Game Theoretic Cyber Deception in DeFi

1 Introduction

Decentralized Finance (DeFi) [32] is a financial paradigm built on blockchain technologies, which facilitates peer-to-peer transactions without centralized, institutional intermediary authority. DeFi services exist on most major blockchains that support smart contracts [31], and offer a wide range of services, including lending, borrowing, trading, and asset management. Due to the breadth and flexibility of financial services offered, DeFi platforms have grown in popularity with retail cryptocurrency investors, as well as with institutional investors who are exploring cryptocurrency-related business opportunities [21]. Irrespective of which blockchain a DeFi platform is located on, all DeFi protocols rely on smart contracts. Smart contracts are self-executing programs which automate transactions based on predefined rules. However, DeFi is a relatively new world which has been populated by early adopters whose priorities revolve around making timely and profitable transactions; it is to be expected that bad actors would be attracted to these platforms [41].

This article explores the use of game theoretic cyber deception [23] as a cybersecurity strategy for the DeFi ecosystem. Cyber deception refers to creating false information to mislead attackers, either wasting their time or manipulating their behavior; it is a promising approach to network security. Deception strategies have famously been deployed against adversaries in military operations throughout history, and these successes give hope that cyber deception strategies will prove effective in mitigating the risks posed by malicious actors in the DeFi space. Game theory [19] is a branch of mathematics which models and quantifies strategic decision making, focusing on maximizing rewards and minimizing losses.

The remainder of this article is organized as follows: Section 2 presents background information, including on the DeFi ecosystem, a terse introduction to game theory, and a brief survey of cyber deception. Section 3 discusses cyber deception in the DeFi space, and concluding remarks are given in Section 4.

2 Background

2.1 Decentralized Finance

Traditional financial [24] systems rely on gatekeeping and trusted, centralized authorities to oversee all aspects of transactions, valued on the order of trillions of dollars each day. DeFi [31], on the other hand, is designed for transactions which take place on blockchain networks which support smart contracts (e.g., Ethereum, Cardano, Algorand, etc.). DeFi platforms are designed to operate on trustless networks, and exhibit almost no gatekeeping. DeFi services process daily transactions valued at more than hundreds of billions of dollars, a substantial amount of money, but dwarfed by the traditional financial ecosystem.

Just as there are malicious actors within traditional finance, DeFi has attracted a criminal element who blend in with legitimate users [41]. Criminal actors [38] in the DeFi space may be attempting to launder ill-gotten crypto from elsewhere, but many bad actors are actively trying to steal funds from honest users. Examples of attackers attempting to steal funds from others on the DeFi platform may include:

  • Flash loans [7], where an attacker exploits the protocol by borrowing large, uncollateralized loans in order to manipulate asset values and drain liquidity pools;
  • Rug pulls [35] and honeypot traps [10], where an adversarial actor creates a fraudulent DeFi project which artificially inflates the value of native tokens, and then promptly abandons the project, leaving victims with worthless tokens (“Honeypot” is a term with multiple meanings, depending on the context. Within the DeFi security literature, a honeypot usually refers to a type of scam that is similar to a rug pull. Henceforth, we use the term exclusively to refer to a cyber deception technology.);
  • Vulnerable smart contract code exploitation [30], where bugs and errors are discovered within smart contract code, and an adversary uses these vulnerabilities to steal funds, manipulate the protocol, or otherwise disrupt the platform’s standard functions.

2.2 Game Theory

Game theory [19] is a branch of mathematics which formalizes and quantifies strategic decision making. It was developed by John Nash and others in the mid-twentieth century, and has heavily influenced many other fields, including computer science [28], economics [29], logic [5], and even the biological sciences [11]. Players in such a game seek an equilibrium [15], that is, a scenario where each player has chosen an optimal strategy and no player would benefit from changing their gameplay strategy.

Game theorists have developed many classes of games; however, we will cover three classes of games which are relevant to cyber deception.

  • Stackelberg games [4] involve a leader and a follower, with each player taking an action in sequence (i.e., the leader makes their move, then the follower responds, and so on);
  • Nash games [13] occur when players make their moves simultaneously, implying that each player is committed to their strategy without prior knowledge of their opponent’s move;
  • Signaling games [34] have a sender and a receiver, with the sender having access to information that the receiver does not. The sender may be benign or malicious, and the receiver’s goal is to determine whether the sender is benign or malicious. 

There are many real-world or logical games which can be mapped directly to these classifications. For instance, chess or checkers are plainly instances of Stackelberg games, while logic games like the prisoners’ dilemma [26] and knights and knaves [27] are instances of Nash games and signaling games, respectively.

2.3 Cyber Deception

One of the fundamental assumptions of communication is that of truthfulness [18]. Deceptions are instances where a sender intentionally passes a false message to a receiver, with the purpose of leading the receiver into a false belief state. Poker players will ‘bluff’ in order to intimidate an opponent into not playing a stronger hand [22]. In higher-stakes circumstances, the Allied Forces staged elaborate deceptions in order to lure the Nazi forces away from Omaha Beach [33], and to lure Axis forces away from Sicily [20].

Cyber deception strategies could be classified as active security (as opposed to traditional, passive security strategies) [6]. A cyber deception strategy seeks to manipulate what an adversary learns during the reconnaissance phase of an attack. Common deception methodologies include [23]:

  • Moving target defenses reconfigure network assets, including defensive tools, in order to hamstring what an adversary can learn during attack reconnaissance;
  • Mixing involves utilizing exchange systems in order to prevent an adversary from learning direct linkages between systems;
  • Perturbation defenses insert noise in order to limit the leakage of sensitive network information;
  • Honey-X defenses use technologies such as honeypots, honeynets, and honey patches which appear to the attacker as legitimate network assets, but include advanced monitoring capabilities that allow defenders to observe and learn information about the attacker;
  • Obfuscation wastes an attacker’s time by directing them to decoys, as opposed to legitimate network assets, or intermixing fraudulent information with legitimate files;
  • Attacker engagement defenses use active feedback to waste an attacker’s time and allow network administrators an opportunity to conduct defensive operations.

3 Game Theoretic Cyber Deception

Cyber deception strategies have not been deployed in the DeFi sector at any notable scale. In fact, searching through services like Google Scholar with search terms like “cyber deception, decentralized finance” turns up refereed research papers on common schemes that attackers may use to steal funds from legitimate users. Refining the search terms to “blockchain honeypot” returns a few articles describing honeypots used for blockchain security; however, the overwhelming majority of search results relate to scams targeting legitimate users. The use of cyber deception strategies as a tool to fight scammers and other criminals who target DeFi users will be fertile ground for research and development for the foreseeable future. We will therefore primarily discuss several possibilities for integrating cyber deception capabilities into DeFi security.

3.1 Honeypots

Honeypots [16] are relatively mature technologies, and “high interaction” honeypots could be used to create fake smart contracts and DeFi protocols which look attractive to an attacker. High interaction honeypots provide attackers with real, live systems to attack, as opposed to “low interaction” honeypots. High interaction honeypots have seen real-world deployment across a variety of sectors, including enterprise networks [17], the Internet of Things [9], and even more fragile networks such as those found in industrial control systems [8].

Hara, et al. [12] developed honeypots to mimic vulnerable nodes on the Ethereum blockchain in order to understand the behavior of malicious users on the network. They created vulnerable GETH nodes on an Ethereum Testnet with an open port that is used on both the Mainnet and Testnet. They were able to correlate certain network traffic with known malicious IP addresses. Moreover, the authors were able to trace some network traffic to IP addresses which communicate with dark web entities for attacks on the Ethereum blockchain. More recently, Uchibori, et al. [36] demonstrated a remote procedure call (RPC) honeypot, which associated itself with Ethereum wallets of variable values. This experimentation led the authors to develop new RPC responses to reduce the risk of cryptocurrency theft by the attacks that they observed.

As honeypot technology has matured and seen real world deployment, the science of honeypot detection has matured as well. Companies like Shodan [1] market capabilities to score the likelihood that an IP address belongs to a honeypot versus a legitimate network asset. This has led to a great deal of research in making it more difficult to discern between the two, whether that involves making a honeypot look more like a legitimate asset or making a legitimate asset look more like a honeypot [3, 2].

For a game theoretic analysis of honeypots in this scenario, consider a simplified two-player game where the defender deploys a honeypot (H) alongside a legitimate asset (NH), and the attacker chooses whether to attack the legitimate asset (LA), the honeypot (HA) (not knowing that it is a honeypot), or not attack either. These interactions can be modeled with a payoff matrix (Figure 1) where DL represents the defender’s loss if a legitimate asset is attacked, AG represents the attacker’s gain by attacking a legitimate asset, DG represents the defender’s gain by learning information about the attacker through the honeypot, info denotes a loss for the attacker due to wasted time attacking the honeypot, and DN represents a loss value for both parties if no attack occurs.

Figure 1: A profit matrix for honeypot deployment.
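The following is an added worked example, not part of the original article: it carries the honeypot game through for an attacker who cannot tell decoys from real assets. The payoff layout (Figure 1 is not reproduced here), the probability p that a chosen target is a honeypot, and all numeric values are assumptions constructed for illustration.

```python
from fractions import Fraction
from math import floor

# Constructed payoff values (illustrative only), named after the article's symbols.
AG = Fraction(10)    # attacker's gain from attacking a legitimate asset
INFO = Fraction(4)   # attacker's loss (wasted time) from attacking a honeypot
DL = Fraction(20)    # defender's loss when a legitimate asset is attacked
DG = Fraction(3)     # defender's gain (intelligence) when a honeypot is attacked
DN = Fraction(1)     # loss to both players when no attack occurs


def attacker_payoff(p, attack):
    """Expected attacker payoff; p = probability the chosen target is a honeypot."""
    return (1 - p) * AG - p * INFO if attack else -DN


def defender_payoff(p, attack):
    """Expected defender payoff under the same assumed layout."""
    return p * DG - (1 - p) * DL if attack else -DN


def best_response(p):
    """Assumption: the attacker attacks unless abstaining is strictly better."""
    if attacker_payoff(p, True) >= attacker_payoff(p, False):
        return "attack"
    return "no_attack"


def deterrence_threshold(ag=AG, info=INFO, dn=DN):
    """Honeypot fraction p* above which abstaining beats attacking.

    Solves (1 - p) * ag - p * info = -dn for p. Returns None when p* >= 1,
    i.e. when wasted time costs the attacker no more than not attacking at
    all, so no number of decoys can deter.
    """
    p_star = (ag + dn) / (ag + info)
    return p_star if p_star < 1 else None


def decoys_needed(n_legit, ag=AG, info=INFO, dn=DN):
    """Smallest honeypot count h with h / (h + n_legit) strictly above p*."""
    p_star = deterrence_threshold(ag, info, dn)
    if p_star is None:
        return None
    return floor(n_legit * p_star / (1 - p_star)) + 1


if __name__ == "__main__":
    print("deterrence threshold p* =", deterrence_threshold())
    for h in (0, 6, 11, 12):
        p = Fraction(h, h + 3)  # 3 legitimate assets, h indistinguishable decoys
        print(h, "decoys ->", best_response(p),
              "| defender payoff if attacked:", float(defender_payoff(p, True)))
    print("decoys needed for 3 legitimate assets:", decoys_needed(3))
```

With these constructed values the attacker is only deterred once decoys make up more than 11/14 of the visible targets, and deterrence becomes impossible whenever info is no larger than DN.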

3.2 Misinformation

Defenders can use strategic misinformation campaigns [42] (for instance, spreading fraudulent information in dark web forums where malicious actors are known to congregate) which will lead attackers into false belief states about the DeFi protocol. This might lead an attacker to deploy an ineffective attack, or even discourage them from attacking altogether.

This game can be modeled with a payoff matrix where the defender chooses to spread misinformation (M) or not (NM), and the attacker decides whether to attack a vulnerable protocol (V) or a non-vulnerable protocol. DM denotes the defender’s cost of deploying misinformation, and cost refers to the attacker’s wasted time and resources after being led to attack a non-vulnerable protocol by the misinformation campaign. DV denotes the defender’s loss if the attacker targets a vulnerable protocol, and AG represents the attacker’s gain from attacking the vulnerable protocol. As above, DN denotes a loss value for both parties if there is no attack. Game theoretic analysis will inform defenders as to the effectiveness of misinformation campaigns based on the cost of the campaign and its potential for deterring attacks.

Figure 2: A profit matrix for deployment of a misinformation campaign.

3.3 Obfuscation

Blockchains and distributed ledger technology are renowned for the transparency and immutability of transaction records, so it is an open question whether obfuscation is a legitimate strategy for defending against bad actors on DeFi platforms. For instance, could a defender insert misleading or fake transaction data into a blockchain network in order to obscure legitimate activity within a DeFi exchange? Such a strategy would make it more difficult for attackers to manipulate markets or find and exploit vulnerable protocols. However, the deployment of obfuscation strategies on a blockchain runs the risk of reducing trust in the DeFi platform among legitimate traders, and so this approach might end up being counterproductive.

3.4 Attacker Engagement

Recent advances in artificial intelligence, in particular the explosion of chatbots thanks to large language models (LLMs) [39], present defenders with new opportunities for attacker engagement. LLM-based chatbots are trained to generate realistic and truthful-looking outputs; however, these technologies do not have any actual concern with ground truth [14]. Often called “hallucinations,” these realistic-looking generations have led to embarrassing episodes. Several lawyers have been sanctioned for using LLMs to write legal briefs that included erroneous case law (for example, [37]). In another incident, an article from a refereed journal was lampooned and retracted when it became apparent that the authors used an LLM chatbot to write a convincing introductory section of their article [40].

There is a growing body of research on how well LLM-based chatbots can mimic network assets to waste an attacker’s time. For instance, Ragsdale and Boppana [25] propose a GPT-based honeypot which can more realistically mimic a legitimate network asset to engage with an attacker over a longer period, without increasing risk to the overall network. They conducted experiments to compare their GPT honeypot against another, established honeypot that is available on the market. While their GPT honeypot was generally superior to the commercially available honeypot, they did note several limitations which require more research and development before LLM-based honeypots are ready for large-scale deployment. These limitations include response timing, as well as non-deterministic and unverifiable response outputs (i.e., hallucinations) which could lead an attacker to believe that they are not interacting with a legitimate asset.

4 Conclusion

Decentralized ledger technologies such as blockchain networks and smart contract platforms are revolutionizing business operations across multiple sectors, bringing in new financial paradigms like DeFi. These new financial systems, built on smart contracts and mostly open, trustless networks, are opening up an ecosystem for financial transactions to users who were previously shut out from many traditional financial systems. However, DeFi and blockchain networks have also attracted bad actors who seek financial benefits by stealing assets from legitimate, but often unsophisticated, users. Despite the presence of these malicious users, DeFi platforms are booming, even attracting users from traditional financial institutions. However, developers must create robust defenses against bad actors to reduce the risks of cryptocurrency theft, as these thefts reduce trust in individual platforms, as well as the broader DeFi ecosystem.

In this article, we introduced the reader to game theoretic cyber deception, an active cybersecurity strategy which seeks to protect legitimate network assets and users by creating fake information that wastes an attacker’s time. We gave the reader a high-level summary of cyber deception technologies, and explored the use of deception technologies in DeFi. This discussion included instances where deception tools have been deployed within real-world blockchain networks, as well as several more speculative scenarios. This article demonstrates the potential that cyber deception technologies have to reduce risk within the DeFi ecosystem. However, the paucity of literature makes it clear that a great deal of research and development remains to be done on the capabilities, limitations, and risks of deploying cyber deception strategies within DeFi.

References

[1] Honeypot or not? https://honeyscore.shodan.io/.

[2] Bilinski, M., DiVita, J., Ferguson-Walter, K., Fugate, S., Gabrys, R., Mauger, J., and Souza, B. Lie another day: demonstrating bias in a multi-round cyber deception game of questionable veracity. In International Conference on Decision and Game Theory for Security (2020), Springer, pp. 80–100.

[3] Bilinski, M., Ferguson-Walter, K., Fugate, S., Gabrys, R., Mauger, J., and Souza, B. You only lie twice: A multi-round cyber deception game of questionable veracity. In International Conference on Decision and Game Theory for Security (2019), Springer, pp. 65–84.

[4] Bruckner, M., and Scheffer, T. Stackelberg games for adversarial prediction problems. In Proceedings of the 17th ACM SIGKDD international conference on Knowledge discovery and data mining (2011), pp. 547–555.

[5] Bruin, B. d. Game theory in philosophy. Topoi 24, 2 (2005), 197–208.

[6] Bushby, A. How deception can change cyber security defences. Computer Fraud & Security 2019, 1 (2019), 12–14.

[7] Cao, Y., Zou, C., and Cheng, X. Flashot: a snapshot of flash loan attack on defi ecosystem. arXiv preprint arXiv:2102.00626 (2021).

[8] Cifranic, N., Hallman, R. A., Romero-Mariona, J., Souza, B., Calton, T., and Coca, G. Decepti-scada: A cyber deception framework for active defense of networked critical infrastructures. Internet of Things 12 (2020), 100320.

[9] Franco, J., Aris, A., Canberk, B., and Uluagac, A. S. A survey of honeypots and honeynets for internet of things, industrial internet of things, and cyber-physical systems. IEEE Communications Surveys & Tutorials 23, 4 (2021), 2351–2383.

[10] Gan, R., Wang, L., and Lin, X. Why trick me: The honeypot traps on decentralized exchanges. In Proceedings of the 2023 Workshop on Decentralized Finance and Security (2023), pp. 17–23.

[11] Hammerstein, P., and Selten, R. Game theory and evolutionary biology. Handbook of game theory with economic applications 2 (1994), 929–993.

[12] Hara, K., Sato, T., Imamura, M., and Omote, K. Profiling of malicious users using simple honeypots on the ethereum blockchain network. In 2020 IEEE International Conference on Blockchain and Cryptocurrency (ICBC) (2020), IEEE, pp. 1–3.

[13] Harker, P. T. Generalized nash games and quasi-variational inequalities. European journal of Operational research 54, 1 (1991), 81–94.

[14] Hicks, M. T., Humphries, J., and Slater, J. Chatgpt is bullshit. Ethics and Information Technology 26, 2 (2024), 38.

[15] Hirshleifer, J. Equilibrium Concepts in Game Theory: The Need for Dynamics. UCLA, Department of Economics, 1983.

[16] Ilg, N., Duplys, P., Sisejkovic, D., and Menth, M. Survey of contemporary open-source honeypots, frameworks, and tools. Journal of Network and Computer Applications (2023), 103737.

[17] Jafarian, J. H., and Niakanlahiji, A. Delivering honeypots as a service. In HICSS (2020), pp. 1–10.

[18] Levine, T. R. Truth-default theory (tdt) a theory of human deception and deception detection. Journal of Language and Social Psychology 33, 4 (2014), 378–392.

[19] Leyton-Brown, K., and Shoham, Y. Essentials of game theory: A concise multidisciplinary introduction. Springer Nature, 2022.

[20] Macintyre, B. Operation mincemeat: how a dead man and a bizarre plan fooled the nazis and assured an allied victory. Crown, 2011.

[21] Mordor Intelligence. Decentralized finance (defi) market size share analysis - growth trends forecast (2024-2029), 2024. https://www.mordorintelligence.com/industry-reports/decentralized-finance-defi-market.

[22] Palomäki, J., Yan, J., and Laakasuo, M. Machiavelli as a poker mate—a naturalistic behavioural study on strategic deception. Personality and Individual Differences 98 (2016), 266–271.

[23] Pawlick, J., Colbert, E., and Zhu, Q. A game-theoretic taxonomy and survey of defensive deception for cybersecurity and privacy. ACM Computing Surveys (CSUR) 52, 4 (2019), 1–28.

[24] Qin, K., Zhou, L., Afonin, Y., Lazzaretti, L., and Gervais, A. Cefi vs. defi–comparing centralized to decentralized finance. arXiv preprint arXiv:2106.08157 (2021).

[25] Ragsdale, J., and Boppana, R. V. On designing low-risk honeypots using generative pre-trained transformer models with curated inputs. IEEE Access 11 (2023), 117528–117545.

[26] Rapoport, A., and Chammah, A. M. Prisoner’s dilemma: A study in conflict and cooperation, vol. 165. University of Michigan press, 1965.

[27] Rips, L. J. The psychology of knights and knaves. Cognition 31, 2 (1989), 85–116.

[28] Roughgarden, T. Algorithmic game theory. Communications of the ACM 53, 7 (2010), 78–86.

[29] Samuelson, L. Game theory in economics and beyond. Journal of Economic Perspectives 30, 4 (2016), 107–130.

[30] Sayeed, S., Marco-Gisbert, H., and Caira, T. Smart contract: Attacks and protections. Ieee Access 8 (2020), 24416–24427.

[31] Schar, F. Decentralized finance: On blockchain-and smart contract-based financial markets. FRB of St. Louis Review (2021).

[32] Schueffel, P. Defi: Decentralized finance-an introduction and overview. Journal of Innovation Management 9, 3 (2021), I–XI.

[33] Smith, T. J. Overlord/bodyguard: Intelligence failure through adversary deception. International Journal of Intelligence and CounterIntelligence 27, 3 (2014), 550–568.

[34] Sobel, J. Signaling games. Complex social and behavioral systems: Game theory and agent-based models (2020), 251–268.

[35] Sun, D., Ma, W., Nie, L., and Liu, Y. Sok: Comprehensive analysis of rug pull causes, datasets, and detection tools in defi. arXiv preprint arXiv:2403.16082 (2024).

[36] Uchibori, H., Yoshioka, K., and Omote, K. Honeypot method to lure attackers without holding crypto-assets. IEEE Access (2024).

[37] Weiser, B., and Schweber, N. The chatgpt lawyer explains himself. The New York Times (June 8, 2023). https://www.nytimes.com/2023/06/08/nyregion/lawyer-chatgpt-sanctions.html.

[38] Wronka, C. Financial crime in the decentralized finance ecosystem: new challenges for compliance. Journal of Financial Crime 30, 1 (2023), 97–113.

[39] Yao, Y., Duan, J., Xu, K., Cai, Y., Sun, Z., and Zhang, Y. A survey on large language model (llm) security and privacy: The good, the bad, and the ugly. High-Confidence Computing (2024), 100211.

[40] Zhang, M., Wu, L., Yang, T., Zhu, B., and Liu, Y. Retracted: The three-dimensional porous mesh structure of cu-based metal-organic-framework - aramid cellulose separator enhances the electrochemical performance of lithium metal anode batteries. Surfaces and Interfaces 46 (2024), 104081.

[41] Zhou, L., Xiong, X., Ernstberger, J., Chaliasos, S., Wang, Z., Wang, Y., Qin, K., Wattenhofer, R., Song, D., and Gervais, A. Sok: Decentralized finance (defi) attacks. In 2023 IEEE Symposium on Security and Privacy (SP) (2023), IEEE, pp. 2444–2461.

[42] Zhu, M., Anwar, A. H., Wan, Z., Cho, J.-H., Kamhoua, C. A., and Singh, M. P. A survey of defensive deception: Approaches using game theory and machine learning. IEEE Communications Surveys & Tutorials 23, 4 (2021), 2460–2493.