From Transactions to Exploits: Automated PoC Synthesis for Real-World DeFi Attacks
Xing Su, Hao Wu, Hanzhong Liang, Yunlin Jiang, Yuxi Cheng, Yating Liu, Fengyuan Xu

TL;DR
This paper introduces TracExp, an automated framework that synthesizes verifiable proof-of-concept exploits for real-world DeFi attacks by reverse engineering transaction traces and leveraging large language models, significantly reducing manual effort.
Contribution
The work presents the first automated method for generating exploitable PoCs from on-chain attack traces using trace-driven reverse engineering and LLM-based code generation.
Findings
Successfully synthesizes PoCs for 93% of real-world attacks
Achieves 58.78% direct verifiability of generated PoCs
Cost-effective with an average of $0.07 per case
Abstract
Blockchain systems are increasingly targeted by on-chain attacks that exploit contract vulnerabilities to extract value rapidly and stealthily, making systematic analysis and reproduction highly challenging. In practice, reproducing such attacks requires manually crafting proofs-of-concept (PoCs), a labor-intensive process that demands substantial expertise and scales poorly. In this work, we present the first automated framework for synthesizing verifiable PoCs directly from on-chain attack executions. Our key insight is that attacker logic can be recovered from low-level transaction traces via trace-driven reverse engineering, and then translated into executable exploits by leveraging the code-generation capabilities of large language models (LLMs). To this end, we propose TracExp, which localizes attack-relevant execution contexts from noisy, multi-contract traces and introduces a…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Web Application Security Vulnerabilities
