[2602.01317] TxRay: Agentic Postmortem of Live Blockchain Attacks
Summary
TxRay is a novel system that automates the postmortem analysis of live blockchain attacks, significantly improving the speed and accuracy of identifying exploit root causes and generating proofs of concept.
Why It Matters
As decentralized finance (DeFi) continues to grow, the frequency and impact of blockchain exploits have escalated. TxRay addresses the critical need for efficient postmortem analysis, enabling faster recovery and enhanced security measures, which is vital for the integrity of financial systems built on blockchain technology.
Key Takeaways
- TxRay reconstructs blockchain attack lifecycles from limited evidence.
- The system achieves a 92.11% end-to-end reproduction rate for exploit incidents.
- TxRay's oracle-validated proofs of concept enhance attack imitation and coverage.
- The tool significantly reduces postmortem analysis time to under an hour.
- TxRay addresses the growing need for automated security solutions in the DeFi space.
Computer Science > Cryptography and Security
arXiv:2602.01317 (cs)
[Submitted on 1 Feb 2026 (v1), last revised 23 Feb 2026 (this version, v5)]
Title: TxRay: Agentic Postmortem of Live Blockchain Attacks
Authors: Ziyue Wang, Jiangshan Yu, Kaihua Qin, Dawn Song, Arthur Gervais, Liyi Zhou
Abstract: Decentralized Finance (DeFi) has turned blockchains into financial infrastructure, allowing anyone to trade, lend, and build protocols without intermediaries, but this openness exposes pools of value controlled by code. Within five years, the DeFi ecosystem has lost over 15.75B USD to reported exploits. Many exploits arise from permissionless opportunities that any participant can trigger using only public state and standard interfaces, which we call Anyone-Can-Take (ACT) opportunities. Despite on-chain transparency, postmortem analysis remains slow and manual: investigations start from limited evidence, sometimes only a single transaction hash, and must reconstruct the exploit lifecycle by recovering related transactions, contract code, and state dependencies. We present TxRay, a Large Language Model (LLM) agentic postmortem system that uses tool calls to reconstruct live ACT attacks from limited evidence. Starting from one or more seed transactions, TxRay recovers the exploit lifecycle, derives an evidence-backed root cause, and generate...