Decentralized Finance (DeFi) has turned blockchains into financial infrastructure, allowing anyone to trade, lend, and build protocols without intermediaries, but this openness exposes pools of value controlled by code. Within five years, the DeFi ecosystem has lost over 15.75B USD to reported exploits. Many exploits arise from permissionless opportunities that any participant can trigger using only public state and standard interfaces, which we call Anyone-Can-Take (ACT) opportunities. Despite on-chain transparency, postmortem analysis remains slow and manual: investigations start from limited evidence, sometimes only a single transaction hash, and must reconstruct the exploit lifecycle by recovering related transactions, contract code, and state dependencies. We present TxRay, a Large Language Model (LLM) agentic postmortem system that uses tool calls to reconstruct live ACT attacks from limited evidence. Starting from one or more seed transactions, TxRay recovers the exploit lifecycle, derives an evidence-backed root cause, and generates a runnable, self-contained Proof of Concept (PoC) that deterministically reproduces the incident. TxRay self-checks postmortems by encoding incident-specific semantic oracles as executable assertions. To evaluate PoC correctness and quality, we develop PoCEvaluator, an independent agentic execution-and-review evaluator. On 114 incidents from DeFiHackLabs, TxRay produces an expert-aligned root cause and an executable PoC for 105 incidents, achieving 92.11% end-to-end reproduction. Under PoCEvaluator, 98.1% of TxRay PoCs avoid hard-coding attacker addresses, a +24.8pp lift over DeFiHackLabs. In a live deployment, TxRay delivers validated root causes in 40 minutes and PoCs in 59 minutes at median latency. TxRay's oracle-validated PoCs enable attack imitation, improving coverage by 15.6% and 65.5% over STING and APE.