How DeFi Exploits Work:
An Action-Level Study of Real-World Attacks

An LLM-assisted study that decomposes 688 real-world DeFi exploit PoCs from DeFiHackLabs into an ordered list of function calls, labels each call with the role it plays in the attack, and groups the exploits by the invariant that their INDUCE step violates — and finds they fall into 22 distinct attack mechanisms.

ICSE 2027 · Submission #2311 Worked examples →
688DeFi exploit PoCs
22attack mechanisms
187distinct variants
63.1%economic mechanisms
6.1%covered by rule-based tools
00THE PIPELINE

From PoC to mechanism

We replay each PoC to obtain its execution trace, decompose it into an ordered list of function calls, and label each call with the role it plays in the attack. The INDUCE step — the one action that breaks the target contract's invariant — determines the mechanism. Two independent LLM instances and a human expert label a stratified sample to establish reliability.

Pipeline: dataset preparation, action-IR construction, the 22-mechanism taxonomy, and reliability assessment.
Dataset preparation (724→688 PoCs) · action-IR construction · the 22-mechanism taxonomy · reliability assessment
RQ1MECHANISM IDENTIFICATION

Twenty-two attack mechanisms, stable since 2023

The INDUCE steps reduce to 22 distinct attack mechanisms under two classes — economic (value-accounting) mechanisms account for 434 incidents (63.1%) and classic code bugs for 254 (36.9%), with no catch-all class. Three boundary mechanisms (50 incidents) could be counted as classic instead, lowering the economic share to 55.8%. The set is bounded: the cumulative count reaches 22 by 2023 and stays flat through 2026, and all 45 in-scope incidents collected after the cutoff fit the existing mechanisms.

All (22) Economic (12 · 63.1%) Classic (10 · 36.9%)
IDMechanism & violated invariant FamilyInc. Var.Top-3% Detector

Detector = whether the combined Slither + Mythril rule set has a rule for the mechanism's violated invariant: COVERED directly targets the invariant, PARTIAL flags a related code symptom but not the invariant itself, NONE no relevant rule. Across all 688 incidents: COVERED 6.1%, PARTIAL 38.7%, NONE 55.2%.

Cumulative distinct mechanisms over time reaching 22 by 2023.
Cumulative distinct mechanisms over time — 22 by 2023, no new mechanism since
RQ2WITHIN-MECHANISM VARIATION

Same flow, one call differs

Within a mechanism, exploits share the same flow and invariant but differ only in the INDUCE call that triggers the violation. There are 187 distinct variants across the 22 mechanisms (mean 8.5 each), yet the top three cover about 70% of incidents on average — the invariant stays fixed even as the ways to violate it grow.

g01 within-mechanism variation: one shared flow, only the corrupting call differs.
g01 (reserve desync), 97 incidents: one shared flow; only the INDUCE call differs — donate+skim (34), self-burn (24), reflection deliver (8)
RQ3MECHANISM vs. VULNERABILITY TYPE

Two complementary lenses

Each incident carries a mechanism (how the attack works) and a conventional vulnerability type (what is wrong in the code). 19 of 22 mechanisms concentrate at least 75% of their incidents in one type, yet the two largest types (logic flaw and insufficient validation, 70.5% of incidents) each span six to seven mechanisms — so the type label alone does not determine the mechanism. The two lenses are complementary.

Contingency of 22 mechanisms against 6 vulnerability types.
Mechanism × vulnerability type — each mechanism concentrates in one type; the broad types spread across many mechanisms
RQ4DETECTION COVERAGE

A detection gap on economic mechanisms

The combined Slither and Mythril rule set directly covers only 6.1% of incidents, almost entirely reentrancy. The four economic families that account for 63.1% of the dataset receive zero direct coverage; even counting PARTIAL as coverage, 85.9% of economic incidents have no relevant rule. Per-mechanism coverage is shown in the Detector column above.

ARTIFACT

Dataset & taxonomy

The action-level dataset and the mechanism taxonomy are released: the 688 incidents with their mechanism, variant, vulnerability type and chain; the 22 mechanisms with their invariants; and the role-tagged action-IR behind every incident.

Labeling reliability: mechanism Fleiss' κ = 0.73 (two LLM instances + one human expert, 120-incident sample); detector-coverage κ = 0.78. Data under CC-BY-4.0, code under MIT.