PoCo: Agentic Proof-of-Concept Exploit Generation for Smart Contracts
Vivi Andersson, Sofia Bobadilla, Harald Hobbelhagen, Martin Monperrus

TL;DR
PoCo is an innovative agentic framework that automatically generates executable proof-of-concept exploits from natural-language vulnerability descriptions, streamlining smart contract security audits and reducing manual effort.
Contribution
This paper introduces PoCo, the first agentic system that autonomously creates executable PoC exploits from natural language, enhancing efficiency in smart contract security auditing.
Findings
PoCo outperforms baseline methods in generating correct PoCs.
PoCo produces exploits compatible with the Foundry testing framework.
Automated PoC generation reduces manual effort in audits.
Abstract
Smart contracts operate in a highly adversarial environment, where vulnerabilities can lead to substantial financial losses. Thus, smart contracts are subject to security audits. In auditing, proof-of-concept (PoC) exploits play a critical role by demonstrating to the stakeholders that the reported vulnerabilities are genuine, reproducible, and actionable. However, manually creating PoCs is time-consuming, error-prone, and often constrained by tight audit schedules. We introduce PoCo, an agentic framework that automatically generates executable PoC exploits from natural-language vulnerability descriptions written by auditors. PoCo autonomously generates PoC exploits in an agentic manner by interacting with a set of code-execution tools in a Reason-Act-Observe loop. It produces fully executable exploits compatible with the Foundry testing framework, ready for integration into audit…
Taxonomy
Topics: Security and Verification in Computing · Web Application Security Vulnerabilities · Advanced Malware Detection Techniques
