An LLM-assisted study that decomposes 688 real-world DeFi exploit PoCs from DeFiHackLabs into an ordered list of function calls, labels each call with the role it plays in the attack, and groups the exploits by the invariant that their INDUCE step violates — and finds they fall into 22 distinct attack mechanisms.
We replay each PoC to obtain its execution trace, decompose it into an ordered list of function calls, and label each call with the role it plays in the attack. The INDUCE step — the one action that breaks the target contract's invariant — determines the mechanism. Two independent LLM instances and a human expert label a stratified sample to establish reliability.
The INDUCE steps reduce to 22 distinct attack mechanisms under two classes — economic (value-accounting) mechanisms account for 434 incidents (63.1%) and classic code bugs for 254 (36.9%), with no catch-all class. Three boundary mechanisms (50 incidents) could be counted as classic instead, lowering the economic share to 55.8%. The set is bounded: the cumulative count reaches 22 by 2023 and stays flat through 2026, and all 45 in-scope incidents collected after the cutoff fit the existing mechanisms.
| ID | Mechanism & violated invariant | Family | Inc. | Var. | Top-3% | Detector |
|---|
Detector = whether the combined Slither + Mythril rule set has a rule for the mechanism's violated invariant: COVERED directly targets the invariant, PARTIAL flags a related code symptom but not the invariant itself, NONE no relevant rule. Across all 688 incidents: COVERED 6.1%, PARTIAL 38.7%, NONE 55.2%.
Within a mechanism, exploits share the same flow and invariant but differ only in the INDUCE call that triggers the violation. There are 187 distinct variants across the 22 mechanisms (mean 8.5 each), yet the top three cover about 70% of incidents on average — the invariant stays fixed even as the ways to violate it grow.
Each incident carries a mechanism (how the attack works) and a conventional vulnerability type (what is wrong in the code). 19 of 22 mechanisms concentrate at least 75% of their incidents in one type, yet the two largest types (logic flaw and insufficient validation, 70.5% of incidents) each span six to seven mechanisms — so the type label alone does not determine the mechanism. The two lenses are complementary.
The combined Slither and Mythril rule set directly covers only 6.1% of incidents, almost entirely reentrancy. The four economic families that account for 63.1% of the dataset receive zero direct coverage; even counting PARTIAL as coverage, 85.9% of economic incidents have no relevant rule. Per-mechanism coverage is shown in the Detector column above.
The action-level dataset and the mechanism taxonomy are released: the 688 incidents with their mechanism, variant, vulnerability type and chain; the 22 mechanisms with their invariants; and the role-tagged action-IR behind every incident.
Labeling reliability: mechanism Fleiss' κ = 0.73 (two LLM instances + one human expert, 120-incident sample); detector-coverage κ = 0.78. Data under CC-BY-4.0, code under MIT.