Blockchain systems are increasingly targeted by on-chain attacks that exploit contract vulnerabilities to extract value rapidly and stealthily, making systematic analysis and reproduction highly challenging. In practice, reproducing such attacks requires manually crafting proofs-of-concept (PoCs), a labor-intensive process that demands substantial expertise and scales poorly. In this work, we present the first automated framework for synthesizing verifiable PoCs directly from on-chain attack executions. Our key insight is that attacker logic can be recovered from low-level transaction traces via trace-driven reverse engineering, and then translated into executable exploits by leveraging the code-generation capabilities of large language models (LLMs). To this end, we propose TracExp, which localizes attack-relevant execution contexts from noisy, multi-contract traces and introduces a novel dual-decompiler to transform concrete executions into semantically enriched exploit pseudocode. Guided by this representation, TracExp synthesizes PoCs and refines them to preserve exploitability-relevant semantics. We evaluate TracExp on 321 real-world attacks over the past 20 months. TracExp successfully synthesizes PoCs for 93% of incidents, with 58.78% being directly verifiable, at an average cost of only \$0.07 per case. Moreover, TracExp enabled the release of a large number of previously unavailable PoCs to the community, earning a $900 bounty and demonstrating strong practical impact.

翻译：区块链系统正日益遭受链上攻击的威胁，攻击者通过利用合约漏洞快速且隐蔽地窃取价值，这使得系统性分析与复现变得极具挑战性。在实践中，复现此类攻击通常需要手动构建概念验证（PoC），这是一个劳动密集型过程，不仅需要大量专业知识，且难以规模化。本工作提出了首个能够直接从链上攻击执行记录中合成可验证PoC的自动化框架。我们的核心洞见在于：攻击者逻辑可通过基于执行轨迹的逆向工程从底层交易轨迹中恢复，并借助大语言模型（LLM）的代码生成能力转化为可执行的漏洞利用程序。为此，我们提出了TracExp，该系统能够从包含多合约交互的噪声轨迹中定位与攻击相关的执行上下文，并引入一种新颖的双重反编译器，将具体执行过程转化为语义增强的漏洞利用伪代码。在此表示形式的指导下，TracExp合成PoC并对其进行精炼，以保留与漏洞可利用性相关的语义。我们在过去20个月内发生的321次真实攻击案例上评估了TracExp。该系统成功为93%的攻击事件合成了PoC，其中58.78%可直接验证，平均每个案例的成本仅为0.07美元。此外，TracExp向社区发布了大量此前未公开的PoC，获得了900美元赏金，展现出强大的实际影响力。