This work addresses composability vulnerabilities in decentralized finance (DeFi) arising from interactions between constant-product market makers (CPMMs) and incompatible token contracts—a previously unformalized class of bugs. We introduce CPMMX, the first automated detection tool for such vulnerabilities. Methodologically, CPMMX employs a “shallow-deep” two-phase search framework: the shallow phase leverages safety invariant modeling and symbolic execution to rapidly filter suspicious contracts; the deep phase performs transaction path optimization and profitability verification to confirm exploitability. CPMMX supports large-scale scanning across Ethereum and BNB Chain. Evaluation shows CPMMX achieves 1.5–2.5× higher vulnerability detection rates than baseline tools across multiple datasets, with substantial F1-score improvement. In real-world deployment, it identified 26 previously unknown exploitable vulnerabilities, with estimated maximum arbitrage profits totaling $15,700.

Decentralized Finance (DeFi) enables many novel applications that were impossible in traditional finances. However, it also introduces new types of vulnerabilities. An example of such vulnerabilities is a composability bug between token contracts and Decentralized Exchange (DEX) that follows the Constant Product Market Maker (CPMM) model. This type of bug, which we refer to as CPMM composability bug, originates from issues in token contracts that make them incompatible with CPMMs, thereby endangering other tokens within the CPMM ecosystem. Since 2022, 23 exploits of such kind have resulted in a total loss of 2.2M USD. BlockSec, a smart contract auditing company, reported that 138 exploits of such kind occurred just in February 2023. In this paper, we propose CPMMX , a tool that automatically detects CPMM composability bugs across entire blockchains. To achieve such scalability, we first formalized CPMM composability bugs and found that these bugs can be induced by breaking two safety invariants. Based on this finding, we designed CPMMX equipped with a two-step approach, called shallow-then-deep search. In more detail, it first uses shallow search to find transactions that break the invariants. Then, it uses deep search to refine these transactions, making them profitable for the attacker. We evaluated CPMMX against five baselines on two public datasets and one synthetic dataset. In our evaluation, CPMMX detected 2.5x to 1.5x more vulnerabilities compared to baseline methods. It also analyzed contracts significantly faster, achieving higher F1 scores than the baselines. Additionally, we applied CPMMX to all contracts on the latest blocks of the Ethereum and Binance networks and discovered 26 new exploits that can result in 15.7K USD profit in total.