to quantify the reduction in revenue caused by the heuristics.
路径剪枝的效率可以从两个方面进行评估：(i) 被剪枝的路径数量；(ii) 启发式剪枝导致的收入减少。针对前者，我们在表 II 中显示了启发式方法减少的路径数量，并在第 VI-B 节中进一步讨论了这些结果。关于后者，由于搜索空间的组合爆炸，我们无法量化最优收益，因此我们无法量化启发式方法导致的收益减少。

C. DEFIPOSER-SMT Revenue Optimizer
C.DEFIPOSER-SMT 收入优化器

SMT solvers validate if any initialization of the free variables would satisfy the requirements defined. One requirement we specify is to increase the base cryptocurrency asset balance by a fixed amount. To find the maximum satisfiable revenue, we chose to use the following optimization algorithm (cf. Algorithm 3). At a high level, to identify a coarse upper and
SMT 求解器会验证自由变量的任何初始化是否满足所定义的要求。我们指定的一个要求是将基础加密货币资产余额增加一个固定数额。为了找到可满足的最大收益，我们选择使用以下优化算法（参见算法 3）。在高层次上，要确定一个粗略的上限和

Fig. 4: Directed weighted graph for the economic bZx attack on the Ethereum block 9, 462, 687. Shorting ETH for WBTC on bZx does not return assets to the trader

T

, and the action, therefore, does not point to any cryptocurrency assets. Graph 4 a has no arbitrage opportunity on the WBTC/ETH market

(0.0170 \times 44.1488 = 0.75 \leq 1)

. In Graph 4 b and 4 c , the weights change (ETH/WBTC price) after the trader increases the flow (in ETH) to the bZx market because bZx’s price depends on the Uniswap price. The graph is hence dynamic [15], i.e., the weights need to be updated after each action. The action encoding of DEFIPOSER-SMT models the bZx’s price dependence on Uniswap. Note that the bZx attack does not violate Heuristic 6, because action 1 does not return any asset nor forms a sub-path (cf. Figure 15).
图 4：针对以太坊区块 9，462，687 的经济 bZx 攻击的有向加权图。在 bZx 上用 ETH 做空 WBTC 并不会给交易者带来资产回报

T

，因此该操作不会指向任何加密货币资产。图 4 a 在 WBTC/ETH 市场上没有套利机会

(0.0170 \times 44.1488 = 0.75 \leq 1)

。在图 4 b 和 4 c 中，由于 bZx 的价格取决于 Uniswap 价格，因此在交易者增加流向 bZx 市场的（ETH）流量后，权重（ETH/WBTC 价格）会发生变化。因此，该图是动态的[15]，即每次行动后都需要更新权重。DEFIPOSER-SMT 的行动编码模拟了 bZx 对 Uniswap 价格的依赖性。请注意，bZx 攻击并不违反启发式 6，因为行动 1 不会返回任何资产，也不会形成子路径（参见图 15）。

Fig. 5: Example of branching and looping paths.
图 5：分支和循环路径示例。
lower revenue bound, this algorithm first attempts to solve, given multiples of 10 for the trader revenue. Given these bounds, we perform a binary search to find the optimal value.
对于收入下限，该算法首先尝试在交易者收入为 10 的倍数时求解。根据这些界限，我们进行二进制搜索，以找到最优值。

D. Comparing DEFIPOSER-SMT to DEFIPOSER-ARB
D.DEFIPOSER-SMT 与 DEFIPOSER-ARB 的比较

Table I summarizes our comparison between DEFIPOSERSMT and DEFIPOSER-ARB. While arbitrage opportunities appear plentiful, DEFIPOSER-ARB cannot capture non-cyclic transactions such as the bZx case. Because DEFIPoserSMT can encode any arbitrary strategy as an SMT problem, we argue that it is a more generic tool, as long as the underlying SMT solver can find a solution fast enough. We would like to stress again that both tools DEFIPOSERARB and DEFIPOSER-SMT do not provide optimal solutions. DEFIPOSER-ARB greedily searches for arbitrage and extracts revenue as each opportunity arises. To show that DEFIPOSERARB does not find optimal solutions, we provide the following example at block

9, 819, 643

. Here, DEFIPOSER-SMT finds two opportunities:
表 I 总结了我们对 DEFIPOSERSMT 和 DEFIPOSER-ARB 的比较。虽然套利机会似乎很多，但 DEFIPOSER-ARB 无法捕捉非周期性交易，如 bZx 案例。由于 DEFIPoserSMT 可以将任何任意策略编码为 SMT 问题，因此我们认为，只要底层 SMT 求解器能足够快地找到解决方案，它就是一个更通用的工具。我们想再次强调，DEFIPOSERARB 和 DEFIPOSER-SMT 这两个工具都不能提供最优解。DEFIPOSER-ARB 贪婪地寻找套利机会，并在每次机会出现时提取收益。为了说明 DEFIPOSERARB 没有找到最优解，我们在

9, 819, 643

区块提供了以下示例。在这里，DEFIPOSER-SMT 发现了两个机会：
Strategy

1 [E T H \overset{Bancor}{\to} B N T \overset{Bancor}{\to} M K R \overset{Uniswap}{\to}

E T H]

with 0.20 ETH of revenue.
策略

1 [E T H \overset{Bancor}{\to} B N T \overset{Bancor}{\to} M K R \overset{Uniswap}{\to}

E T H]

，收益为 0.20 ETH。

Strategy

2 [E T H \overset{Uniswap}{\to} B A T \overset{Bancor}{\to} B N T \overset{Bancor}{\to}

M K R \overset{Uniswap}{\to} E T H]

with 0.11 ETH of revenue. DEFIPOSER-SMT will only execute strategy 1. DEFIPOSERARB, however, finds and executes strategy 2 first to extract 0.11 ETH. After executing strategy 2 and updating the graph, strategy 1 is no longer profitable. Therefore, DEFIPOSERARB only extracts a revenue of 0.11 ETH in this block. Note that DEFIPOSER-SMT provides proof of satisfiable/unsatisfiable revenue targets for each considered path. However, DEFIPOSER-SMT remains a best-effort tool because the heuristics prune paths that may be profitable. Contrary to DEFIPOSER-ARB, DEFIPOSER-SMT does not merge paths.
策略

2 [E T H \overset{Uniswap}{\to} B A T \overset{Bancor}{\to} B N T \overset{Bancor}{\to}

M K R \overset{Uniswap}{\to} E T H]

，收益为 0.11 ETH。DEFIPOSER-SMT 只执行策略 1。然而，DEFIPOSERARB 会首先找到并执行策略 2，以提取 0.11 个 ETH。执行策略 2 并更新图之后，策略 1 不再有利可图。因此，DEFIPOSERARB 在这个区块中只提取了 0.11 ETH 的收益。请注意，DEFIPOSER-SMT 为每个考虑的路径提供了收入目标可满足/不可满足的证明。不过，DEFIPOSER-SMT 仍然是一个尽力而为的工具，因为启发式方法会剪除可能有利可图的路径。与 DEFIPOSER-ARB 相反，DEFIPOSER-SMT 不会合并路径。

E. Limitations E.限制条件

We elaborate on a few limitations of our work.
我们阐述了我们工作的一些局限性。
State dependency: In this study, we focus on block-level state dependencies (cf. Appendix G), i.e., we consider a state to only change when a new block is mined. In practice, a DeFi state can change several times within the same blockchain block (as several transactions can trade on a DeFi platform within a block). Our assumption hence may cause us to not consider potentially profitable trades. An alternative approach to study state dependency, which we leave to future work, is to perform a transaction-level analysis. Such an analysis would assume that the trader observes the peer-to-peer network layer of the Ethereum network. Based on the information of transactions in the memory pool (the pool of unconfirmed transactions), the transaction order and state changes in the next block could be estimated ahead of the block being mined.
状态依赖性：在本研究中，我们关注的是区块级的状态依赖性（参见附录 G），即我们认为只有在挖出新区块时状态才会发生变化。实际上，在同一个区块链区块内，DeFi 状态可能会发生多次变化（因为在一个区块内，DeFi 平台上可能会有多个交易）。因此，我们的假设可能会导致我们不考虑潜在的盈利交易。研究状态依赖性的另一种方法是进行交易层面的分析，这也是我们未来的工作方向。这种分析假设交易者观察以太坊网络的点对点网络层。根据内存池（未确认的交易池）中的交易信息，可以在区块被挖掘之前估计出下一个区块的交易顺序和状态变化。
Scalability: One problem of DEFIPOSER is the combinatorial path explosion. To mitigate this problem, heuristics reduce the path space, which only needs to be executed once. For every new block, DEFIPOSER can parallelize the parameter search process to find the most profitable paths. A limitation of negative cycle detection is that it has to search for negative cycles before starting to search parameters. The graph needs to be updated after executing every strategy. This is difficult to parallelize and limits the system’s real-time capability,
可扩展性：DEFIPOSER 的一个问题是组合路径爆炸。为缓解这一问题，启发式方法缩小了路径空间，只需执行一次。对于每一个新区块，DEFIPOSER 都能并行处理参数搜索过程，以找到最有利的路径。负循环检测的局限性在于，它必须在开始搜索参数之前搜索负循环。执行每个策略后都需要更新图。这很难实现并行化，并限制了系统的实时性、

	DEFIPOSER-ARB	DEFIPOSER-SMT
Path generation 路径生成	Bellman-Ford-Moore, Walk to the root; No acyclic paths 贝尔曼-福特-摩尔，走根式；无非循环路径	Pruning with heuristics; Any paths within the heuristics 用启发式方法剪枝；启发式方法内的任何路径
Path selection 路径选择	Combines multiple sub-paths 结合多个子路径	Selects the highest revenue path 选择最高收益路径
Manual DeFi modeling 手动 DeFi 建模	Not required 不需要	Required 需要
Captures non-cyclic strategies 捕捉非周期性战略	No 没有	Yes (e.g., bZx) 有（例如 bZx）
Optimally chosen parameters 最佳选择参数	No 没有	Yes (subject to inaccuracy of binary search) 是（取决于二进制搜索的不准确性）
Maximum Revenue 最高收入	81.31 ETH (32,524 USD) 81.31 eth（32,524 美元）	22.40 ETH (8,960 USD) 22.40 eth（8,960 美元）
Total Revenue (over 150 days) 总收入（150 天以上）	$4, 103.22$ ETH (1,641,288 USD) $4, 103.22$ 以太坊（1,641,288 美元）	$1, 552.32$ ETH (620,928 USD) $1, 552.32$ 以太坊（620,928 美元）
Lines of code (Python) 代码行数（Python）	300	2,300

TABLE I: High-level comparison between DEFIPOSER-ARB and DEFIPOSER-SMT.
表一：DEFIPOSER-ARB 和 DEFIPOSER-SMT 的高级比较。
especially when there are multiple negative cycles, or the cycle length is long.
尤其是当出现多个负循环或循环长度较长时。
Manual Modeling and Code Complexity: DEFIPOSERARB only needs to be aware of the spot price of each market and treats the underlying smart contracts and exchange protocols as a black box while greedily exploring opportunities. DEFIPOSER-SMT, however, requires the manual translation of the objective function into an SMT problem. This requires to encode the state transitions into a group of predicates (cf. Appendix C). The modeling process not only increases the code complexity (cf. Table I) but also causes inaccuracies in the found solutions and therefore requires a validation process through, e.g., concrete execution.
手动建模和代码复杂性：DEFIPOSERARB 只需了解每个市场的现货价格，并将底层智能合约和交换协议视为黑盒，同时贪婪地探索机会。然而，DEFIPOSER-SMT 需要手动将目标函数转换为 SMT 问题。这需要将状态转换编码为一组谓词（参见附录 C）。建模过程不仅会增加代码复杂度（参见表 I），还会导致找到的解决方案不准确，因此需要通过具体执行等方式进行验证。
Approximated Revenue: To avoid double-counting revenue when a profitable path exists over multiple blocks, we apply a state dependency analysis and only exploit paths with a state change (cf. Section G). However, DEFIPOSER’s reported revenue is not accurate because: (i) We work on historical blockchain states. In practice, the profitability of DEFIPOSER will be affected by the underlying blockchain’s network layer; (ii) For simplicity within this work, we assume that DEFIPOSER does not change other market participants’ behavior. In practice, other traders are likely to monitor our activity and adjust their trading strategy accordingly.
近似收益：为了避免在多个区块中存在盈利路径时重复计算收益，我们采用了状态依赖分析，只利用状态发生变化的路径（参见 G 节）。然而，DEFIPOSER 报告的收益并不准确，因为：(i) 我们根据历史区块链状态工作。在实践中，DEFIPOSER 的收益率会受到底层区块链网络层的影响；(ii) 为简化工作，我们假设 DEFIPOSER 不会改变其他市场参与者的行为。在实践中，其他交易者可能会监控我们的活动，并相应地调整他们的交易策略。
Multiple Traders: Within this work, we only consider a single trader using DEFIPOSER. Zhou et al. [61] simulated the outcome of competing transactions from several traders under a reactive counter-bidding strategy. We believe that those results translate over to MEV when multiple traders (specifically non-miners) compete over DEFIPOSER transactions. Zhou et al. [61]'s results suggest that the total revenue will be divided among the competing traders.
多个交易者：在本文中，我们只考虑了使用 DEFIPOSER 的单个交易者。Zhou 等人[61]模拟了多个交易者在反应式反竞价策略下竞争交易的结果。我们相信，当多个交易者（特别是非矿工）竞争 DEFIPOSER 交易时，这些结果会转化为 MEV。Zhou 等人[61]的研究结果表明，总收入将在相互竞争的交易者之间分配。

VI. EXPERIMENTAL EVALUATION
VI.实验评估

To query the Ethereum blockchain, we set up a full archive Geth

^{1}

node (i.e., a node which stores all intermediate blockchain state transitions) on a AMD Ryzen Threadripper 3990 X Processor (

4.3 GHz, 64

cores), 4x2 TB NVMe SSD RAID 0 and 256 GB RAM. We perform the concrete execution with a custom py-evm

^{2}

, which can fork the Ethereum blockchain at any given block height. To simplify our experimental complexity, we do not consider trades which yield
为了查询以太坊区块链，我们在 AMD Ryzen Threadripper 3990 X 处理器（

4.3 GHz, 64

内核）、4x2 TB NVMe SSD RAID 0 和 256 GB 内存上建立了一个完整归档的 Geth

^{1}

节点（即存储所有中间区块链状态转换的节点）。我们使用自定义 py-evm

^{2}

进行具体执行，它可以在任何给定的区块高度分叉以太坊区块链。为了简化实验的复杂性，我们不考虑产生以下结果的交易

below

0.10 ETH (40 USD)

and are aware that this potentially reduces the resulting financial gain.

0.10 ETH (40 USD)

，并意识到这可能会减少由此产生的财务收益。

We select 96 actions from the Uniswap, Bancor, and MakerDAO, with a total of 25 assets (cf. Table III and IV in Appendix). To enable action chaining, all considered assets trade on Uniswap and Bancor, while SAI and DAI are convertible on MakerDAO. The total value of assets on the three platforms sums up to 3.3 billion USD, which corresponds to

82 %

of the total USD value locked in DeFi as of May 2020.
我们从 Uniswap、Bancor 和 MakerDAO 中选择了 96 种行为，共涉及 25 种资产（参见附录中的表 III 和表 IV）。为了实现行为链，所有考虑的资产都在 Uniswap 和 Bancor 上交易，而 SAI 和 DAI 可在 MakerDAO 上转换。这三个平台上的资产总值达 33 亿美元，相当于 2020 年 5 月锁定在 DeFi 中的美元总值的

82 %

。

Both DEFIPOSER-ARB and DEFIPOSER-SMT apply dependency-based state reduction. Stationary blockchain states are identified and skipped to avoid redundant computation and double counting of revenue.
DEFIPOSER-ARB 和 DEFIPOSER-SMT 都采用了基于依赖性的状态缩减技术。静态区块链状态会被识别并跳过，以避免冗余计算和重复计算收入。

A. DEFIPOSER-ARB A.DEFIPOSER-ARB

We translate the 25 assets and 96 actions into a graph with 25 nodes and 94 edges. Each node in the graph represents a cryptocurrency asset. For each edge

e_{i, j}

pointing from asset

c_{i}

c_{j}

, we find all markets with asset

c_{i}

as input, and output asset

c_{j}

. Each edge’s weight is derived using the highest price found among all supporting markets, or 0 if there is no market. We then follow Algorithm 1 to greedily extract arbitrage revenue as soon as one negative cycle is found. We use the BFCF (Bellman-Ford-Moore, Walk to the root) algorithm to find negative cycles, which operates in

O (| N^{2} | \cdot | E |)

. For each arbitrage opportunity, DEFIPOSER-ARB gradually increases the input parameter (amount of base cryptocurrency asset) until the revenue ceases to increase.
我们将 25 种资产和 96 种行为转化为一个有 25 个节点和 94 条边的图。图中的每个节点代表一种加密货币资产。对于从资产

c_{i}

指向

c_{j}

的每条边

e_{i, j}

，我们都会找到以资产

c_{i}

作为输入的所有市场，并输出资产

c_{j}

。每条边的权重使用在所有支持市场中找到的最高价格，如果没有市场，则权重为 0。然后，一旦发现一个负循环，我们就按照算法 1 贪婪地提取套利收益。我们使用 BFCF（Bellman-Ford-Moore，Walk to the root）算法来寻找负循环，该算法在

O (| N^{2} | \cdot | E |)

中运行。对于每个套利机会，DEFIPOSER-ARB 都会逐渐增加输入参数（基础加密货币资产的数量），直到收入不再增加。

B. DEFIPOSER-SMT B.DEFIPOSER-SMT

We translate DeFi states into Z3 [21] as constraints on state symbolic variables (cf. Section III). We symbolically encode all variables using floats instead of integers because the EVM only supports integers. Most DeFi smart contracts express floats as integers by multiplying floats with a large factor. Division and power are, therefore, estimated using integer math. This practice may introduce a bias in our state and transition functions. Due to such model inaccuracies, we proceed to concrete execution (i.e., real-world smart contract execution on the EVM) to avoid false positives and validate our result.
我们将 DeFi 状态转化为 Z3 [21]，作为状态符号变量的约束条件（参见第三节）。我们使用浮点数而非整数对所有变量进行符号编码，因为 EVM 只支持整数。大多数 DeFi 智能合约通过将浮点数乘以一个大系数，将浮点数表示为整数。因此，除法和幂是使用整数数学来估算的。这种做法可能会给我们的状态和转换函数带来偏差。由于这种模型的不准确性，我们开始具体执行（即在 EVM 上执行真实世界的智能合约），以避免误报并验证我们的结果。

An exhaustive search over the total action space is infeasible. Therefore, we apply path pruning (cf. Section V-B) to discard irrelevant paths.
对整个行动空间进行穷举搜索是不可行的。因此，我们采用路径剪枝（参见第 V-B 节）来舍弃无关路径。
Path Discovery and Pruning: The 96 DeFi actions (cf. Table IV in Appendix) result in

9.92 \times 10^{149}

possible paths
路径发现和剪枝：96 个 DeFi 操作（参见附录中的表 IV）会产生

9.92 \times 10^{149}

条可能的路径

Path length 路径长度	Before 之前	After 之后
2	9,120	2
3	857,280	90
4	$79, 727, 040$	466
5	$7, 334, 887, 680$	42
Total 总计	$7, 415, 481, 120$	600

TABLE II: Results of path pruning after applying the heuristics from Section V-B. In total, 600 paths remain, with the majority

(77.67 %)

consisting of 4 actions. For each path length, the heuristics remove at least

99.98 %

of the strategies.
表二：应用第 V-B 节启发式方法后的路径剪枝结果。总共保留了 600 条路径，其中大部分

(77.67 %)

由 4 个行动组成。对于每种长度的路径，启发式方法都会删除至少

99.98 %

个策略。

Fig. 6: We consider each blockchain block as an independent state representation of the DeFi platform markets. Only if a DeFi market changes in state, we need to re-engage the SMT solver for the affected paths only.
图 6：我们将每个区块链区块视为 DeFi 平台市场的独立状态表示。只有当 DeFi 市场的状态发生变化时，我们才需要为受影响的路径重新启动 SMT 求解器。
without repeating actions, which is an impractical space to evaluate. Table II hence illustrates the impact of our heuristics on paths of various lengths. We observe a significant reduction of at least

99.98 %

per path length of the total number of considered paths, resulting in only 600 remaining paths. The majority of paths (

77.67 %

) consist of 4 actions, while the shortest paths count 2 actions, and the longest 5 actions. Although we do not enforce a constraint on the maximum number of actions, all paths with more than 5 actions failed to pass our heuristics.
而不重复操作，这是一个不切实际的评估空间。因此，表 II 说明了我们的启发式方法对不同长度路径的影响。我们观察到，在所考虑的路径总数中，每条路径的长度至少减少了

99.98 %

，因此只剩下 600 条路径。大多数路径（

77.67 %

）由 4 个操作组成，而最短路径包含 2 个操作，最长路径包含 5 个操作。虽然我们并没有对动作的最大数量进行限制，但所有超过 5 个动作的路径都未能通过我们的启发式计算。
Action Dependency: In the following, we present a concrete example of determining the dependency between two actions. The first action

a_{Uniswap}

transacts ETH to SAI using the Uniswap SAI market. The second action

a_{Bancor}

transacts BNT to SAI using the Bancor SAI contract. Equation 10 and Equation 11 show the relevant storage variables, respectively. These two actions are not independent, as they both modify the trader’s balance in the SAI contract.
行动依赖性下面，我们将举例说明如何确定两个操作之间的依赖关系。第一个操作

a_{Uniswap}

使用 Uniswap SAI 市场将 ETH 交易为 SAI。第二个操作

a_{Bancor}

使用 Bancor SAI 合约将 BNT 交易为 SAI。等式 10 和等式 11 分别显示了相关的存储变量。这两个操作并不是独立的，因为它们都会改变交易者在 SAI 合约中的余额。

\begin{aligned} K^{T} (a_{Uniswap}) = { & < UniswapSAI > . ETH \\ < SAI > . balance of UniswapSAI \\ < Trader > . ETH \\ < SAI > . balance of trader} \\ K^{T} (a_{Bancor}) = { & < BNT > .balance of BancorSAI \\ < SAI > .balance of BancorSAI \\ < BNT > .balance of trader \\ < SAI > . balance of trader} \end{aligned}

Dependency-based Blockchain State Reduction: If a DeFi state does not change across a number of blockchain blocks, the same SMT solver computation is not re-engaged (cf.
基于依赖性的区块链状态还原：如果 DeFi 状态在多个区块链区块之间没有变化，则不会重新启用相同的 SMT 求解器计算（参见《区块链技术》第 3.3 节）。

Figure 6). Algorithm 2 specifies the algorithm we apply to automate the dependency-based blockchain state reduction. Figure 15 in the Appendix shows a timeline analysis of the state dependencies for all considered assets. We observe that ETH experiences the most state changes with over 950,000 blocks (

36.76 %

), followed by DAI (

14.62 %

).
图 6）。算法 2 规定了我们用于自动进行基于依赖性的区块链状态还原的算法。附录中的图 15 显示了所有考虑资产的状态依赖性时间线分析。我们发现，ETH 的状态变化最多，超过 950,000 个区块（

36.76 %

），其次是 DAI（

14.62 %

）。

Algorithm 2: Block state dependency analysis.
    Input:
    \(p=\left(a_{1}, a_{2}, \ldots\right) \in P \leftarrow\) Path \(; b \leftarrow\) Block number
    Output: Has a state change
    foreach \(a \in p\) do
        foreach \(s \in \mathcal{K}^{\mathbb{T}}(a)\) do
            if \(\operatorname{fetch}(s, b) \neq \operatorname{fetch}(s, b-1)\) then
                    return True
                end
            end
    end
    return False
    Function \(\operatorname{fetch}(s, b)\) is
        return (Concrete value for storage variable address \(s\) on
            block b)
    end

C. DEFIPOSER-ARB and DEFIPoSER-SMT: Revenue
C.DEFIPOSER-ARB 和 DEFIPOSER-SMT：收入

We validate both DEFIPOSER designs on past blockchain data from block

9, 100, 000

to block

10, 050, 000

, over a total of 150 days. We visualize the distribution of traders’ revenue for DEFIPOSER-SMT in Figure 8. DEFIPOSERSMT found 13,317 strategies consisted of 2 to 5 actions. In total DEFIPOSER-SMT yields a total of

1, 552.32 ETH

(620,928 USD), and we observe that the most profitable strategies consist of 3 actions, where the highest revenue yielded amounts to 22.40 ETH ( 8,960 USD). Similarly, Figure 9 visualizes the distribution of traders’ revenue for DEFIPOSER-ARB. Recall that DEFIPOSER-ARB greedily combine multiple paths into a single strategy. We observe that the revenue increases as the number of paths increases, with the highest revenue amounting to 81.31 ETH (32,524 USD). In total, DEFIPOSER-ARB finds 2, 709 strategies and yields

4, 103.22

ETH (

1, 641, 288

USD).
我们在从区块

9, 100, 000

到区块

10, 050, 000

，共计 150 天的过去区块链数据上验证了这两种 DEFIPOSER 设计。我们在图 8 中展示了 DEFIPOSER-SMT 的交易者收入分布情况。DEFIPOSERSMT 发现有 13,317 个策略包含 2 到 5 个操作。DEFIPOSER-SMT 总共产生了

1, 552.32 ETH

（620,928 美元），我们观察到最赚钱的策略由 3 个操作组成，其中产生的最高收入为 22.40 ETH（8,960 美元）。同样，图 9 显示了 DEFIPOSER-ARB 的交易者收入分布情况。回顾一下，DEFIPOSER-ARB 贪婪地将多条路径组合成单一策略。我们发现，随着路径数量的增加，收益也在增加，最高收益达到 81.31 个以太坊（32524 美元）。DEFIPOSER-ARB 总共找到了 2 709 个策略，收益为

4, 103.22

以太坊（

1, 641, 288

美元）。
We visualize in Figure 7 the revenue generated by DEFIPOSER-SMT and DEFIPOSER-ARB as a function of the initial capital. If a trader owns the base asset (e.g., ETH), most strategies require less than 150 ETH . Only 10 strategies require more than 100 ETH for DEFIPOSER-SMT, and only 7 strategies require more than 150 ETH for DEFIPOSER-ARB. This capital requirement is reduced to less than 1.00 ETH (400 USD) when using flash loans (cf. Figure 7 (b, d)).
图 7 显示了 DEFIPOSER-SMT 和 DEFIPOSER-ARB 所产生的收益与初始资本的函数关系。如果交易者拥有基础资产（如 ETH），大多数策略所需的资金少于 150 ETH。只有 10 个策略的 DEFIPOSER-SMT 需要 100 个以太坊以上，只有 7 个策略的 DEFIPOSER-ARB 需要 150 个以太坊以上。在使用闪贷时，这一资本要求降至 1.00 ETH（400 美元）以下（参见图 7（b，d））。

Figure 10a shows how our concrete execution validation over 150 days yields consistent revenue for both tools. The concrete execution estimates a weekly revenue of 191.48 ETH (76,592 USD) for DEFIPOSER-ARB and 72.44 ETH ( 28,976 USD) for DEFIPOSER-SMT. For DEFIPOSER-SMT, our validation estimates a total revenue
图 10a 显示了我们在 150 天内的具体执行验证如何为两个工具带来一致的收入。具体执行估计，DEFIPOSER-ARB 的每周收入为 191.48 个以太坊（76,592 美元），DEFIPOSER-SMT 的每周收入为 72.44 个以太坊（28,976 美元）。对于 DEFIPOSER-SMT，我们的验证估计其总收入为

Fig. 7: Revenue as a function of the initial capital, in ETH with and without flash loans for DEFIPOSER-ARB (total of 2, 709 found strategies) and DEFIPOSER-SMT (total of 1,556 found strategies).
图 7：DEFIPOSER-ARB（共找到 2 709 个策略）和 DEFIPOSER-SMT（共找到 1 556 个策略）的收入与初始资本的函数，以 ETH 为单位，有无闪存贷款。

Fig. 8: Analytical distribution of the trader’s revenue. The majority of the most profitable strategies consist of 3 actions. Because DEFIPOSER-SMT requires manual modeling, the revenues discovered by

Z 3

are not accurate, and thus the number of discovered strategies (yellow) are less than the profitable strategies (blue). We use concrete execution to validate the strategies from Z .
图 8：交易者收益的分析分布。大多数最赚钱的策略由 3 个操作组成。由于 DEFIPOSER-SMT 需要手动建模，

Z 3

发现的收益并不准确，因此发现的策略（黄色）少于盈利策略（蓝色）。我们使用具体执行来验证来自 Z 的策略。
of

1, 552.32 ETH (620, 928

USD) out of

3, 577.14 ETH

(1, 430, 856

USD) (i.e.,

40 %

of the Z 3 indicated revenue is validated in practice).
b0>美元）中的

3, 577.14 ETH

(1, 430, 856

美元）（即 Z 3 所示收入中的

40 %

在实践中得到验证）。
Cost Analysis: The trader’s principal costs are the blockchain transaction fees (e.g., gas in Ethereum), which remain below the revenue yielded by the strategies we validated (cf. Figure 11). Note that a trading strategy may fail if the underlying market state changes before its execution. Therefore, we assume that the trader adopts the gas price of 32 GWei, which is highly volatile, but the recommended fast transaction gas price at the time of writing. Summarizing, the execution of all strategies costs less than 0.05 ETH , which warrants all strategies to be profitable.
成本分析：交易者的主要成本是区块链交易费（如以太坊的天然气），该成本仍低于我们验证的策略所产生的收益（参见图 11）。请注意，如果基础市场状态在交易策略执行前发生变化，交易策略可能会失败。因此，我们假设交易者采用 32 GWei 的天然气价格，该价格波动很大，但在撰写本文时是推荐的快速交易天然气价格。总之，所有策略的执行成本都低于 0.05 ETH，这保证了所有策略都有利可图。
Performance Analysis: Our tools must find trades within the average Ethereum block time of

13.5 \pm 0.12

seconds [9] to be applicable in real-time. Assuming a network propaga-
性能分析：我们的工具必须在以太坊平均区块时间

13.5 \pm 0.12

秒[9]内找到交易，这样才能实时应用。假定网络传播时间为

13.5 \pm 0.12

秒[9]。

Fig. 9: Distribution of the trader’s revenue using DEFIPOSERARB. We observe that the revenue increases as the number of paths increases. We also visualize the distribution of the most profitable sub-path (orange) for every strategy. Intuitively, the more paths DEFIPOSER-ARB try to combine, the higher the revenue.
图 9：使用 DEFIPOSERARB 的交易者收益分布。我们可以看到，随着路径数量的增加，收益也在增加。我们还可以看到每种策略中最有利可图的子路径（橙色）的分布情况。直观地说，DEFIPOSER-ARB 尝试组合的路径越多，收益就越高。
tion latency of roughly three seconds towards miners in the blockchain P2P network [22], our tools must generate transactions within at most 10.5 seconds. Figure 12 shows the detailed execution speed of DEFIPOSER-ARB and DEFIPOSERSMT on an AMD Ryzen Threadripper 3990 X Processor (

4.3 GHz, 64

cores) CPU. For new block states, we measure a total average computing time of 6.43 seconds and 5.39 seconds per block, respectively.
在区块链 P2P 网络[22]中，矿工的交易延迟大约为 3 秒，而我们的工具必须在最多 10.5 秒内生成交易。图 12 显示了 DEFIPOSER-ARB 和 DEFIPOSERSMT 在 AMD Ryzen Threadripper 3990 X 处理器（

4.3 GHz, 64

内核）CPU 上的详细执行速度。对于新块状态，我们测得每个块的总平均计算时间分别为 6.43 秒和 5.39 秒。

We further group the strategies detected by DEFIPOSERARB based on the number of negative cycles and compare the respective analysis time (cf. Figure 13). We find that DEFIPOSER-ARB exceeds our estimated time limit (13.5

3 = 10.5

seconds) when exploiting more than 6 cycles. The higher the total number of negative cycles, the more likely DEFIPOSER-ARB misses the most profitable opportunity.
我们进一步根据负循环的数量对 DEFIPOSERARB 检测到的策略进行分组，并比较各自的分析时间（参见图 13）。我们发现，当利用超过 6 个周期时，DEFIPOSER-ARB 超过了我们估计的时间限制（13.5

3 = 10.5

秒）。负循环总数越多，DEFIPOSER-ARB 就越有可能错过最有利可图的机会。

(a) Cumulative revenue over time ( 150 days), found by DEFIPOSER-SMT and DEFIPOSER-ARB, and validated via concrete execution.
(a) 由 DEFIPOSER-SMT 和 DEFIPOSER-ARB 发现并通过具体执行验证的 150 天累计收入。

Fig. 10: Revenue and transaction fees analysis over time, measured in blocks.
图 10：以区块为单位的收入和交易费用长期分析。

VII. Profitable Transactions and BlocKchain SECURITY
VII.盈利交易和 BlocKchain 安全性

In this section, we show that DEFIPOSER-SMT is capable of identifying the economic bZx attack from February 2020 [53] and provide forensic insights into the event. Given optimal adversarial strategies provided by an MDP, we then quantify whether an MEV opportunity will cause a rational miner to create a blockchain fork.
在本节中，我们将展示 DEFIPOSER-SMT 能够识别 2020 年 2 月的经济型 bZx 攻击[53]，并提供对该事件的取证见解。鉴于 MDP 提供的最优对抗策略，我们将量化 MEV 机会是否会导致理性矿工创建区块链分叉。

A. Economic bZx Attack A.经济型 bZx 攻击

On the 15th of February, 2020, a trader performed a pump and arbitrage attack on the margin trading platform

{bZx}^{3}

. The core of this trade was a pump and arbitrage involving four DeFi platforms atomically executed in one single transaction. As a previous study shows, this trade resulted in in

4, 337.62

ETH (

1, 735, 048

USD) loss from bZx loan providers, where the trader gained

1, 193.69

ETH (477,476 USD) in total [53].
2020 年 2 月 15 日，一名交易员在保证金交易平台

{bZx}^{3}

上进行了一次抽水套利攻击。这次交易的核心是抽水套利，涉及四个 DeFi 平台，在一次交易中以原子方式执行。正如之前的研究所示，这次交易导致 bZx 贷款提供者损失了

4, 337.62

ETH（

1, 735, 048

美元），而交易者总共获得了

1, 193.69

ETH（477,476 美元）[53]。
Attack Window: To gain deeper insights into this DeFi composability event, we extend DEFIPOSER-SMT with two additional actions: (i) borrow WBTC with ETH on compound finance; (ii) short ETH for WBTC on bZx. We replayed DEFIPOSER-SMT on historical blockchain data by starting at the creation of the bZx’s margin short smart contract (cf. Figure 16). Surprisingly, the bZx attack window lasted for 69 days until it was openly exploited. DEFIPOSER-SMT finds that the attack yielded the highest revenue of

2, 291.02 ETH

攻击窗口：为了深入了解 DeFi 可合成性事件，我们对 DEFIPOSER-SMT 进行了扩展，增加了两个操作：(i) 在复合金融上用 ETH 借入 WBTC；(ii) 在 bZx 上用 ETH 做空 WBTC。我们从创建 bZx 的保证金做空智能合约开始，在历史区块链数据上重放了 DEFIPOSER-SMT（参见图 16）。令人惊讶的是，bZx 的攻击窗口持续了 69 天，直到它被公开利用。DEFIPOSER-SMT 发现，该攻击产生的最高收入为

2, 291.02 ETH

。

(916,408 USD) at block

9, 482, 670

, which is about one day before the attack occurred.
(

9, 482, 670

区块（916 408 美元），这大约是攻击发生前一天。

B. MEV, an MDP and Optimal Adversarial Strategies
B.MEV、MDP 和最优对抗策略

The economic bZx attack revenue exceeds the average Ethereum block reward

^{4}

by a factor of

874 \times

. After bZx , the other most profitable validated strategies found by DEFIPOSER-ARB and DEFIPOSER-SMT exceed the block reward by a factor of

31 \times

and

8.5 \times

respectively. In this section, we quantify the value at which an MEV-aware miner would exploit an MEV opportunity by forking the blockchain.
bZx 攻击的经济收入比以太坊的平均区块奖励

^{4}

高出

874 \times

倍。在 bZx 之后，DEFIPOSER-ARB 和 DEFIPOSER-SMT 发现的其他最有利可图的验证策略的区块奖励分别超出

31 \times

和

8.5 \times

倍。在本节中，我们将量化 MEV 感知矿工通过分叉区块链利用 MEV 机会的价值。
Markov Decision Process: A Markov Decision Process is a single-player decision process that allows identifying the optimal strategies for an encoded decision problem. In this work, we adopt the state transition and reward matrix of the PoW double-spending MDP of Gervais et al. [31]. Note that the MDP we use does not consider uncle rewards.
马尔可夫决策过程马尔可夫决策过程是一种单人决策过程，可以为编码决策问题找出最优策略。在这项工作中，我们采用了 Gervais 等人[31]的 PoW 双花 MDP 的状态转换和奖励矩阵。需要注意的是，我们采用的 MDP 不考虑叔奖励。

We observe that conceptually, an MEV opportunity is equivalent to a double-spending opportunity: if an MEV opportunity is mined by an honest miner, and an adversarial miner aims to claim the MEV opportunity, the MEV miner will need to outrun the honest chain with a fork. The MEV miner will hence want to follow the optimal adversarial strategies given by the MDP, which advises whether to fork or not to fork the blockchain depending on the MEV value.
我们注意到，从概念上讲，MEV 机会等同于双重消费机会：如果诚实矿工挖出了 MEV 机会，而敌对矿工想要获得 MEV 机会，那么 MEV 矿工就需要分叉来超越诚实链。因此，MEV 挖矿者希望遵循 MDP 提供的最优对抗策略，MDP 会根据 MEV 值建议是否分叉区块链。
Threat Model: We assume a rational and computationally bounded adversary. Because MDP’s are single-player decision problems, we assume the existence of only one adversarial
威胁模型：我们假设有一个理性且计算能力有限的对手。由于 MDP 是单人决策问题，我们假设只存在一个对手

Fig. 11: Distribution of revenue and transaction cost based on concrete execution on the EVM for DEFIPOSER-SMT and DEFIPOSER-ARB. The revenue outpaces the transaction costs, which are higher for DEFIPOSER-ARB because the found strategies often consist of more cycles (arbitrage opportunities).
图 11：基于 DEFIPOSER-SMT 和 DEFIPOSER-ARB 的 EVM 具体执行的收入和交易成本分布。收入超过交易成本，DEFIPOSER-ARB 的交易成本更高，因为找到的策略通常包含更多的周期（套利机会）。

Fig. 12: Analysis time distribution to detect a profitable strategy on DEFIPoSER-SMT and DEFIPOSER-ARB. For most strategies the search and validation process remains below the average Ethereum block time of

13.5 \pm 0.12

seconds.
图 12：在 DEFIPoSER-SMT 和 DEFIPOSER-ARB 上检测盈利策略的分析时间分布。对于大多数策略来说，搜索和验证过程的时间都低于以太坊区块的平均时间

13.5 \pm 0.12

秒。
miner willing to exploit MEV. We parametrize the miner with a hash rate

α \in] 0, 0.5

[, while the remaining non-MEV miners have a hash rate of

1 - α

. We ignore the existence of eclipse attacks

(ω = 0)

and assume the weakest possible network propagation parameter of the adversary

(γ = 0)

. We parametrize the MDP with the stale block rate of the Ethereum blockchain at the time of writing. By crawling the number of uncle blocks (from the block 9.1 M to 10.5 M ), we approximate the stale block rate to

r_{s} = 5.72 %

. We set the mining costs to match the hash rate of the MEV miner

(c_{m} = α)

.
愿意利用 MEV 的矿工。我们假设该矿工的哈希率为

α \in] 0, 0.5

[，而其余非 MEV 矿工的哈希率为

1 - α

。我们忽略日蚀攻击

(ω = 0)

的存在，并假设对手的网络传播参数为最弱参数

(γ = 0)

。我们用撰写本文时以太坊区块链的陈旧区块率对 MDP 进行参数化。通过抓取叔叔区块的数量（从 9.1 M 到 10.5 M），我们将陈旧区块率近似为

r_{s} = 5.72 %

。我们将挖矿成本设置为与 MEV 矿工的哈希率

(c_{m} = α)

匹配。

Fig. 13: The analysis time of DEFIPOSER-ARB exceeds our estimated time limit (taking into consideration block time and transaction network propagation to miners), when DEFIPOSER-ARB exploits more than 6 cycles.
图 13：当 DEFIPOSER-ARB 利用超过 6 个周期时，DEFIPOSER-ARB 的分析时间超过了我们估计的时间限制（考虑到区块时间和交易网络传播到矿工的时间）。

Exploit or not exploit MEV? Each time an MEV opportunity arises on the network layer, we assume that the honest miner succeeds in mining the MEV opportunity, and the MEV miner fails to receive the reward initially. The MEV miner, therefore, needs to decide whether to start to mine on a private chain, where he claims the MEV opportunity. Note that the MDP’s exit state can only be reached when the MEV miner mined a private chain that is longer than the honest chain

(l_{a} > l_{h})

given

k = 1 (l_{a} > k)

. Depending on the MEV value, the optimal strategy

π

might advise against forking the chain to attempt to claim the MEV reward. We quantify the minimal MEV value

M E V_{v}

, such that

M E V_{v}

is strictly larger than the reward from honest mining (cf. Equation 13). We denote

h

is the process of mining honestly.
开发还是不开发 MEV？每次网络层出现 MEV 机会时，我们假设诚实矿工成功挖掘到 MEV 机会，而 MEV 矿工最初未能获得奖励。因此，MEV 矿工需要决定是否开始在私有链上挖矿，并在私有链上获得 MEV 机会。请注意，只有当 MEV 挖矿者挖出的私有链比给定

k = 1 (l_{a} > k)

的诚实链

(l_{a} > l_{h})

更长时，才能达到 MDP 的退出状态。根据 MEV 值的不同，最优策略

π

可能会建议不要分叉链来获取 MEV 奖励。我们量化最小 MEV 值

M E V_{v}

，使

M E V_{v}

严格大于诚实挖矿的奖励（参见公式 13）。我们表示

h

是诚实挖矿的过程。

P = (α, γ, r_{s}, k, ω, c_{m})

M E V_{v} = min {M E V_{v} ∣ \exists π \in A : R (π, P, M E V_{v}) > R (h, P)}

To solve the MEV MDP for the optimal strategies, we use the code of

[31]^{5}

and reparametrize given the current Ethereum stale block rate (

r_{s} = 5.72 %

). We further set

k = 1, γ = 0

ω = 0

and the cut-off value (the maximum length of

l_{a}

and

l_{h}

) to 20 blocks. Similar to [31], we apply a binary search to find the lowest value for

M E V_{v}

in units of block rewards, given a margin of error of 0.1 .
为了求解最优策略的 MEV MDP，我们使用

[31]^{5}

的代码，并根据当前的以太坊陈旧区块率 (

r_{s} = 5.72 %

) 进行重新参数化。我们进一步将

k = 1, γ = 0

、

ω = 0

和截止值（

l_{a}

和

l_{h}

的最大长度）设置为 20 个区块。与 [31] 类似，我们采用二进制搜索，在误差率为 0.1 的情况下，找到以块奖励为单位的

M E V_{v}

的最低值。
Results: We visualize our findings in Figure 14, which shows that for an MEV miner with

10 %

hash rate, on Ethereum (stale block rate of

5.72 %

M E V_{v}

equals to 4 . We conclude that in this case, if an MEV opportunity yields at least a reward that is 3 times higher than the block reward, then an MEV miner which follows the optimal strategies will fork the blockchain. A fork of the blockchain deteriorates the blockchain’s security as it increases the risks of doublespending and selfish mining [31].
结果我们在图 14 中直观地展示了我们的研究结果，图 14 显示，对于以太坊上哈希率为

10 %

的 MEV 矿工（陈旧区块率为

5.72 %

），

M E V_{v}

等于 4。我们的结论是，在这种情况下，如果 MEV 机会产生的奖励至少是区块奖励的 3 倍，那么遵循最优策略的 MEV 矿工将分叉区块链。区块链的分叉会恶化区块链的安全性，因为它会增加双重花费和自私挖矿的风险[31]。
Multiple MEV Miner: Our MDP model does not allow us to draw conclusions on the dynamics under multiple independent MEV miners. We hence can only speculate about the outcome
多个 MEV 矿工：我们的 MDP 模型无法让我们对多个独立 MEV 矿工的动态得出结论。因此，我们只能推测

Fig. 14: Minimum MEV value in terms of block rewards to fork a PoW blockchain, given by optimal adversarial strategies of the MDP. For instance, on Ethereum (

r_{s} = 5.72 %

), a miner with

10 %

hash rate will engage to fork the chain to exploit an MEV opportunity, if the adversary follows the optimal strategy and the MEV opportunity yields more than 4 block rewards.
图 14：MDP 的最佳对抗策略给出的分叉 PoW 区块链的区块奖励最小 MEV 值。例如，在以太坊（

r_{s} = 5.72 %

）上，如果对手遵循最优策略，且 MEV 机会产生的区块奖励超过 4 个，则散列率为

10 %

的矿工将参与分叉区块链，以利用 MEV 机会。
and leave a simulation to future work. We can imagine that multiple miners either collaborate to share an MEV profit (which falls back to our MDP game of one adversary), or the miners would compete among each other, which is likely to exacerbate the fork rate and hence further deteriorates the blockchain consensus security.
并将模拟留待未来工作。我们可以想象，多个矿工要么合作分享 MEV 利润（这又回到了一个对手的 MDP 博弈），要么矿工之间相互竞争，这很可能会加剧分叉率，从而进一步恶化区块链共识的安全性。

While the research literature of blockchain span over 10 years, DeFi is a relatively recent area with fewer works.
区块链的研究文献已有十多年的历史，而 DeFi 是一个相对较新的领域，相关著作较少。
DeFi: There is a growing body of literature focusing on the security of the DeFi ecosystem. Blockchain front-running in exchanges, games, gambling, mixer, the network layer, and name services is soundly studied [1], [12], [20], [25], [32], [42], [47], [61]. Daian et al. [20] demonstrate a thorough analysis of profiting from opportunities provided by transaction ordering. Xu et al. [60] presents a detailed study of a specific market manipulation scheme, pump-and-dump, and build a prediction model that estimates the pump likelihood of each coin. Gudgeon et al. [37] explore the possibility of a DeFi crisis due to the design weakness of DeFi protocols and present a stress testing framework. Qin et al. [53] investigate DeFi attacks through flash loans and how to optimize their profit. We remark that the optimization solution presented in [53] only applies to previously fixed attack vectors, while this work considers the composability of DeFi protocols.
DeFi：越来越多的文献关注 DeFi 生态系统的安全性。对交易所、游戏、赌博、混合器、网络层和名称服务中的区块链前置运行进行了深入研究[1]、[12]、[20]、[25]、[32]、[42]、[47]、[61]。Daian 等人[20]对从交易排序提供的机会中获利进行了深入分析。Xu 等人[60]详细研究了一种特定的市场操纵计划--抽水抛售，并建立了一个预测模型来估计每种硬币的抽水可能性。Gudgeon 等人[37] 探讨了由于 DeFi 协议的设计缺陷而导致 DeFi 危机的可能性，并提出了一个压力测试框架。Qin 等人[53]研究了通过闪贷进行的 DeFi 攻击以及如何优化其收益。我们注意到，[53] 中提出的优化方案仅适用于先前固定的攻击向量，而本研究考虑了 DeFi 协议的可组合性。
Smart Contract Analysis: Besides the above-mentioned works on DeFi, many studies on the vulnerability discovery of smart contracts are related to our work [10], [13], [16], [19], [36], [38], [39], [41], [43], [45], [48], [56], [57]. Traditional smart contract vulnerabilities examined in related work include, for instance, re-entrancy attack, unhandled exceptions, locked ether, overflow [48]. To the best of our knowledge, no
智能合约分析：除了上述有关 DeFi 的工作外，还有许多关于智能合约漏洞发现的研究与我们的工作相关[10]、[13]、[16]、[19]、[36]、[38]、[39]、[41]、[43]、[45]、[48]、[56]、[57]。相关工作中研究的传统智能合约漏洞包括重入攻击、未处理异常、锁定以太、溢出等 [48]。据我们所知，目前还没有
analysis tool has yet considered the problem of a composability analysis as we’ve performed.
分析工具还没有像我们这样考虑过可组合性分析的问题。
Model Checking: Model-checking is another viable method to verify the security of smart contracts. Model-checking examines all possible states in a brute-force manner [7] and performs systematic exhaustive exploration for checking whether a finite transition machine model of a system meets appropriate specifications [13], [16], [36], [43], [45], [48], [56], [57]. One of the main limitations of model-checking is the exponential growth of the number of possible states, resulting in unsolvability for complex contracts.
模型检查：模型检查是验证智能合约安全性的另一种可行方法。模型检查以暴力方式检查所有可能的状态[7]，并执行系统的穷举探索，以检查系统的有限过渡机模型是否符合适当的规范[13], [16], [36], [43], [45], [48], [56], [57]。模型检查的一个主要局限是可能状态的数量呈指数增长，导致复杂合约的不可解性。

IX. CONCLUSIONS IX.结论

This paper presents two practical approaches that automatically extract revenue from the intertwined mesh of decentralized finance protocols. The first technique, DEFIPOSER-ARB, is well-suited for arbitrage, and the second, DEFIPOSERSMT, can also find acyclic opportunities. When evaluated over a span of 150 days with 96 DeFi actions and 25 cryptocurrency assets, DEFIPOSER-ARB and DEFIPOSERSMT are estimated to generate an average weekly revenue of 191.48 ETH (76,592 USD) and 72.44 ETH (28,976 USD), with the highest transaction being 81.31 ETH ( 32,524 USD) and 22.40 ETH (

8, 960 USD

), respectively.
本文介绍了两种实用方法，可自动从分散式金融协议交织的网状结构中提取收益。第一种技术 DEFIPOSER-ARB 非常适合套利，第二种技术 DEFIPOSERSMT 也能找到非循环机会。在对跨度为 150 天的 96 次 DeFi 行动和 25 种加密货币资产进行评估时，DEFIPOSER-ARB 和 DEFIPOSERSMT 预计将分别产生 191.48 以太坊（76,592 美元）和 72.44 以太坊（28,976 美元）的周平均收入，最高交易额分别为 81.31 以太坊（32,524 美元）和 22.40 以太坊（

8, 960 USD

）。

Our techniques apply to a real-time operation on blockchains with reasonably fast inter-block times (such as Ethereum), with an average search of 6.43 seconds and 5.39 seconds per block for DEFIPOSER-ARB and DEFIPOSERSMT, respectively, using a relatively unoptimized implementation. We find that the capital requirements to extract the found revenues are minimal: the majority of strategies produced require less than 150.00 ETH (60,000 USD), without, and less than 1.00 ETH ( 400 USD) with flash loans.
我们的技术适用于具有相当快的区块间时间（如以太坊）的区块链上的实时操作，使用相对未优化的实现，DEFIPOSER-ARB 和 DEFIPOSERSMT 每个区块的平均搜索时间分别为 6.43 秒和 5.39 秒。我们发现，提取所发现的收益所需的资金极少：大多数策略在没有闪存贷款的情况下，所需的资金少于 150.00 ETH（6 万美元），而在有闪存贷款的情况下，所需的资金少于 1.00 ETH（400 美元）。

We quantitatively demonstrate some troubling security implications of profitable transactions on the blockchain consensus. Given optimal adversarial strategies provided by a Markov Decision Process, we quantify the threshold value at which an MEV-aware rational miner will fork the blockchain if the miner does not succeed in claiming an unconfirmed MEV opportunity first. For example, on the current Ethereum network, a

10 %

hash rate miner will fork the chain if an MEV opportunity exceeds 4 block rewards. As a comparison, the bZx opportunity exceeded the Ethereum block reward by a factor of

874 \times

! Our work hence quantifies the inherent tension between revenue extraction from profitable transactions and blockchain security. We can generally expect trading opportunities highlighted in this paper to expand as the DeFi ecosystem grows and becomes more popular.
我们从数量上证明了盈利交易对区块链共识的一些令人担忧的安全影响。给定马尔可夫决策过程提供的最优对抗策略，我们量化了一个具有 MEV 意识的理性矿工在没有首先成功获得未确认的 MEV 机会时会分叉区块链的阈值。例如，在当前的以太坊网络中，如果 MEV 机会超过 4 个区块奖励，

10 %

哈希率矿工就会分叉区块链。相比之下，bZx 的机会比以太坊的区块奖励高出

874 \times

倍！因此，我们的工作量化了从盈利交易中提取收入与区块链安全性之间的内在矛盾。我们可以普遍预期，随着 DeFi 生态系统的发展和普及，本文中强调的交易机会将不断扩大。

ACKNOWLEDGMENTS 致谢

We very much thank the anonymous reviewers and Nicolas Christin for the thorough reviews and helpful suggestions that significantly strengthened this paper. We are moreover grateful to the Lucerne University of Applied Sciences and Arts for generously supporting Kaihua Qin’s Ph.D.
我们非常感谢匿名审稿人和尼古拉斯-克里斯汀（Nicolas Christin）的详尽审阅和有益建议，这大大加强了本文的内容。此外，我们还要感谢卢塞恩应用科学与艺术大学慷慨资助秦凯华攻读博士学位。

REFERENCES 参考文献

[1] Consensys/0x-review: Security review of 0x smart contracts. https: //github.com/ConsenSys/0x-review.
[1] Consensys/0x-review：https: //github.com/ConsenSys/0x-review.
[2] How many stablecoins are there? - cementdao - medium. https://medi um.com/cementdao/how-many-stablecoins-are-there-aa39d201ac12.
[2] 有多少稳定币？- cementdao - medium.https://medi um.com/cementdao/how-many-stablecoins-are-there-aa39d201ac12.
[3] Bzx network, 2020. [3] Bzx 网络，2020 年。
[4] Aave. Aave Protocol. https://github.com/aave/aave-protocol, 2020.
[4] Aave。Aave Protocol.https://github.com/aave/aave-protocol, 2020.
[5] Akropolis. Akropolis Hack Update.
[5]阿克罗波利斯Akropolis 黑客更新。
[6] Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli. A survey of attacks on ethereum smart contracts (sok). In International conference on principles of security and trust, pages 164-186. Springer, 2017.
[6] Nicola Atzei、Massimo Bartoletti 和 Tiziana Cimoli.以太坊智能合约（SOK）攻击调查。安全与信任原则国际会议，第 164-186 页。Springer, 2017.
[7] Christel Baier and Joost-Pieter Katoen. Principles of model checking. MIT press, 2008.
[7] Christel Baier and Joost-Pieter Katoen.模型检查原理》。麻省理工学院出版社，2008 年。
[8] Richard Bellman. On a routing problem. Quarterly of applied mathematics, 16(1):87-90, 1958.
[8] 理查德-贝尔曼．论路由问题。应用数学季刊，16（1）：87-90，1958.
[9] Bitinfocharts. Ethereum block time.
[9] Bitinfocharts。以太坊区块时间。
[10] Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, and Abhik Roychoudhury. Directed greybox fuzzing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 2329-2344, 2017.
[10] Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, and Abhik Roychoudhury.定向灰盒模糊。In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 2329-2344, 2017.
[11] Joseph Bonneau, Andrew Miller, Jeremy Clark, Arvind Narayanan, Joshua A Kroll, and Edward W Felten. Sok: Research perspectives and challenges for bitcoin and cryptocurrencies. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 104-121. IEEE, 2015.
[11] Joseph Bonneau、Andrew Miller、Jeremy Clark、Arvind Narayanan、Joshua A Kroll 和 Edward W Felten。索克：比特币和加密货币的研究视角与挑战。In Security and Privacy (SP), 2015 IEEE Symposium on, pages 104-121.IEEE, 2015.
[12] Lorenz Breidenbach, Phil Daian, Florian Tramèr, and Ari Juels. Enter the hydra: Towards principled bug bounties and exploit-resistant smart contracts. In 27th {USENIX} Security Symposium ({USENIX} Security 18), pages 1335-1352, 2018.
[12] Lorenz Breidenbach, Phil Daian, Florian Tramèr, and Ari Juels.进入九头蛇：实现有原则的漏洞赏金和抗漏洞利用的智能合约。第 27 届{USENIX}安全研讨会（{USENIX} Security 18），第 1335-1352 页，2018 年。
[13] Lexi Brent, Anton Jurisevic, Michael Kong, Eric Liu, Francois Gauthier, Vincent Gramoli, Ralph Holz, and Bernhard Scholz. Vandal: A scalable security analysis framework for smart contracts. arXiv preprint arXiv:1809.03981, 2018.
[13] Lexi Brent、Anton Jurisevic、Michael Kong、Eric Liu、Francois Gauthier、Vincent Gramoli、Ralph Holz 和 Bernhard Scholz.Vandal：A scalable security analysis framework for smart contracts. arXiv preprint arXiv:1809.03981, 2018.
[14] Roberto Bruttomesso, Alessandro Cimatti, Anders Franzén, Alberto Griggio, and Roberto Sebastiani. The mathsat 4 smt solver. In International Conference on Computer Aided Verification, pages 299303. Springer, 2008.
[14] Roberto Bruttomesso、Alessandro Cimatti、Anders Franzén、Alberto Griggio 和 Roberto Sebastiani.mathsat 4 Smt 求解器。计算机辅助验证国际会议，第 299303 页。Springer, 2008.
[15] Nitin Chandrachoodan, Shuvra S Bhattacharyya, and KJ Ray Liu. Adaptive negative cycle detection in dynamic graphs. In ISCAS 2001. The 2001 IEEE International Symposium on Circuits and Systems (Cat. No. 01CH37196), volume 5, pages 163-166. IEEE, 2001.
[15] Nitin Chandrachoodan、Shuvra S Bhattacharyya 和 KJ Ray Liu。动态图中的自适应负循环检测。In ISCAS 2001.2001 IEEE 电路与系统国际研讨会》（目录号：01CH37196），第 5 卷，第 163-166 页。IEEE, 2001.
[16] Jialiang Chang, Bo Gao, Hao Xiao, Jun Sun, Yan Cai, and Zijiang Yang. scompile: Critical path identification and analysis for smart contracts. In International Conference on Formal Engineering Methods, pages 286304. Springer, 2019.
[16] Jialiang Chang, Bo Gao, Hao Xiao, Jun Sun, Yan Cai, and Zijiang Yang. Scompile：智能合约的关键路径识别与分析。形式化工程方法国际会议，第 286304 页。Springer, 2019.
[17] James Chen. Bid and ask definition, Sep 2020.
[17] James Chen.买卖定义，2020 年 9 月。
[18] Boris V Cherkassky and Andrew V Goldberg. Negative-cycle detection algorithms. Mathematical Programming, 85(2), 1999.
[18] Boris V Cherkassky 和 Andrew V Goldberg.负循环检测算法。数学程序设计》，85（2），1999 年。
[19] Crytic. Echidna: Ethereum fuzz testing framework, February 2020.
[19] Crytic.Echidna：以太坊模糊测试框架，2020 年 2 月。
[20] Philip Daian, Steven Goldfeder, Tyler Kell, Yunqi Li, Xueyuan Zhao, Iddo Bentov, Lorenz Breidenbach, and Ari Juels. Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges. arXiv preprint arXiv:1904.05234, 2019.
[20] Philip Daian、Steven Goldfeder、Tyler Kell、Yunqi Li、Xueyuan Zhao、Iddo Bentov、Lorenz Breidenbach 和 Ari Juels.闪电侠 2.0》：ArXiv preprint arXiv:1904.05234, 2019.
[21] Leonardo De Moura and Nikolaj Bjørner. Z3: An efficient smt solver. In International conference on Tools and Algorithms for the Construction and Analysis of Systems, pages 337-340. Springer, 2008.
[21] Leonardo De Moura 和 Nikolaj Bjørner.Z3: An efficient smt solver.系统构建与分析工具与算法国际会议，第 337-340 页。Springer, 2008.
[22] Christian Decker and Roger Wattenhofer. Information propagation in the bitcoin network. In Conference on Peer-to-Peer Computing, pages

1 - 10, 2013

.
[22] Christian Decker 和 Roger Wattenhofer.比特币网络中的信息传播。点对点计算会议，第

1 - 10, 2013

页。
[23] Value DeFi. MultiStables Vault Exploit Post-Mortem.
[23] Value DeFi.MultiStables Vault Exploit Post-Mortem.
[24] dYdX. dYdX. https://dydx.exchange/, 2020.
[24] dYdX.https://dydx.exchange/，2020.
[25] Shayan Eskandari, Seyedehmahsa Moosavi, and Jeremy Clark. Sok: Transparent dishonesty: front-running attacks on blockchain. 2019.
[25] Shayan Eskandari、Seyedehmahsa Moosavi 和 Jeremy Clark。Sok：透明的不诚实：对区块链的前置攻击。2019.
[26] Balancer Finance. Balancer Finance.
[26] Balancer Finance.Balancer Finance.
[27] Compound Finance. Compound finance, 2019.
[27] 复合金融。Compound finance, 2019.
[28] Harvest Finance. Harvest Flashloan Economic Attack Post-Mortem.
[28] 嘉实金融。嘉实闪贷经济攻击事件后记。
[29] Lester Randolph Ford Jr and Delbert Ray Fulkerson. Flows in networks. Princeton university press, 2015.
[29] Lester Randolph Ford Jr and Delbert Ray Fulkerson.网络中的流动》。普林斯顿大学出版社，2015 年。
[30] The Maker Foundation. Makerdao. https://makerdao.com/en/, 2019.
[30] 创客基金会。Makerdao.https://makerdao.com/en/, 2019.
[31] Arthur Gervais, Ghassan O Karame, Karl Wüst, Vasileios Glykantzis, Hubert Ritzdorf, and Srdjan Capkun. On the security and performance of proof of work blockchains. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 3-16. ACM, 2016.
[31] Arthur Gervais, Ghassan O Karame, Karl Wüst, Vasileios Glykantzis, Hubert Ritzdorf, and Srdjan Capkun.论工作证明区块链的安全性和性能。In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 3-16.ACM, 2016.
[32] Arthur Gervais, Hubert Ritzdorf, Ghassan O Karame, and Srdjan Capkun. Tampering with the delivery of blocks and transactions in bitcoin. In Conference on Computer and Communications Security, pages 692705. ACM, 2015.
[32] Arthur Gervais, Hubert Ritzdorf, Ghassan O Karame, and Srdjan Capkun.篡改比特币的区块交付和交易。计算机与通信安全会议，第 692705 页。ACM, 2015.
[33] Andrew Goldberg and Tomasz Radzik. A heuristic improvement of the bellman-ford algorithm. Technical report, STANFORD UNIV CA DEPT OF COMPUTER SCIENCE, 1993.
[33] Andrew Goldberg 和 Tomasz Radzik.贝尔曼-福特算法的启发式改进。技术报告，斯坦福大学计算机科学系，1993 年。
[34] Andrew V Goldberg. Scaling algorithms for the shortest paths problem. SIAM Journal on Computing, 24(3):494-504, 1995.
[34] Andrew V Goldberg.最短路径问题的扩展算法.SIAM Journal on Computing，24（3）：494-504，1995.
[35] Donald Goldfarb, Jianxiu Hao, and Sheng-Roan Kai. Shortest path algorithms using dynamic breadth-first search. Networks, 21(1):29-50, 1991.
[35] Donald Goldfarb, Jianxiu Hao, and Sheng-Roan Kai.使用动态广度优先搜索的最短路径算法。网络，21（1）：29-50，1991.
[36] Neville Grech, Michael Kong, Anton Jurisevic, Lexi Brent, Bernhard Scholz, and Yannis Smaragdakis. Madmax: Surviving out-of-gas conditions in ethereum smart contracts. Proceedings of the ACM on Programming Languages, 2(OOPSLA):1-27, 2018.
[36] Neville Grech、Michael Kong、Anton Jurisevic、Lexi Brent、Bernhard Scholz 和 Yannis Smaragdakis。Madmax：以太坊智能合约中的断气条件生存。ACM 编程语言论文集，2(OOPSLA)：1-27，2018.
[37] Lewis Gudgeon, Daniel Perez, Dominik Harz, Arthur Gervais, and Benjamin Livshits. The decentralized financial crisis: Attacking defi, 2020.
[37] Lewis Gudgeon、Daniel Perez、Dominik Harz、Arthur Gervais 和 Benjamin Livshits。去中心化的金融危机：攻击赤字，2020 年。
[38] Campbell R Harvey. Cryptofinance. 2016.
[38] Campbell R Harvey.Cryptofinance.2016.
[39] Jingxuan He, Mislav Balunović, Nodar Ambroladze, Petar Tsankov, and Martin Vechev. Learning to fuzz from symbolic execution with application to smart contracts. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, pages 531-548, New York, NY, USA, 2019. ACM.
[39] Jingxuan He, Mislav Balunović, Nodar Ambroladze, Petar Tsankov, and Martin Vechev.从符号执行中学习模糊，并应用于智能合约。In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, pages 531-548, New York, NY, USA, 2019.ACM.
[40] Eyal Hertzog, Guy Benartzi, and Galia Benartzi. Bancor protocol. 2017.
[40] Eyal Hertzog, Guy Benartzi, and Galia Benartzi.Bancor 协议。2017.
[41] Bo Jiang, Ye Liu, and WK Chan. Contractfuzzer: Fuzzing smart contracts for vulnerability detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pages 259-269. ACM, 2018.
[41] Bo Jiang, Ye Liu, and WK Chan.Contractfuzzer：模糊智能合约以检测漏洞。第 33 届 ACM/IEEE 自动化软件工程国际会议论文集》，第 259-269 页。ACM, 2018.
[42] Harry A Kalodner, Miles Carlsten, Paul Ellenbogen, Joseph Bonneau, and Arvind Narayanan. An empirical study of namecoin and lessons for decentralized namespace design. In WEIS. Citeseer, 2015.
[42] Harry A Kalodner、Miles Carlsten、Paul Ellenbogen、Joseph Bonneau 和 Arvind Narayanan.对 namecoin 的实证研究及去中心化命名空间设计的启示。In WEIS.Citeseer, 2015.
[43] Sukrit Kalra, Seep Goel, Mohan Dhawan, and Subodh Sharma. Zeus: Analyzing safety of smart contracts. In NDSS, 2018.
[43] Sukrit Kalra、Seep Goel、Mohan Dhawan 和 Subodh Sharma。Zeus：分析智能合约的安全性。In NDSS, 2018.
[44] Jeff L Kennington and Richard V Helgason. Algorithms for network programming. John Wiley & Sons, Inc., 1980.
[44] Jeff L Kennington 和 Richard V Helgason.网络编程算法》。John Wiley & Sons, Inc., 1980.
[45] Johannes Krupp and Christian Rossow. teether: Gnawing at ethereum to automatically exploit smart contracts. In 27th {USENIX} Security Symposium (

{

USENIX } Security 18), pages 1317-1333, 2018.
[45] Johannes Krupp 和 Christian Rossow：啃咬以太坊，自动利用智能合约。In 27th {USENIX} Security Symposium (

{

USENIX } Security 18), pages 1317-1333, 2018.
[46] Kyber. Kyber. https://kyber.network/, 2020.
[46] Kyber.Kyber。https://kyber.network/，2020.
[47] Duc V Le and Arthur Gervais. Amr: Autonomous coin mixer with privacy preserving reward distribution. arXiv preprint arXiv:2010.01056, 2020.
[47] Duc V Le 和 Arthur Gervais.ArXiv preprint arXiv:2010.01056, 2020.
[48] Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. Making smart contracts smarter. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pages

254 - 269, 2016

.
[48] Loi Luu、Duc-Hiep Chu、Hrishi Olickel、Prateek Saxena 和 Aquinas Hobor.让智能合约更智能。In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pages

254 - 269, 2016

.
[49] Makiko Mita, Kensuke Ito, Shohei Ohsawa, and Hideyuki Tanaka. What is stablecoin?: A survey on price stabilization mechanisms for decentralized payment systems. arXiv preprint arXiv:1906.06037, 2019.
[49] Makiko Mita, Kensuke Ito, Shohei Ohsawa, and Hideyuki Tanaka.什么是稳定币？A survey on price stabilization mechanisms for decentralized payment systems. ArXiv preprint arXiv:1906.06037, 2019.
[50] Amani Moin, Kevin Sekniqi, and Emin Gun Sirer. Sok: A classification framework for stablecoin designs. In Financial Cryptography, 2020.
[50] Amani Moin、Kevin Sekniqi 和 Emin Gun Sirer。Sok：稳定币设计分类框架。金融密码学》，2020 年。
[51] Edward F Moore. The shortest path through a maze. In Proc. Int. Symp. Switching Theory, 1959, pages 285-292, 1959.
[51] Edward F Moore.穿越迷宫的最短路径。In Proc.Symp.开关理论》，1959 年，第 285-292 页，1959 年。
[52] DeFi Pulse. The DeFi Leaderboard. https://defipulse.com/, 2019.
[52] DeFi 脉搏。DeFi 排行榜。https://defipulse.com/, 2019.
[53] Kaihua Qin, Liyi Zhou, Benjamin Livshits, and Arthur Gervais. Attacking the defi ecosystem with flash loans for fun and profit. Financial Cryptography and Data Security (FC), 2021.
[53] Kaihua Qin, Liyi Zhou, Benjamin Livshits, and Arthur Gervais.用闪贷攻击defi生态系统的乐趣和利润。金融密码学与数据安全（FC），2021 年。
[54] Matheus Souza, Mateus Borges, Marcelo d’Amorim, and Corina S Păsăreanu. Coral: solving complex constraints for symbolic pathfinder. In NASA Formal Methods Symposium, pages 359-374. Springer, 2011.
[54] Matheus Souza、Mateus Borges、Marcelo d'Amorim 和 Corina S Păsăreanu.珊瑚：解决符号探路者的复杂约束。In NASA Formal Methods Symposium, pages 359-374.Springer, 2011.
[55] theblockcrypto. DeFi protocol Origin gets attacked, loses 7 million USD.
[55] theblockcrypto.DeFi 协议 Origin 遭到攻击，损失 700 万美元。
[56] Sergei Tikhomirov, Ekaterina Voskresenskaya, Ivan Ivanitskiy, Ramil Takhaviev, Evgeny Marchenko, and Yaroslav Alexandrov. Smartcheck: Static analysis of ethereum smart contracts. In Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, pages 9-16, 2018.
[56] Sergei Tikhomirov、Ekaterina Voskresenskaya、Ivan Ivanitskiy、Ramil Takhaviev、Evgeny Marchenko 和 Yaroslav Alexandrov。Smartcheck：以太坊智能合约的静态分析。第一届区块链软件工程新趋势国际研讨会论文集》，第 9-16 页，2018 年。
[57] Petar Tsankov, Andrei Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian Buenzli, and Martin Vechev. Securify: Practical security analysis of smart contracts. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 67-82. ACM, 2018.
[57] Petar Tsankov、Andrei Dan、Dana Drachsler-Cohen、Arthur Gervais、Florian Buenzli 和 Martin Vechev.Securify：智能合约的实用安全分析。In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 67-82.ACM, 2018.
[58] Uniswap.io, 2018. accessed 12 November, 2019, https://docs.uniswap.i o/.
[58] Uniswap.io，2018. 2019年11月12日访问，https://docs.uniswap.i o/。

Token 代币

独特的持有人

Unique

holders

转账交易

Transfer

transactions

市场交易

Markets

trading

SAI

181,223

3, 139, 071

BNT

23,966

2, 620, 652

144

DAI

68,357

2, 155, 535

130

BAT

288,970

1, 970, 176

218

ENJ

52,341

902,471

SNT

82,663

868,007

101

KNC

65,018

820,501

MKR

20,891

733,845

DATA

444,833

588,097

MANA

38,276

565,151

ANT

22,321

217,657

RLC

12,880

209,255

RCN

19,831

203,893

UBT

10,410

191,153

GNO

10,695

170,507

RDN

13,842

143,308

TKN

5,485

84,912

TRST

7,738

71,223

AMN

2,593

53,010

FXC

2,024

47,906

SAN

2,247

36,054

AMPL

1,931

31,124

HEDG

1,709

30,770

POA20

560

26,390

TABLE III: Summary of the 24 ERC-20 cryptocurrency assets used in our experiments, ordered by the total number of transfer transactions.
表三：实验中使用的 24 种 ERC-20 加密货币资产汇总，按转账交易总数排序。
[59] Karl Wüst and Arthur Gervais. Do you need a Blockchain? In 2018 Crypto Valley Conference on Blockchain Technology (CVCBT), pages 45-54. IEEE, 2018.
[59] Karl Wüst 和 Arthur Gervais.你需要区块链吗？在2018年加密谷区块链技术大会（CVCBT）上，第45-54页。IEEE, 2018.
[60] Jiahua Xu and Benjamin Livshits. The anatomy of a cryptocurrency pump-and-dump scheme. In Proceedings of the Usenix Security Symposium, August 2019.
[60] Jiahua Xu 和 Benjamin Livshits.加密货币抽水式抛售计划剖析。Usenix安全研讨会论文集，2019年8月。
[61] Liyi Zhou, Kaihua Qin, Christof Ferreira Torres, Duc V Le, and Arthur Gervais. High-frequency trading on decentralized on-chain exchanges. IEEE Symposium on Security and Privacy, 2021.
[61] Liyi Zhou, Kaihua Qin, Christof Ferreira Torres, Duc V Le, and Arthur Gervais.去中心化链上交易所的高频交易。IEEE 安全与隐私研讨会，2021 年。

APPENDIX A 附录 A

SUMMARY OF THE ERC-20 CRYPTOCURRENCY ASSETS
erc-20 加密货币资产概要

We summarize the 24 ERC-20 cryptocurrency assets in Table III. We observe that for most of the assets, the number of holders and the number of markets increases with the number of transfer transactions.
我们在表 III 中总结了 24 种 ERC-20 加密货币资产。我们发现，对于大多数资产来说，持有者数量和市场数量都会随着转账交易数量的增加而增加。

APPENDIX B
SUPPORTED DEFi ACTIONS
附录 B 支持的行动

We summarize the 96 DeFi actions DEFIPOSER supports in Table IV. All considered cryptocurrency assets trade on both the Uniswap and Bancor exchanges. SAI and DAI, in addition, can be converted to each on MakerDAO.
我们在表 IV 中总结了 DEFIPOSER 支持的 96 种 DeFi 行动。所有考虑的加密货币资产都可以在 Uniswap 和 Bancor 交易所交易。此外，SAI 和 DAI 还可以在 MakerDAO 上进行兑换。

ApPendiX C
SMT ENCODING EXAMPLE
ApPendiX C smt 编码示例

To ease the understanding of the encoding process between the State Transition Model and the SMT problem, we consider in the following a simple strategy with only two actions, and a trader holding two cryptocurrency assets: a base cryptocurrency asset

c_{1}

, and another cryptocurrency asset

c_{2}

.
为了便于理解状态转换模型和 SMT 问题之间的编码过程，我们在下文中考虑一个只有两个操作的简单策略，以及一个持有两种加密货币资产的交易者：基础加密货币资产

c_{1}

和另一种加密货币资产

c_{2}

。

Uniswap 统一交换		ETH	RDN	BNT	GNO
From: 来自	To: 致	RDN	ETH	GNO	BNT
ETH	AMN	ETH	RLC	BNT	HEDG
AMN	ETH	RLC	ETH	HEDG	BNT
ETH	AMPL	ETH	SAI	BNT	KNC
AMPL	ETH	SAI	ETH	KNC	BNT
ETH	ANT	ETH	SAN	BNT	MANA
ANT	ETH	SAN	ETH	MANA	BNT
ETH	BAT	ETH	SNT	BNT	MKR
BAT	ETH	SNT	ETH	MKR	BNT
ETH	BNT	ETH	TKN	BNT	POA20
BNT	ETH	TKN	ETH	POA20	BNT
ETH	DAI	ETH	TRST	BNT	RCN
DAI	ETH	TRST	ETH	RCN	BNT
ETH	DATA	ETH	UBT	BNT	RDN
DATA	ETH	UBT	ETH	RDN	BNT
ETH	ENJ	Bancor		BNT	RLC
ENJ	ETH	From: 来自	To: 致	RLC	BNT
ETH	FXC	BNT	AMN	BNT	SAI
FXC	ETH	AMN	BNT	SAI	BNT
ETH	GNO	BNT	AMPL	BNT	SAN
GNO	ETH	AMPL	BNT	SAN	BNT
ETH	HEDG	BNT	ANT	BNT	SNT
HEDG	ETH	ANT	BNT	SNT	BNT
ETH	KNC	BNT	BAT	BNT	TKN
KNC	ETH	BAT	BNT	TKN	BNT
ETH	MANA	BNT	DATA	BNT	TRST
MANA	ETH	DATA	BNT	TRST	BNT
ETH	MKR	BNT	ENJ	BNT	UBT
MKR	ETH	ENJ	BNT	UBT	BNT
ETH	POA20	BNT	ETH	Mak 麦	DAO
POA20	ETH	ETH	BNT	From: 来自	To: 致
ETH	RCN	BNT	FXC	DAI	SAI
RCN	ETH	FXC	BNT	SAI	DAI

TABLE IV: List of the supported DeFi actions of DEFIPOSER.
表 IV：DEFIPOSER 支持的 DeFi 操作列表。

Action

a_{1}

: Converts

x_{1}

amount of

c_{1}

c_{2}

, using a constant product market (cf. Section II-A), with liquidity

L 1^{c_{1}}

for

c_{1}

and

L 1^{c_{2}}

for

c_{2}

(cf. Equation 14).
操作

a_{1}

：使用恒定产品市场（参见第 II-A 节），将

x_{1}

的

c_{1}

量转换为

c_{2}

，流动性

L 1^{c_{1}}

表示

c_{1}

，

L 1^{c_{2}}

表示

c_{2}

（参见公式 14）。

output amount of c_{2} = L 1^{c_{2}} - \frac{L 1^{c_{1}} L 1^{c_{2}}}{(L 1^{c_{1}} + x_{1})}

Action

a_{2}

: Converts

x_{2}

amount of

c_{2}

back to

c_{1}

, using another constant product market, with liquidity

L 2^{c_{1}}

and

L 2^{c_{2}}

. Based on Heuristic 5 (cf. Section V-B), action

a_{2}

must use another market, because otherwise the conversion becomes a reversing action of

a_{1}

, which would result in a zero-sum game with a loss on transaction fees.
操作

a_{2}

：使用另一个流动性为

L 2^{c_{1}}

和

L 2^{c_{2}}

的恒等产品市场，将

c_{2}

中的

x_{2}

量转换回

c_{1}

。根据启发式 5（参见第 V-B 节），行动

a_{2}

必须使用另一个市场，否则转换就会变成

a_{1}

的反向行动，从而导致零和博弈，损失交易费用。
Initial state encoding: Equation 15 encodes the state variables with concrete values, which are fetched from the considered blockchain state (e.g., the most recent block). This predicate can also be viewed as the assignment of an initial state.
初始状态编码：等式 15 用具体值对状态变量进行编码，这些具体值取自所考虑的区块链状态（如最近的区块）。这个谓词也可以看作是初始状态的赋值。

\begin{aligned} predicate & t_{1} (\cdot) := \\ B_{0}^{T} (c_{1}) = Trader's initial c_{1} balance \land \\ B_{0}^{T} (c_{2}) = Trader's initial c_{2} balance \land \\ L 1_{0}^{c_{1}} = Market 1 initial c_{1} balance \land \\ L 1_{0}^{c_{2}} = Market 1 initial c_{2} balance \land \\ L 2_{0}^{c_{1}} = Market 2 initial c_{1} balance \land \\ L 2_{0}^{c_{2}} = Market 2 initial c_{2} balance \end{aligned}

Action encoding: The following two predicates encode the
动作编码以下两个谓词对
two state transition actions. Equation 16 encodes

F (s_{0}, a_{1}, x_{1})

and Equation 17 encodes

F (F (s_{0}, a_{1}, x_{1}), a_{2}, x_{2})

. Simply speaking, predicate

t_{2}

transacts cryptocurrency asset

c_{1}

c_{2}

, and predicate

t_{3}

converts

c_{2}

back to

c_{1}

.
两个状态转换动作。等式 16 对

F (s_{0}, a_{1}, x_{1})

进行了编码，等式 17 对

F (F (s_{0}, a_{1}, x_{1}), a_{2}, x_{2})

进行了编码。简单地说，谓词

t_{2}

将加密货币资产

c_{1}

交易到

c_{2}

，谓词

t_{3}

将

c_{2}

转换回

c_{1}

。

\begin{aligned} predicate t_{2} (\cdot) := \\ 0 \leq x_{1} \leq B_{0}^{T} (c_{1}) \land \\ B_{1}^{T} (c_{1}) = B_{0}^{T} (c_{1}) - x_{1} \land \\ B_{1}^{T} (c_{2}) = B_{0}^{T} (c_{2}) + L 1_{0}^{c_{2}} - \frac{L 1_{0}^{c_{1}} L 1_{0}^{c_{2}}}{(L 1_{0}^{c_{1}} + x_{1})} \land \\ L 1_{1}^{c_{1}} = L 1_{0}^{c_{1}} + x_{1} \land \\ L 1_{1}^{c_{2}} = \frac{L 1_{0}^{c_{1}} L 1_{0}^{c_{2}}}{(L 1_{0}^{c_{1}} + x_{1})} \land \\ L 2_{1}^{c_{1}} = L 2_{0}^{c_{1}} \land \\ L 2_{1}^{c_{2}} = L 2_{0}^{c_{2}} \\ predicate t_{3} (\cdot) := \\ 0 \leq x_{2} \leq B_{1}^{T} (c_{2}) \land \\ B_{2}^{T} (c_{1}) = B_{1}^{T} (c_{1}) + L 2_{1}^{c_{1}} - \frac{L 2_{1}^{c_{1}} L 2_{1}^{c_{2}}}{(L 2_{1}^{c_{2}} + x_{2})} \land \\ B_{2}^{T} (c_{2}) = B_{1}^{T} (c_{2}) - x_{2} \land \\ L 1_{2}^{c_{1}} = L 1_{1}^{c_{1}} \land \\ L 1_{2}^{c_{2}} = L 1_{1}^{c_{2}} \land \\ L 2_{2}^{c_{1}} = \frac{L 2_{1}^{c_{1}} L 2_{1}^{c_{2}}}{(L 2_{1}^{c_{2}} + x_{2})} \land \\ L 2_{2}^{c_{2}} = L 2_{1}^{c_{2}} + x_{2} \end{aligned}

Objective encoding: 客观编码：

We use

Z

to denote the targeted adversarial revenue. Equation 18 encodes the objective constraints, ensuring that the adversarial cryptocurrency asset portfolio increases in value. Note that we rely on search algorithms (cf. Algorithm 2) to find the highest possible

Z

. The optimization process requires solving the same SMT problem with different concrete initialization of revenue targets

Z

(predicate

t_{4}

).
我们使用

Z

表示目标对抗收益。等式 18 对目标约束进行了编码，以确保对抗加密货币资产组合的价值增加。请注意，我们依靠搜索算法（参见算法 2）来找到可能的最高值

Z

。优化过程需要解决相同的 SMT 问题，但收入目标

Z

的具体初始化不同（谓词

t_{4}

）。

\begin{aligned} predicate t_{4} (\cdot) := \\ B_{0}^{T} (c_{1}) >= B_{2}^{T} (c_{1}) + Z \land \\ B_{0}^{T} (c_{2}) = B_{2}^{T} (c_{2}) \end{aligned}

Free variables and range: Our model only consists of two free variables

(x_{1}, x_{2})

for the simple two action paths. For a path of arbitrary length

n

, the corresponding SMT system consists of

n

free variables, which are the parameters of each action. As shown in predicate

t_{2}

(cf. Equation 16) and

t_{3}

(cf. Equation 17), the range of free variables are constraint by the amount of

T

's cryptocurrency assets.
自由变量和范围对于简单的两个动作路径，我们的模型只包含两个自由变量

(x_{1}, x_{2})

。对于任意长度的路径

n

，相应的 SMT 系统由

n

自由变量组成，它们是每个动作的参数。如谓词

t_{2}

（参见公式 16）和

t_{3}

（参见公式 17）所示，自由变量的范围受

T

的加密货币资产数额的限制。
SMT problem: By following the above procedures, the state transition model we presented in Section III is now encoded as an SMT problem, where we verify if any initialization of the free variables

(x_{1}, x_{2})

satisfies the requirement of

t_{1} (\cdot) \land

t_{2} (\cdot) \land t_{3} (\cdot) \land t_{4} (\cdot)

.
SMT 问题：按照上述步骤，我们在第 III 节中提出的状态转换模型现在被编码为一个 SMT 问题，在这个问题中，我们要验证自由变量

(x_{1}, x_{2})

的任何初始化是否满足

t_{1} (\cdot) \land

t_{2} (\cdot) \land t_{3} (\cdot) \land t_{4} (\cdot)

的要求。

SMT 必须解决的路径数量

Number of

paths SMT

must solve

区块数

Number of

blocks

区块百分比

Percentage of

blocks

0 - 23

0 %

204,901

21.57 %

609

0.06 %

12,201

1.28 %

57,265

6.03 %

50 - 100

35,771

3.77 %

> 100

3,897

0.41 %

total 总计

314,644

33.12 %

TABLE V: After we apply the dependency-based blockchain state reduction we show in this Table the number of paths the SMT solver must solve.

32.71 %

of the blockchain blocks between

9, 100, 000

and 10, 050, 000 have less than 100 “state changing” paths, allowing to reduce the SMT computation.
表五：应用基于依赖关系的区块链状态缩减后，我们在表中显示了 SMT 解算器必须解决的路径数量。在

9, 100, 000

到 10, 050, 000 之间的区块链区块中，

32.71 %

的 "状态变化 "路径少于 100 条，因此可以减少 SMT 的计算量。

Contract 合同	Count 计数	State change frequency 状态变化频率
Uniswap DAI 统一交换 DAI	28,464	$27.01 %$
Bancor ETH	16,466	$15.63 %$
Uniswap UBT 统一交换 UBT	13,623	$12.93 %$
Uniswap MKR	5,984	$5.68 %$
Uniswap SAI	5,195	$4.93 %$
Uniswap BAT 统一交换 BAT	5,090	$4.83 %$
Uniswap KNC 统一交换 KNC	4,141	$3.93 %$
Uniswap DATA 统一交换数据	3,546	$3.36 %$
Bancor DATA	2,309	$2.19 %$
Uniswap SNT	2,300	$2.18 %$
Uniswap ANT 统一交换 ANT	1,759	$1.67 %$
Bancor UBT	1,714	$1.63 %$
Bancor ENJ	1,602	$1.52 %$
Uniswap ENJ	1,337	$1.27 %$
Uniswap MANA	1,129	$1.07 %$
Uniswap RLC	1,073	$1.02 %$
Other 其他	9,650	$9.16 %$

TABLE VI: State pruning statistics, showing that the Uniswap DAI contract experiences the highest state change frequency (

27.01 %

of blocks).
表六：状态修剪统计，显示 Uniswap DAI 合约的状态变化频率最高（

27.01 %

个块）。

APPENDIX D
Z3 PATH PRUNING
附录 D z3 路径修剪

Table VI illustrates the state change frequency of the top 15 most frequently changed DeFi markets we consider in this work. The Uniswap DAI market is significantly more active than the other markets, with a state change frequency of

27.01 %

of the blocks, while the majority (

78.72 %

) of markets experience a frequency below

2 %

of the blockchain blocks. Note that every market is only involved in a subset of the 600 kept strategies after pruning. For example, only 48 out of the 600 strategies involve the Uniswap DAI market.
表六显示了我们在这项工作中考虑的前 15 个变化最频繁的 DeFi 市场的状态变化频率。Uniswap DAI 市场明显比其他市场活跃，其状态变化频率为

27.01 %

个区块，而大多数市场（

78.72 %

）的状态变化频率低于

2 %

个区块。请注意，每个市场都只参与了剪枝后保留的 600 个策略中的一个子集。例如，600 个策略中只有 48 个涉及 Uniswap DAI 市场。

Appendix E CONCRETE ENCODING EXAMPLE FOR Z3
附录 E Z3 混凝土配筋示例

In this section, we provide a running example to demonstrate the encoding process of DEFIPOSER-SMT. The example performs an arbitrage at block

9, 680, 000

, which first converts ETH to BNT on Bancor and then converts BNT back to ETH on Uniswap.
在本节中，我们将提供一个运行示例来演示 DEFIPOSER-SMT 的编码过程。该示例在

9, 680, 000

区块执行套利，首先在 Bancor 上将 ETH 转换为 BNT，然后在 Uniswap 上将 BNT 转换回 ETH。

A. Initial state encoding
A.初始状态编码

The initial state encoding consists of the predicates for both the trader

T

's initial balances, as well as the initial states of the underlying platforms.
初始状态编码由交易者

T

的初始余额和底层平台初始状态的谓词组成。

# Trader's initial state.
# We assume the trader holds 1000 ETH at the start.
SO_Attacker [BNT] == 0,
SO_Attacker[ETH] == 1000000000000000000000,
# Initial states of the underlying platforms.
SO_Uniswap[BNT]_eth == 135368255883939133529,
SO_Uniswap[BNT]_erc20 == 108143877658121296155075,
SO_Bancor[ETH]_erc20 == 10936591981278719837125,
SO_Bancor[ETH]_erc20_ratio == 500000,
SO_Bancor[ETH]_bnt == 8792249012668956788248921,
SO_Bancor[ETH]_bnt_ratio == 500000,
SO_Bancor[ETH]_fee == 1000,

B. Action encoding B.动作编码

We encode the two transition actions as predicates.

P 1

is the input parameter for action 1 (converts ETH to BNT on Bancor), and

P 2

is the input parameter for action 2 (converts BNT to ETH on Uniswap).
我们将两个过渡操作编码为谓词。

P 1

是动作 1（在 Bancor 上将 ETH 转换为 BNT）的输入参数，

P 2

是动作 2（在 Uniswap 上将 BNT 转换为 ETH）的输入参数。

# converts ETH to BNT on Bancor
P1 > 0,
S1_Bancor[ETH]_bnt > 0,
S1_Attacker[BNT] ==
    SO_Attacker[BNT] +
    (SO_Bancor[ETH]_bnt**
    (1 -
    (SO_Bancor[ETH]_erc20/(S0_Bancor[ETH]_erc20 + P1))**
    (SO_Bancor[ETH]_erc20_ratio/S0_Bancor[ETH]_bnt_ratio))*
    (1000000 - SO_Bancor[ETH]_fee)**2)/
    1000000000000,
S1_Attacker[ETH] == S0_Attacker[ETH] - P1,
S1_Uniswap[BNT]_eth == S0_Uniswap[BNT]_eth,
S1_Uniswap[BNT]_erc20 == S0_Uniswap[BNT]_erc20,
S1_Bancor[ETH]_bnt ==
    SO_Bancor[ETH]_bnt -
    (SO_Bancor[ETH]_bnt**
    (1 -
    (SO_Bancor[ETH]_erc20/(SO_Bancor[ETH]_erc20 + P1))**
    (SO_Bancor[ETH]_erc20_ratio/S0_Bancor[ETH]_bnt_ratio))*
    (1000000 - SO_Bancor[ETH]_fee)**2)/
    1000000000000,
S1_Bancor[ETH]_bnt_ratio == S0_Bancor[ETH]_bnt_ratio,
S1_Bancor[ETH]_erc20_ratio == S0_Bancor[ETH]_erc20_ratio,
S1_Bancor[ETH]_erc20 == S0_Bancor[ETH]_erc20 + P1,
S1_Bancor[ETH]_fee == S0_Bancor[ETH]_fee,
# converts BNT to ETH on Uniswap
S1_Attacker[BNT] >= P2,
P2 > 0,
S2_Attacker[BNT] == S1_Attacker[BNT] - P2,
S2_Attacker[ETH] ==
    S1_Attacker[ETH] +
    (997*P2*S1_Uniswap [BNT]_eth) /
    (S1_Uniswap[BNT]_erc20*1000 + 997*P2),
S2_Uniswap[BNT]_eth ==
    S1_Uniswap[BNT]_eth -
    (997*P2*S1_Uniswap[BNT]_eth)/
    (S1_Uniswap[BNT]_erc20*1000 + 997*P2),
S2_Uniswap[BNT]_erc20 == S1_Uniswap[BNT]_erc20 + P2,
S2_Bancor[ETH]_bnt == S1_Bancor[ETH]_bnt,
S2_Bancor[ETH]_bnt_ratio == S1_Bancor[ETH]_bnt_ratio,
S2_Bancor[ETH]_erc20_ratio == S1_Bancor[ETH]_erc20_ratio,
S2_Bancor[ETH]_erc20 == S1_Bancor[ETH]_erc20,
S2_Bancor[ETH]_fee == S1_Bancor[ETH]_fee,

C. Objective encoding C.客观编码

In this example, we check if it is possible for the trader

T

to realize 1 ETH of revenue following this path.
在这个示例中，我们将检查交易者

T

是否有可能通过这条路径实现 1 ETH 的收益。
# Objective encoding # 目标编码
S2_Attacker

[B N T] == 0

, S2_Attacker

[B N T] == 0

、
S2_Attacker [ETH] >= 1001000000000000000000

APPENDIX F
OPTIMIZER FOR THE SMT SOLVER
附录 F Smt 求解器的优化器

Algorithm 3 shows how the SMT solver can maximize a path’s revenue using binary search.
算法 3 展示了 SMT 求解器如何利用二进制搜索使路径收益最大化。

Algorithm 3: Maximize a path's revenue using SMT
solver and binary search.
    Input:
    \(p \leftarrow\) Path
    \(m \leftarrow\) Minimum revenue target
    Output: Optimized revenue \(r\)
    if \(\neg i s \operatorname{SAT}(p, m)\) then
        return 0
    else
        \(1 \leftarrow m\)
        \(\mathrm{u} \leftarrow m \times 10\)
    end
    while \(\operatorname{isSAT}(p, u)\) do
        \(1 \leftarrow \mathrm{u}\)
        \(\mathrm{u} \leftarrow \mathrm{u} \times 10\)
    end
    return \(\operatorname{binary\operatorname {Search}(p,l,u)}\)
    Function \(\operatorname{iSSAT}(p, r)\) : bool is
        return (Is the path \(p\) SAT for the revenue \(r\) )
    end
    Function binarySearch \((p, l, u):\) float is
        Binary search SAT solution on path \(p\), using the lower
        bound \(l\) and upper bound \(u\) on revenue
        return (Maximum SAT revenue)
    end

APPENDIX G
State Dependency
附录 G 国家依赖性

We visualize the state changes in Figure 15. This figure provides an intuition to a trader on how active a particular market is. An asset changes state if a market listing that asset changes state (i.e., a trader trades the asset). ETH experiences the most state changes with over 950,000 blocks (

36.76 %

). After ETH, we observe that DAI (

14.62 %

) experiences the most frequent state changes over the 950,000 blocks we crawled. POA20 has the lowest number of state changes

(0.08 %)

. For a trader who is not able to position its transactions first in a block, the market activity is relevant because a strategy executed on the POA20 asset has a higher likelihood to succeed than on an active DAI market.
我们可以在图 15 中直观地看到状态的变化。通过该图，交易者可以直观地了解特定市场的活跃程度。如果列出该资产的市场发生状态变化（即交易者交易该资产），该资产就会发生状态变化。ETH 的状态变化最多，超过 950,000 个区块（

36.76 %

）。在 ETH 之后，我们发现 DAI (

14.62 %

) 在我们抓取的 950,000 个区块中状态变化最频繁。POA20 的

(0.08 %)

状态变化次数最少。对于无法在区块中首先定位其交易的交易者来说，市场活动是相关的，因为在 POA20 资产上执行的策略比在活跃的 DAI 市场上执行的策略更有可能成功。

APPENDIX H
BZX
附录 H BZX

Figure 16 shows our attack window analysis of the bZx attack using DEFIPOSER-SMT.
图 16 显示了我们使用 DEFIPOSER-SMT 对 bZx 攻击进行的攻击窗口分析。

Fig. 15: Timeline analysis of the state changes, over 150 days ( 950,000 blocks), where every state change is represented with a colored tick.
图 15：150 天内（950,000 个区块）的状态变化时间轴分析，其中每个状态变化都用彩色刻度线表示。

Fig. 16: Attack window analysis of the bZx attack. DEFIPOSER-SMT finds the first attack opportunity at block

9, 069, 000

(December 8th 2019). The opportunity lasted for 69 days, until the opportunity was exploited in block 9, 484, 687 (February 15th 2020). We visualize the difference between the profits from Z3 and concrete validation, along with the success rate (using block bin sizes of 100) of a Z3 strategy passing concrete validation. Note that the bZx loan interest rate formula is conservatively simplified in the encoding process, which explains why the Z3 anticipated revenue is lower than the concrete execution yield.
图 16：bZx 攻击的攻击窗口分析。DEFIPOSER-SMT 在

9, 069, 000

块（2019 年 12 月 8 日）发现了第一次攻击机会。该机会持续了 69 天，直到第 9、484、687 号区块（2020 年 2 月 15 日）被利用。我们可以直观地看到 Z3 和具体验证的利润差异，以及通过具体验证的 Z3 策略的成功率（使用 100 个区块的 bin 大小）。请注意，bZx 贷款利率公式在编码过程中进行了保守简化，这也是 Z3 预期收益低于具体执行收益的原因。

$^{1}$ https://github.com/ethereum/go-ethereum
$^{2}$ https://github.com/ethereum/py-evm
$^{3}$ transaction id: 0xb5c8bd9430b6cc87a0e2fe110ece6bf527fa4f170a4bc8cd0 32 f 768 fc 5219838
$^{3}$ 交易 ID： 0xb5c8bd9430b6cc87a0e2fe110ece6bf527fa4f170a4bc8cd0 32 f 768 fc 5219838
$^{4}$ At the time of writing, the average Ethereum block reward is 2.62 ETH (https://bitinfocharts.com/ethereum/)
$^{4}$ 在撰写本文时，以太坊区块的平均奖励为 2.62 ETH (https://bitinfocharts.com/ethereum/)
$^{5}$ https://github.com/arthurgervais/pow_mdp

On the Just-In-Time Discovery of Profit-Generating Transactions in DeFi Protocols 论及时发现 DeFi 协议中的创利交易

Abstract 摘要

I. INTRODUCTION I.引言

Our contributions are as follows:我们的贡献如下

II. BACKGROUND II.背景情况

A. Decentralized Finance (DeFi)A.分散式融资（DeFi）

III. DEFi MODELING III.定义模型

A. System Model A.系统模型

B. Trader Model B.交易员模式

C. Notation C.符号

D. States D.国家

E. Transitions E.过渡

F. Objective F.目标

G. Base cryptocurrency assetG. 基础加密货币资产

H. DEFIPOSER Design ChoicesH.DEFIPOSER 设计选择

IV. Applying Negative Cycle Detection to DeFi ArbitrageIV.将负周期检测应用于 DeFi 套利

A. Negative Cycle Detection to Detect ArbitrageA.检测套利的负循环检测法

B. Negative Cycle Detection AlgorithmsB.负循环检测算法

V. DESIGN OF DEFIPOSER-SMTV.除颤器-SMT 的设计

A. Choosing an SMT Solver for DEFIPOSER-SMTA.为 DEFIPOSER-SMT 选择 SMT 仿真器

B. Path Pruning B.路径修剪

C. DEFIPOSER-SMT Revenue OptimizerC.DEFIPOSER-SMT 收入优化器

D. Comparing DEFIPOSER-SMT to DEFIPOSER-ARBD.DEFIPOSER-SMT 与 DEFIPOSER-ARB 的比较

E. Limitations E.限制条件

VI. EXPERIMENTAL EVALUATIONVI.实验评估

A. DEFIPOSER-ARB A.DEFIPOSER-ARB

B. DEFIPOSER-SMT B.DEFIPOSER-SMT

C. DEFIPOSER-ARB and DEFIPoSER-SMT: RevenueC.DEFIPOSER-ARB 和 DEFIPOSER-SMT：收入

VII. Profitable Transactions and BlocKchain SECURITYVII.盈利交易和 BlocKchain 安全性

A. Economic bZx Attack A.经济型 bZx 攻击

B. MEV, an MDP and Optimal Adversarial StrategiesB.MEV、MDP 和最优对抗策略

VIII. RELATED WORK VIII.相关工作

IX. CONCLUSIONS IX.结论

ACKNOWLEDGMENTS 致谢

REFERENCES 参考文献

APPENDIX A 附录 A

SUMMARY OF THE ERC-20 CRYPTOCURRENCY ASSETSerc-20 加密货币资产概要

APPENDIX B SUPPORTED DEFi ACTIONS附录 B 支持的行动

ApPendiX C SMT ENCODING EXAMPLEApPendiX C smt 编码示例

Objective encoding: 客观编码：

APPENDIX D Z3 PATH PRUNING附录 D z3 路径修剪

Appendix E CONCRETE ENCODING EXAMPLE FOR Z3附录 E Z3 混凝土配筋示例

A. Initial state encodingA.初始状态编码

B. Action encoding B.动作编码

C. Objective encoding C.客观编码

APPENDIX F OPTIMIZER FOR THE SMT SOLVER附录 F Smt 求解器的优化器

APPENDIX G State Dependency附录 G 国家依赖性

APPENDIX H BZX附录 H BZX

On the Just-In-Time Discovery of Profit-Generating Transactions in DeFi Protocols
论及时发现 DeFi 协议中的创利交易

Our contributions are as follows:
我们的贡献如下

A. Decentralized Finance (DeFi)
A.分散式融资（DeFi）

G. Base cryptocurrency asset
G. 基础加密货币资产

H. DEFIPOSER Design Choices
H.DEFIPOSER 设计选择

IV. Applying Negative Cycle Detection to DeFi Arbitrage
IV.将负周期检测应用于 DeFi 套利

A. Negative Cycle Detection to Detect Arbitrage
A.检测套利的负循环检测法

B. Negative Cycle Detection Algorithms
B.负循环检测算法

V. DESIGN OF DEFIPOSER-SMT
V.除颤器-SMT 的设计

A. Choosing an SMT Solver for DEFIPOSER-SMT
A.为 DEFIPOSER-SMT 选择 SMT 仿真器

C. DEFIPOSER-SMT Revenue Optimizer
C.DEFIPOSER-SMT 收入优化器

D. Comparing DEFIPOSER-SMT to DEFIPOSER-ARB
D.DEFIPOSER-SMT 与 DEFIPOSER-ARB 的比较

VI. EXPERIMENTAL EVALUATION
VI.实验评估

C. DEFIPOSER-ARB and DEFIPoSER-SMT: Revenue
C.DEFIPOSER-ARB 和 DEFIPOSER-SMT：收入

VII. Profitable Transactions and BlocKchain SECURITY
VII.盈利交易和 BlocKchain 安全性

B. MEV, an MDP and Optimal Adversarial Strategies
B.MEV、MDP 和最优对抗策略

SUMMARY OF THE ERC-20 CRYPTOCURRENCY ASSETS
erc-20 加密货币资产概要

APPENDIX B
SUPPORTED DEFi ACTIONS
附录 B 支持的行动

ApPendiX C
SMT ENCODING EXAMPLE
ApPendiX C smt 编码示例

APPENDIX D
Z3 PATH PRUNING
附录 D z3 路径修剪

Appendix E CONCRETE ENCODING EXAMPLE FOR Z3
附录 E Z3 混凝土配筋示例

A. Initial state encoding
A.初始状态编码

APPENDIX F
OPTIMIZER FOR THE SMT SOLVER
附录 F Smt 求解器的优化器

APPENDIX G
State Dependency
附录 G 国家依赖性

APPENDIX H
BZX
附录 H BZX