🤖 AI Summary
This work exposes the "insecurity through obscurity" paradox in smart contracts: keeping source code opaque, whether by deploying closed-source or by obfuscating the bytecode, does not enhance security and instead conceals critical asset-management vulnerabilities. To address this, we propose SKANF, the first automated vulnerability discovery and exploitation framework tailored to obfuscated Ethereum Virtual Machine (EVM) contracts. SKANF integrates control-flow deobfuscation, symbolic execution, and hybrid (concolic) execution driven by historical transactions. Evaluated on a real-world dataset of MEV bot contracts, SKANF identifies 1,028 vulnerabilities, generates 373 exploit-ready proofs-of-concept (POCs), and estimates potential losses exceeding $9 million. It also retroactively and precisely localizes 40 previously executed attacks, which account for $900,000 in actual losses. This study is the first to formally model the obscurity-security paradox and establishes a scalable, verifiable methodology for assessing the risk of opaque smart contracts.
📝 Abstract
Most blockchains cannot hide the binary code of programs (i.e., smart contracts) running on them. To conceal proprietary business logic and to potentially deter attacks, many smart contracts are closed-source and employ layers of obfuscation. However, we demonstrate that such obfuscation can obscure critical vulnerabilities rather than enhance security, a phenomenon we term insecurity through obscurity. To systematically analyze these risks on a large scale, we present SKANF, a novel EVM bytecode analysis tool tailored for closed-source and obfuscated contracts. SKANF combines control-flow deobfuscation, symbolic execution, and concolic execution based on historical transactions to identify and exploit asset management vulnerabilities. Our evaluation on real-world Maximal Extractable Value (MEV) bots reveals that SKANF detects vulnerabilities in 1,028 contracts and successfully generates exploits for 373 of them, with potential losses exceeding $9.0M. Additionally, we uncover 40 real-world MEV bot attacks that collectively resulted in $900K in losses.