Abstract
Smart contract vulnerabilities continue to cause significant financial losses despite security measures such as manual audits and bug bounty platforms. A critical component these measures often require is the proof-of-concept (PoC) exploit, which validates that a vulnerability is exploitable, assesses the severity of its impact, and guides developers toward a fix. Existing tools have explored automated PoC generation with techniques such as symbolic execution, fuzzing, and program synthesis, but they frequently fail to generate PoCs for vulnerabilities exploited in real-world incidents, primarily because they handle complex transaction dependencies poorly, cannot navigate the vast on-chain state space, or require extensive manual specifications. We propose a migration-based approach that extracts the critical information from documented security incidents and applies it to generate PoCs for similar vulnerable code, reusing proven exploit patterns rather than generating PoCs from scratch. The approach is motivated by two observations: code reuse is prevalent in smart contracts (up to 90% at the function level), and documented PoCs for real-world incidents are increasingly available. It operates in three phases: (1) abstracting the essential components of existing PoCs (environment properties, attack logic, and verification checks) into templates; (2) given a new target contract, selecting suitable templates and adapting their values through clone detection and property-feasibility analysis; and (3) generating PoCs and validating them in a simulated environment. Our evaluation demonstrates effectiveness and efficiency at multiple scales. The approach generates valid PoCs for 62 of 67 manually validated cases with no false positives, and completes its analysis in 3.8 hours where existing tools require 133.2 and 210.5 hours. A large-scale evaluation on 979,512 contracts identifies 256 vulnerable contracts across blockchain networks, with 64 cross-chain cases, demonstrating real-world applicability.
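The three-phase pipeline the abstract describes, as a toy Python illustration added here (it is not the paper's tool and makes no claim about how the paper implements each phase): a documented PoC is abstracted into a template carrying a type-2 clone fingerprint of the vulnerable function, the template is matched against a target contract's functions with a positional identifier alignment that supplies the adapted values, the environment properties are checked against target metadata, and a Foundry-style PoC is rendered. The reentrancy incident, the `Vault` target, the property predicates, the target metadata (placeholder address and block number) and the Foundry setup (`vm.createSelectFork`, `ITarget`, `RPC_URL`) are all constructed assumptions; executing the rendered PoC on a forked chain, the paper's validation step, is outside this example.

```python
"""Toy three-phase PoC migration (added illustration, not the paper's tool): every
contract snippet, PoC body, property predicate and metadata value is constructed."""
import re
from collections import namedtuple
from difflib import SequenceMatcher
from string import Template

# Solidity keywords/builtins the normalizer keeps verbatim (a subset).
KEYWORDS = {"function", "external", "public", "payable", "view", "pure", "require",
            "if", "else", "return", "uint256", "bool", "address", "msg", "sender", "value", "call"}
TOKEN_RE = re.compile(r'"[^"]*"|0x[0-9a-fA-F]+|\d+|[A-Za-z_]\w*|[^\s\w]')
# Phase 1 output; $placeholders in the text fields are incident identifiers or metadata keys.
PoCTemplate = namedtuple("PoCTemplate", "fingerprint idents env_properties attack_logic checks")

def normalize(source):
    """Type-2 clone normalization (identifiers -> ID, literals -> LIT); identifiers are
    also returned in order so an exact clone can be aligned 1:1 with the incident."""
    fingerprint, idents = [], []
    for tok in TOKEN_RE.findall(source):
        if tok[0] == '"' or tok[0].isdigit():
            fingerprint.append("LIT")
        elif tok in KEYWORDS or not (tok[0].isalpha() or tok[0] == "_"):
            fingerprint.append(tok)
        else:
            fingerprint.append("ID")
            idents.append(tok)
    return tuple(fingerprint), idents

def functions_of(contract_source):
    """Yield (name, source) for each function by matching braces."""
    for m in re.finditer(r"\bfunction\s+(\w+)", contract_source):
        depth = 0
        for j in range(contract_source.index("{", m.end()), len(contract_source)):
            depth += {"{": 1, "}": -1}.get(contract_source[j], 0)
            if depth == 0:
                yield m.group(1), contract_source[m.start():j + 1]
                break

def find_clones(template, target_source, threshold=0.9):
    """Phase 2a: target functions ranked by fingerprint similarity, each with the
    positional incident->target identifier mapping used to adapt the template."""
    hits = []
    for name, src in functions_of(target_source):
        fingerprint, idents = normalize(src)
        score = SequenceMatcher(None, template.fingerprint, fingerprint).ratio()
        if score >= threshold and len(idents) == len(template.idents):
            hits.append((score, name, dict(zip(template.idents, idents))))
    return sorted(hits, key=lambda h: h[0], reverse=True)

def migrate(template, target_source, target_meta):
    """Phases 2b+3: check property feasibility, then render the adapted PoC.
    Returns (PoC text or None, note); running the PoC on a fork is not modelled."""
    clones = find_clones(template, target_source)
    if not clones:
        return None, "no clone of the incident function in target"
    failed = [n for n, ok in template.env_properties.items() if not ok(target_meta)]
    if failed:
        return None, "infeasible properties: " + ", ".join(failed)
    score, _, mapping = clones[0]
    text = ENV_SETUP + template.attack_logic + template.checks
    return Template(text).substitute({**mapping, **target_meta}), f"clone score {score:.2f}"

# Constructed incident function: ether is sent before the balance is updated.
INCIDENT_SOURCE = """function withdraw(uint256 amount) external {
    require(balances[msg.sender] >= amount, "insufficient");
    (bool ok, ) = msg.sender.call{value: amount}("");
    require(ok, "transfer failed");
    balances[msg.sender] -= amount;
}"""
ENV_SETUP = """// environment (assumed Foundry cheatcodes, ITarget interface and RPC_URL)
vm.createSelectFork(RPC_URL, $fork_block);
ITarget target = ITarget($target_address);
uint256 startBalance = address(this).balance;
"""
ATTACK_LOGIC = """// attack logic: seed a balance, then re-enter $withdraw from receive()
target.$deposit_fn{value: 1 ether}();
target.$withdraw(1 ether);
"""
CHECKS = """// verification: target drained and the attacker ends up ahead
assertEq(address(target).balance, 0);
assertGt(address(this).balance, startBalance);
"""
ENV_PROPERTIES = {"target holds ether": lambda m: m["balance_wei"] > 0,
                  "attacker can seed a balance": lambda m: m.get("deposit_fn") is not None}
INCIDENT_TEMPLATE = PoCTemplate(*normalize(INCIDENT_SOURCE), ENV_PROPERTIES, ATTACK_LOGIC, CHECKS)

# Constructed target: the incident logic with every identifier renamed.
TARGET_SOURCE = """contract Vault {
    mapping(address => uint256) public shares;
    function stake() external payable { shares[msg.sender] += msg.value; }
    function redeem(uint256 qty) external {
        require(shares[msg.sender] >= qty, "not enough");
        (bool sent, ) = msg.sender.call{value: qty}("");
        require(sent, "send failed");
        shares[msg.sender] -= qty;
    }
}"""
# Constructed target metadata (placeholder address and block number).
TARGET_META = {"target_address": "0x0000000000000000000000000000000000000001",
               "fork_block": 21000000, "balance_wei": 50 * 10**18, "deposit_fn": "stake"}
```

`migrate(INCIDENT_TEMPLATE, TARGET_SOURCE, TARGET_META)` selects `redeem` as an exact clone of the incident's `withdraw` (score 1.00), maps `withdraw`, `amount`, `balances` and `ok` to `redeem`, `qty`, `shares` and `sent`, and renders the attack as `target.stake{value: 1 ether}(); target.redeem(1 ether);`. Two failure modes are worth trying: setting `balance_wei` to 0 rejects the migration on the "target holds ether" property rather than emitting a PoC that could never pay out, and moving `shares[msg.sender] -= qty;` above the external call (the checks-effects-interactions fix) drops the fingerprint similarity to roughly 0.84, below the 0.9 threshold, so the patched function is not selected at all. Real tools must cope with type-3 clones (added or deleted statements), so a token-sequence ratio is only the simplest possible clone detector.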
| Original language | English |
|---|---|
| Title of host publication | 2025 40th IEEE/ACM International Conference on Automated Software Engineering, ASE 2025: Proceedings |
| Publisher | IEEE |
| Pages | 52-64 |
| Number of pages | 13 |
| ISBN (Electronic) | 9798350357332 |
| DOIs | |
| Publication status | Published - Nov 2025 |
| Event | 2025 40th IEEE/ACM International Conference on Automated Software Engineering, Seoul, Korea, Republic of; 16 Nov 2025 → 20 Nov 2025 |
Publication series
| Name | IEEE/ACM International Conference on Automated Software Engineering |
|---|---|
| Publisher | IEEE |
| ISSN (Print) | 1938-4300 |
| ISSN (Electronic) | 2643-1572 |
Conference
| Conference | 2025 40th IEEE/ACM International Conference on Automated Software Engineering |
|---|---|
| Abbreviated title | ASE 2025 |
| Country/Territory | Korea, Republic of |
| City | Seoul |
| Period | 16/11/25 → 20/11/25 |
Funding
This research is supported by the National Research Foundation, Singapore, and DSO National Laboratories under the AI Singapore Programme (AISG Award No: AISG4-GC-2023-008-1B); by the National Research Foundation Singapore and the Cyber Security Agency under the National Cybersecurity R&D Programme (NCRP25-P04-TAICeN); and by the Prime Minister’s Office, Singapore under the Campus for Research Excellence and Technological Enterprise (CREATE) Programme.
Keywords
- Smart Contract Security
- Proof-of-Concept Exploits
- Real-World Incidents