Smart contract vulnerabilities in Decentralized Finance cause billions of dollars in losses every year, yet the security community faces a critical bottleneck: identifying a vulnerability is not the same as proving it is exploitable. Manual PoC construction is prohibitively labor-intensive, leaving most disclosed vulnerabilities unverified and protocols exposed long before mitigation is applied. In this paper, we propose \sys, a knowledge-driven agentic system for end-to-end contract vulnerability detection and exploit synthesis. Our core insight is that exploit synthesis is not a code generation task but a \emph{structured reasoning problem} that requires grounded knowledge of protocol semantics, failure root causes, and exploit primitives. \sys organizes this knowledge into a \emph{Hierarchical Knowledge Graph} (HKG) that serves as structured memory for LLM-guided multi-hop reasoning. To validate exploit feasibility beyond code synthesis, \sys employs a two-stage validation framework that checks exploit-path reachability via SMT solving and profit realizability via asset-level state simulation, ensuring that generated PoCs satisfy both logical and economic viability constraints. Evaluated on 88 real-world DeFi attacks and 72 audited projects (2,573 contracts), \sys achieves 98\% recall and a 0.9 F1-score in detection, and a 96.6\% exploit success rate (ESR), reproducing 85 historical exploits and recovering over \$116.2M in revenue. \sys outperforms SOTA fuzzers (\textsc{Verite}, \textsc{ItyFuzz}) by up to $5\times$ in ESR and $300\times$ in recoverable value, and the LLM-based exploit generator \textsc{A1} by $2\times$ and $8.5\times$ respectively. In a bug bounty evaluation, \sys identified 16 confirmed 0-day vulnerabilities, helping secure over \$70.6M and earning \$2,900 in bounties.