WWW2023
Bad Apples: Understanding the Centralized Security Risks in Decentralized Ecosystems
Kailun Yan, Jilian Zhang, Xiangyu Liu, Wenrui Diao, Shanqing Guo
12 citations
Abstract
Blockchain-powered decentralized applications and systems have been widely deployed in recent years. The decentralization feature promises users anonymity, security, and non-censorship, which is especially welcomed in the areas of decentralized finance and digital assets. From the perspective of most common users, a decentralized ecosystem means every service follows the principle of decentralization. However, we find that the services in a decentralized ecosystem may still contain centralized components or scenarios, such as third-party SDKs and privileged operations, which violate the promise of decentralization and may cause a series of centralized security risks. In this work, we systematically study the centralized security risks existing in decentralized ecosystems. Specifically, we identify seven centralized security risks in the deployment of two typical decentralized services – crypto wallets and DApps – such as anonymity loss and overpowered owner. Also, to measure these risks in the wild, we designed an automated detection tool called Naga and carried out large-scale experiments. Based on the measurement of 28 Ethereum crypto wallets (Android version) and 110,506 on-chain smart contracts, the results show that centralized security risks are widespread. Up to 96.4% of wallets and 83.5% of contracts have at least one security risk, including 260 well-known tokens with a total market cap of over $98 billion.