1 of 27

Insecurity Through Obscurity: Veiled Vulnerabilities in Closed-Source Contracts

Sen Yang

DeFi Security Summit

Nov 20 2025

With Kaihua Qin, Aviv Yaish and Fan Zhang

1

2 of 27

Decentralized Finance

DeFi Application

Blockchain

3 of 27

MEV and MEV bots

Arbitrage

Liquidation

Sandwich

Other DeFi attacks

Identifying opportunity

Extracting value

MEV searchers

MEV bots

4 of 27

MEV bots

Screenshots from etherscan and eigenphi

Wealthy and Mysterious

5 of 27

Attacks against MEV bots

From 2021 to 2024 (or …?)

There is nothing new under the sun.

But, is it complete?

6 of 27

Overview

  • New attack vector: MEV phishing attacks
  • Challenges in identifying security issues
  • Our solution: SKANF

7 of 27

MEV phishing attacks

Why: the access control mechanism.

Ensuring security may be costly in blockchain systems.

[Figure: gas cost comparison of access-control checks, ~450 gas vs 8 gas]

Should I use tx.origin?

8 of 27

MEV phishing attacks

Idea of MEV phishing attacks: become part of the MEV supply chain, so that the attacker's code executes inside the searcher's own transaction.

Thus, it can bypass the tx.origin check.
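The call-context semantics behind that bypass, as an added example that is not from the slides or from SKANF: a small Python model of how tx.origin stays fixed while msg.sender changes along the chain EOA -> bot -> token -> bot. The addresses are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder addresses for the walk-through (not real accounts).
SEARCHER_EOA = "0xSEARCHER"
BOT = "0xBOT"
MALICIOUS_TOKEN = "0xTOKEN"


@dataclass(frozen=True)
class Frame:
    """The two identities an EVM call frame can check."""
    origin: str  # tx.origin: the EOA that signed the tx, identical in every frame of the tx
    caller: str  # msg.sender: the account that made *this* call, changes at every hop


def enter(parent: Frame, calling_contract: str) -> Frame:
    """Model a CALL: origin is inherited unchanged, caller becomes the contract issuing the call."""
    return Frame(origin=parent.origin, caller=calling_contract)


def origin_check(frame: Frame, owner: str) -> bool:
    """The cheap check a gas-optimised bot may use: require(tx.origin == owner)."""
    return frame.origin == owner


def sender_check(frame: Frame, owner: str) -> bool:
    """The conventional check: require(msg.sender == owner)."""
    return frame.caller == owner


def privileged_call_outcomes(owner: str) -> dict:
    """Replay the frames of an MEV-phishing transaction and report which access check
    lets the token's callback reach the bot's privileged function.

    chain: owner EOA -> bot.arbitrage() -> maliciousToken.transfer() -> bot.withdraw()
    """
    top = Frame(origin=owner, caller=owner)      # the searcher's EOA calls the bot
    in_token = enter(top, BOT)                   # the bot calls the token
    callback = enter(in_token, MALICIOUS_TOKEN)  # the token calls back into the bot
    return {
        "tx.origin check": origin_check(callback, owner),    # passes: origin never changed
        "msg.sender check": sender_check(callback, owner),   # fails: caller is the token
        "owner direct, msg.sender check": sender_check(top, owner),  # legitimate use still works
    }
```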

Overall statistics:

    • We identify 104 attacks from July 2021 to April 2025
    • $2.76M in losses; the single largest attack: $636K
    • It includes three variants.

[Figure: MEV extraction flowing through attacker-controlled malicious tokens / pools / addresses]

9 of 27

Token-based MEV-phishing attacks

Once searchers perform arbitrages involving a malicious token, the backdoor within the token is triggered to attack the MEV bot.

10 of 27

Pool-based MEV-phishing attacks

The attacker deploys a malicious pool to attract searchers who try to extract MEV from it.

11 of 27

Refund-based MEV-phishing attacks

The token and the pool are not malicious, but searchers have to refund a malicious address if they want to backrun this opportunity.

12 of 27

Why is it hard to identify security issues?

MEV bots keep suffering losses.

Question: Why do they not use tools to secure their contracts?

😭

🤔

Or, what are the challenges that prevent such tools from being useful?

13 of 27

Challenge 1: control-flow obfuscation

  • Developers may introduce control-flow obfuscation intentionally or as a side effect of gas optimization.
  • Existing approaches no longer work on such smart contracts.

Most of the code cannot be analyzed by security tools.

14 of 27

Challenge 2: the complexity of the contract

Even without obfuscation, the contract itself can still be very complex.

Analysis tools may time out.

The logic is very complex.

15 of 27

Challenge 3: pattern matching cannot help

Is a partially controllable call vulnerable or not?

This is hard to answer because we do not know which parts we can control or whether we can reach this call.

16 of 27

Idea: de-obfuscation

Control flow obfuscation: the jump destination is based on a runtime value (indirect jump)

Observation: EVM specifies that JUMPDEST should mark every legal jump destination

Therefore, we can manually collect all legal jump destinations and rewrite the instructions to make the control flow explicit.
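The JUMPDEST observation turned into code, as an added example that is not SKANF's own implementation: a minimal EVM disassembler that collects the legal jump destinations and resolves each JUMP/JUMPI either to its PUSHed constant or, for an indirect jump, to the full set of JUMPDESTs. The bytecode is constructed for the demo; note the 0x5b byte hidden inside push data, which a plain byte scan would wrongly treat as a destination.

```python
JUMP, JUMPI, JUMPDEST = 0x56, 0x57, 0x5B
PUSH1, PUSH32 = 0x60, 0x7F


def disassemble(code):
    """Yield (offset, opcode, immediate). Skipping PUSH immediates matters: a 0x5b byte
    inside push data is data, not a JUMPDEST, and the EVM rejects a jump to it."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        n = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        yield pc, op, code[pc + 1:pc + 1 + n]
        pc += 1 + n


def naive_jumpdest_scan(code):
    """What a byte grep reports (wrong: it includes 0x5b bytes hidden in push data)."""
    return {i for i, b in enumerate(code) if b == JUMPDEST}


def legal_jumpdests(code):
    """Offsets the EVM accepts as jump targets: JUMPDEST opcodes reached as instructions."""
    return {pc for pc, op, _ in disassemble(code) if op == JUMPDEST}


def resolve_jumps(code):
    """Map each JUMP/JUMPI offset to its destinations. A jump right after a PUSH is direct;
    anything else (destination computed at runtime) is indirect and is over-approximated by
    every legal JUMPDEST, which is what makes the control flow explicit for static tools."""
    dests = legal_jumpdests(code)
    out, prev = {}, None
    for pc, op, imm in disassemble(code):
        if op in (JUMP, JUMPI):
            if prev is not None and PUSH1 <= prev[0] <= PUSH32:
                target = int.from_bytes(prev[1], "big")
                out[pc] = {target} if target in dests else set()  # empty: jump would revert
            else:
                out[pc] = set(dests)
        prev = (op, imm)
    return out


# Constructed bytecode:
#  0: PUSH1 0  2: CALLDATALOAD  3: JUMP (indirect)   4: PUSH1 0x5b (data byte 0x5b at offset 5)
#  6: JUMPDEST 7: STOP  8: PUSH1 12  10: JUMP (direct)  11: INVALID  12: JUMPDEST  13: STOP
SAMPLE = bytes.fromhex("60003556605b5b00600c56fe5b00")
```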

17 of 27

Idea: prioritize exploration

  • A contract includes many execution paths
  • If we do a blind path exploration, it will be very slow for a complex contract.

[Figure: path tree illustrating state explosion, with the vulnerability on only one of many paths]

18 of 27

Idea: prioritize exploration

  • Observation: For smart contracts, we know their real-world execution traces!

Why do we not prioritize exploration based on these real-world traces?

19 of 27

Idea: prioritize exploration

We care about the vulnerability within the most frequent execution path.

[Figure: path tree in which historical transactions highlight the most frequent execution path, the one containing the vulnerability]
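The prioritization idea of slides 17 to 19 as an added example, not SKANF's own scheduler: a best-first path exploration whose priority is the historical frequency of the least-travelled edge on the partial path, contrasted with blind depth-first enumeration. The CFG and traces are constructed, not real contract data.

```python
import heapq
from collections import Counter

# Constructed control-flow graph (block label -> successors) and constructed historical traces.
# Adjacency order puts "admin" first, so blind exploration wastes its budget there; the traces
# say the "swap" path is what real transactions execute.
CFG = {
    "entry": ["admin", "swap"],
    "admin": ["withdraw"],
    "swap": ["settle", "revert"],
    "withdraw": [], "settle": [], "revert": [],
}
HISTORICAL_TRACES = [["entry", "swap", "settle"]] * 97 + [["entry", "swap", "revert"]] * 3


def edge_frequencies(traces):
    """Count how often each CFG edge appeared in historical executions."""
    return Counter((a, b) for trace in traces for a, b in zip(trace, trace[1:]))


def blind_paths(cfg, entry, budget):
    """Unguided depth-first enumeration of complete paths; stops after `budget` paths."""
    done, stack = [], [[entry]]
    while stack and len(done) < budget:
        path = stack.pop()
        succ = cfg[path[-1]]
        if not succ:
            done.append(path)
        stack.extend(path + [n] for n in reversed(succ))  # preserve adjacency order
    return done


def history_guided_paths(cfg, entry, traces, budget):
    """Best-first enumeration: a partial path's priority is the frequency of its rarest edge,
    so paths that real transactions actually took are completed first."""
    freq = edge_frequencies(traces)
    heap, done, seq = [(0, 0, [entry])], [], 0
    while heap and len(done) < budget:
        _, _, path = heapq.heappop(heap)
        succ = cfg[path[-1]]
        if not succ:
            done.append(path)
        for nxt in succ:
            new = path + [nxt]
            prio = min(freq[e] for e in zip(new, new[1:]))
            seq += 1  # tiebreak keeps heap entries comparable
            heapq.heappush(heap, (-prio, seq, new))
    return done
```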

20 of 27

Idea: identify all controllable / risky params

Combine with taint analysis to identify all parameters that are controllable.

[Figure: taint-tracking example. Symbolic calldata bytes (marked SSSS) flow into the data of a WETH.call alongside the constant selector a9059cbb (transfer) and the constant value 0000010000.]

Find a pattern that is not controllable but "risky": transfer

Can be exploited by an adversary
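The "not controllable but risky" classification as an added example, not SKANF's taint engine: call data is modelled byte by byte, with None standing for a byte that carries the taint mark S (controlled by untrusted calldata) and ints for constants, and one external call is classified by which ABI words an adversary can influence. The sample call data and the placeholder address are constructed; the amount-controllable tier is this example's own choice.

```python
SYM = None                       # byte whose value comes from untrusted calldata (taint mark "S")
TRANSFER_SELECTOR = "a9059cbb"   # transfer(address,uint256), the selector shown on the slide


def word_taint(data, start):
    """Taint of one 32-byte ABI word: controllable if any byte of it is symbolic."""
    word = data[start:start + 32]
    return "controllable" if any(b is SYM for b in word) else "constant"


def classify_call(target_is_token, data):
    """Classify a CALL whose data is `data` (list of int | None).
    The slide's case is the interesting one: target and selector are constants, so a
    selector-only pattern match sees nothing, yet the recipient word is controllable."""
    selector_bytes = data[:4]
    if any(b is SYM for b in selector_bytes):
        return {"verdict": "risky", "reason": "selector is controllable: arbitrary function call",
                "args": []}
    selector = bytes(selector_bytes).hex()
    words = [word_taint(data, 4 + 32 * i) for i in range((len(data) - 4) // 32)]
    if target_is_token and selector == TRANSFER_SELECTOR:
        to, amount = words
        if to == "controllable":
            return {"verdict": "risky", "reason": "transfer recipient is controllable", "args": words}
        if amount == "controllable":
            return {"verdict": "review", "reason": "recipient fixed, amount controllable", "args": words}
    return {"verdict": "not controllable", "reason": "all call-data words are constants", "args": words}


def constructed_transfer(recipient_symbolic, amount=0x10000):
    """Build transfer(address,uint256) call data with a symbolic or a fixed recipient."""
    recipient = [SYM] * 20 if recipient_symbolic else [0xAA] * 20   # 0xAA...: placeholder address
    amount_word = list(amount.to_bytes(32, "big"))
    return list(bytes.fromhex(TRANSFER_SELECTOR)) + [0] * 12 + recipient + amount_word
```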

21 of 27

Putting it together: SKANF

[Figure: SKANF pipeline. Inputs: the smart contract, its historical transactions, and a config (token, recipient, etc). Stages: de-obfuscation if the contract is obfuscated, symbolic execution, taint analysis. Outputs: potential vulnerability and exploit.]

22 of 27

Evaluation: de-obfuscation

  • SKANF recovers a significant share of the control flow, thereby enhancing the efficacy of static analysis tools.

23 of 27

Evaluation: vulnerability detection

  • Evaluation dataset: 6,554 MEV bots
  • Compared to other SOTA symbolic execution tools:
    • ETHBMC finds 0
    • JACKAL finds 18
    • Mythril finds 89
    • SKANF finds 1,030 vulnerable smart contracts
    • For 394 of them, SKANF successfully generates an exploit
  • We manually evaluate 100 of the cases where SKANF fails to generate exploits and find that exploit generation requires a more sophisticated strategy.

24 of 27

Evaluation: vulnerability detection

  • If the vulnerable smart contracts were exploited, what would the potential loss be?

More than $10M

25 of 27

Evaluation: runtime

  • With the same time budget, SKANF can find more vulnerabilities than other state-of-the-art tools.

26 of 27

Summary

  • MEV-phishing attacks: token-based / pool-based / refund-based
    • New attack vectors against real-world MEV bots
  • Challenges of analyzing such contracts
    • Obfuscation / complexity / simple pattern matching does not help
  • SKANF
    • De-obfuscation / historical-transaction-driven symbolic execution / taint analysis
    • Evaluation shows its efficacy in de-obfuscation and vulnerability detection.

27 of 27

Thank you!

Questions

Email: sen.yang@yale.edu / Twitter (X): syang2ng

arXiv link

blog post

https://syang.xyz