Financial Innovation and Technology Gurdip Kaur Arash Habibi Lashkari Iman Sharafaldin Ziba Habibi Lashkari Understanding Cybersecurity Management in Decentralized Finance Challenges, Strategies, and Trends Financial Innovation and Technology Thebookseries‘FinancialInnovationandTechnology’featuresscholarlyresearch onthelatestdevelopmentsintheworldoffinancesuchasAI,FinTechstartups,Big Data, Cryptocurrencies, Robo-Advisors, Machine Learning, and Blockchain appli- cations among others. The book series explores the main trends and technologies that will transform the finance industry in the years to come. The series presents essentialinsightsintothefinancialtechnologyrevolution,andthedisruption,inno- vation, and opportunity it entails. The books in this series will be of value to both academicsandthoseworkinginthefinanceindustry. (cid:129) (cid:129) Gurdip Kaur Arash Habibi Lashkari (cid:129) Iman Sharafaldin Ziba Habibi Lashkari Understanding Cybersecurity Management in Decentralized Finance Challenges, Strategies, and Trends GurdipKaur ArashHabibiLashkari SaintJohn,NB,Canada SchoolofInformationTechnology YorkUniversity Toronto,ON,Canada ImanSharafaldin ZibaHabibiLashkari ApplicationSecurity SchoolofComputerEngineering ForwardSecurityInc UniversidadPolitécnicadeMadrid Vancouver,BC,Canada Madrid,Spain ISSN2730-9681 ISSN2730-969X (electronic) FinancialInnovationandTechnology ISBN978-3-031-23339-5 ISBN978-3-031-23340-1 (eBook) https://doi.org/10.1007/978-3-031-23340-1 ©TheEditor(s)(ifapplicable)andTheAuthor(s),underexclusivelicensetoSpringerNatureSwitzerland AG2023 Thisworkissubjecttocopyright.AllrightsaresolelyandexclusivelylicensedbythePublisher,whether thewholeorpartofthematerialisconcerned,specificallytherightsoftranslation,reprinting,reuseof illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similarordissimilarmethodologynowknownorhereafterdeveloped. Theuseofgeneraldescriptivenames,registerednames,trademarks,servicemarks,etc.inthispublication doesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevant protectivelawsandregulationsandthereforefreeforgeneraluse. The publisher, the authors, and the editorsare safeto assume that the adviceand informationin this bookarebelievedtobetrueandaccurateatthedateofpublication.Neitherthepublishernortheauthorsor theeditorsgiveawarranty,expressedorimplied,withrespecttothematerialcontainedhereinorforany errorsoromissionsthatmayhavebeenmade.Thepublisherremainsneutralwithregardtojurisdictional claimsinpublishedmapsandinstitutionalaffiliations. ThisSpringerimprintispublishedbytheregisteredcompanySpringerNatureSwitzerlandAG Theregisteredcompanyaddressis:Gewerbestrasse11,6330Cham,Switzerland Preface This book is one piece of the Understanding Cybersecurity Series (UCS) research program, which will produce a varied collection of cybersecurity resources for researchersandreadersofallbackgrounds.Theteamreleasedthefirstonlinearticle seriesinthispiece,entitled“UnderstandingCanadianCybersecurityLaws,”in2020. Flowingfromthesuccessofthisfirstarticleseries,theteamwasrecognizedwitha Gold Medal for Best Blog Column in the Business Division at the 2020 Canadian OnlinePublishingAwards.Theresearchcontinued withthepublicationofthefirst book, “Understanding Cybersecurity Law and Digital Privacy: A Common Law Perspective,”publishedbySpringerNatureSwitzerlandAGin2021.Inparallel,the team released the second article series entitled “Understanding cybersecurity man- agement for FinTech (UCMF)” in 2021 and published the second related book entitled“UnderstandingCybersecurityManagementinFinTech:Challenges,Strat- egies, and Trends.” This book emphasizes the importance of cybersecurity for financial institutions by illustrating recent cyber breaches, attacks, and financial losses. Starting in 2022, the UCS team began the third online series, “Understanding Current Cybersecurity Challengesin Law,” which contains six parts andaddresses many of the emerging trends and larger legal issues pertaining to cybersecurity around the world, including the determination of digital jurisdictional authority, user-generated digital content ownership, and other topics. This series continues withthepublicationofthethirdbookentitled“UnderstandingCybersecurityLawin DataSovereigntyandDigitalGovernance:AnOverviewfromaLegalPerspective” which focuses on the nuanced and comprehensive understanding of current cyber- security challenges and the law to the greater community and increases public awarenessoftheseimportantissuesinourrapidlychangingdigitalworld.Inparallel, the team worked on this book which delves into understanding cyber threats and adversaries who can exploit those threats and advances with cybersecurity threats, vulnerability, and risk management in DeFi. The main objective of this book is to help readers understand the cyber threat landscape comprising different threat categories that can exploit different types of vulnerabilities identified in DeFi. It v vi Preface putsforwardprominentthreatmodeling strategiesbyfocusingonattackers, assets, andsoftware. SaintJohn,NB,Canada GurdipKaur Toronto,ON,Canada ArashHabibiLashkari Vancouver,BC,Canada ImanSharafaldin Madrid,Spain ZibaHabibiLashkari Introduction Decentralized Finance (DeFi) is an emerging financial technology based on secure distributed ledgers like those used by cryptocurrencies, including stablecoins, soft- ware, and hardware that enables the development of applications. It is the most significant and fastest-growing application of blockchain and smart contracts tech- nology, with the ability to revolutionize the financial sector by offering decentralized, blockchain-based alternatives to traditional financial services. How- ever, the large amount of value invested in DeFi smart contracts also makes them common targets of attack, and given the relative immaturity of the DeFi sector, vulnerabilitiesarecommonplace. This book presents an overview of the history of finance and the evolution of decentralizedfinancealongwithsmartcontracts’historyandfundamentalbuilding blocks. Since decentralized finance infrastructures are the worst affected by cyber- attacks,itisimperativetounderstandvarioussecurityissuesindifferentcomponents of DeFi infrastructures and propose measures to secure all components of DeFi infrastructures.Also,itbringsdetailedcybersecuritypoliciesandstrategiesthatcan be used to secure financial institutions and recommendations to secure DeFi infra- structuresfromcyber-attackssuchasDoubleSpendingAttack,FinneyAttack,Race Attack,BalanceAttack,Long-RangeAttack,DDoSattack,andothers. vii Acknowledgement AcknowledgementforallofthosefightingforWomen,Life,andFreedom. ix Contents 1 TheOriginofModernDecentralizedFinance. . . . . . . . . . . . . . . . . . 1 1.1 ABriefHistoryofFinance. . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 IntroductiontoFinTech. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 KeyProblemsofCentralizedFinancialSystem. . . . . . . . . . . . . . 6 1.4 IntroductiontoCrypto-BasedFinance. . . . . . . . . . . . . . . . . . . . 8 1.4.1 RootsofDeFi. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.4.2 ExamplesofDeFi. . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 1.4.3 AdvantagesofDeFiEcosystem. . . . . . . . . . . . . . . . . . . 11 1.5 Bitcoin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 1.5.1 CharacteristicsofBitcoinEcosystem. . . . . . . . . . . . . . . 14 1.5.2 HistoryofBitcoin. . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 1.6 SmartContract-BasedBlockchains.. . . . . . .. . . . . . .. . . . . . .. 15 1.7 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 2 IntroductiontoSmartContractsandDeFi. . . . . . . . . . . . . . . . . . . . 29 2.1 HistoryofSmartContracts. . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 2.2 FundamentalsofSmartContracts. . . . . . . . . . . . . . . . . . . . . . . . 31 2.2.1 CreatingFirstSmartContract. . . . . . . . . . . . . . . . . . . . 33 2.3 TheOperationProcessofSmartContracts. . . . . . . . . . . . . . . . . 37 2.3.1 TechnicalOperationalProcess. . . . . . . . . . . . . . . . . . . 42 2.4 HowCanWeUseSmartContracts. . . . . . . . . . . . . . . . . . . . . . 44 2.5 BenefitsandProblemsofSmartContracts. . . . . . . . . . . . . . . . . 46 2.6 IntroductiontoDeFi. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 2.6.1 DeFiCharacteristics. . . . . . . . . . . . . . . . . . . . . . . . . . . 49 2.6.2 DeFivsCeFi. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 2.7 DeFiApplications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 2.7.1 DeFiExchanges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 2.7.2 LendingPools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 2.7.3 Derivatives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 xi