Secure Smart Contract with Control Flow Integrity

📅 2025-04-07
📈 Citations: 0
Influential: 0
🤖 AI Summary
DeFi smart contracts face increasingly sophisticated control-flow attacks, and existing defenses fall short because they rely on static rules, impose excessive gas overhead, and lack runtime adaptability. This paper is the first to bring control-flow integrity (CFI) to smart contract security, proposing a lightweight, real-time CFI mechanism. It dynamically generates transaction-level control-flow whitelists via control-flow graph modeling, augmented by runtime simplification heuristics and gas-aware validation, enabling automatic anomaly detection and transaction rollback with zero post-deployment configuration. The approach requires no prior knowledge of attack patterns, achieves a 0.28% false positive rate, and incurs negligible average gas overhead. Evaluated on 30 historically compromised DeFi protocols, it blocked 28 real-world attacks. The method advances both the effectiveness and practicality of DeFi security enforcement.

📝 Abstract
Smart contracts power decentralized finance (DeFi) services but are vulnerable to complex security exploits that can lead to significant financial losses. Existing security measures often fail to adequately protect these contracts because of the composability of DeFi protocols and the increasing sophistication of attacks. Through a large-scale empirical study of historical transactions from 30 hacked DeFi protocols, we found that benign transactions typically exhibit a limited number of unique control flows, whereas attack transactions consistently introduce novel, previously unobserved control flows. Building on these insights, we developed CrossGuard, a framework that enforces control flow integrity in real time to secure smart contracts. Crucially, CrossGuard does not require prior knowledge of specific hacks; instead, it dynamically enforces control flow whitelisting policies and applies simplification heuristics at runtime. It monitors execution and prevents potential attacks by reverting every transaction that does not adhere to the established control flow whitelisting rules. Our evaluation shows that CrossGuard blocks 28 of the 30 analyzed attacks when configured only once prior to contract deployment, while maintaining a false positive rate of 0.28% and minimal additional gas cost. These results underscore the efficacy of applying control flow integrity to smart contracts, significantly enhancing security beyond traditional methods and addressing the evolving threat landscape in the DeFi ecosystem.
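The core idea in the abstract, a transaction-level control-flow whitelist learned once from benign history and enforced by reverting anything unseen, as an added illustration that is not CrossGuard's code: the trace format (caller/callee edges), the loop-collapsing `simplify` heuristic, and the `Pool`/`Token`/`Receiver` names are all assumptions constructed for this example, not the paper's actual model or heuristics.

```python
from typing import Iterable, List, Set, Tuple

Edge = Tuple[str, str]   # (caller function, callee function) in a call trace
Flow = Tuple[Edge, ...]  # one transaction's ordered control flow


def simplify(trace: Iterable[Edge]) -> Flow:
    """Collapse consecutive repeats of an edge so a loop running 3 times maps
    to the same flow as one iteration (an assumed stand-in for the paper's
    runtime simplification heuristics, not its actual rules)."""
    out: List[Edge] = []
    for edge in trace:
        if not out or out[-1] != edge:
            out.append(edge)
    return tuple(out)


class ControlFlowGuard:
    """Learn the whitelist once from benign history; reject unseen flows."""

    def __init__(self) -> None:
        self.allowed: Set[Flow] = set()

    def learn(self, benign_traces: Iterable[Iterable[Edge]]) -> None:
        for trace in benign_traces:
            self.allowed.add(simplify(trace))

    def check(self, trace: Iterable[Edge]) -> bool:
        """True = let the transaction proceed, False = revert it."""
        return simplify(trace) in self.allowed


# Constructed sample traces for a hypothetical "Pool" contract.
BENIGN_TRACES = [
    [("Pool.deposit", "Token.transferFrom")],
    [("Pool.withdraw", "Token.transfer")],
    [("Pool.withdraw", "Token.transfer")] * 3,  # batched withdraw loop
]
# A callback that re-enters the pool adds an edge never seen in benign
# history, so the whitelist rejects the whole transaction.
NOVEL_TRACE = [
    ("Pool.withdraw", "Token.transfer"),
    ("Token.transfer", "Receiver.onTokenReceived"),
    ("Receiver.onTokenReceived", "Pool.withdraw"),
]


def demo() -> Tuple[bool, bool]:
    # Returns (benign loop allowed, novel flow allowed) -> (True, False)
    guard = ControlFlowGuard()
    guard.learn(BENIGN_TRACES)
    return guard.check(BENIGN_TRACES[2]), guard.check(NOVEL_TRACE)
```

The loop collapse is what keeps a legitimate batched call from counting as a novel flow; without such a heuristic the whitelist would grow with every loop count and the false positive rate would climb.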
Problem

Research questions and friction points this paper is trying to address.

Smart contracts vulnerable to complex security exploits
Existing measures fail due to DeFi composability and sophisticated attacks
Need for real-time control flow integrity enforcement without prior hack knowledge
Innovation

Methods, ideas, or system contributions that make the work stand out.

Enforces control flow integrity in real-time
Dynamically applies whitelisting policies
Applies simplification heuristics at runtime