[2511.02780] PoCo: Agentic Proof-of-Concept Exploit Generation for Smart Contracts
Summary
The paper presents PoCo, an automated framework for generating proof-of-concept exploits for smart contracts, enhancing security audits by reducing manual effort and error rates.
Why It Matters
As smart contracts face increasing scrutiny due to vulnerabilities that can lead to significant financial losses, PoCo offers a solution that automates the generation of proof-of-concept exploits. This innovation can streamline security audits, making them more efficient and reliable, which is crucial in the rapidly evolving landscape of blockchain technology.
Key Takeaways
- PoCo automates the generation of proof-of-concept exploits from natural-language vulnerability descriptions.
- The framework runs a Reason-Act-Observe loop, calling code-execution tools to build, run and refine the exploit until it executes.
- Evaluated on 23 real-world vulnerability reports, PoCo outperforms existing baselines in producing high-quality, executable exploits.
- This tool can significantly reduce the time and effort required for security audits of smart contracts.
- The research contributes valuable insights to the smart contract security community.
Computer Science > Cryptography and Security
arXiv:2511.02780 (cs)
[Submitted on 4 Nov 2025 (v1), last revised 23 Feb 2026 (this version, v3)]
Title: PoCo: Agentic Proof-of-Concept Exploit Generation for Smart Contracts
Authors: Vivi Andersson, Sofia Bobadilla, Harald Hobbelhagen, Martin Monperrus
Abstract: Smart contracts operate in a highly adversarial environment, where vulnerabilities can lead to substantial financial losses. Thus, smart contracts are subject to security audits. In auditing, proof-of-concept (PoC) exploits play a critical role by demonstrating to the stakeholders that the reported vulnerabilities are genuine, reproducible, and actionable. However, manually creating PoCs is time-consuming, error-prone, and often constrained by tight audit schedules. We introduce PoCo, an agentic framework that automatically generates executable PoC exploits from natural-language vulnerability descriptions written by auditors. PoCo autonomously generates PoC exploits in an agentic manner by interacting with a set of code-execution tools in a Reason-Act-Observe loop. It produces fully executable exploits compatible with the Foundry testing framework, ready for integration into audit reports and other security tools. We evaluate PoCo on a dataset of 23 real-world vulnerability reports. PoCo consistently outperf...