From Transactions to Exploits: Automated PoC Synthesis for Real-World DeFi Attacks

📅 2026-01-23
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
Manually reproducing proof-of-concept (PoC) exploits for DeFi attacks is highly dependent on expert knowledge, costly, and difficult to scale, thereby hindering systematic security analysis. To address this challenge, this work proposes TracExp, a novel framework that, for the first time, enables fully automated synthesis of verifiable PoCs directly from low-level execution traces of real-world attack transactions. TracExp integrates transaction trace analysis, contextual localization, a dual decompiler that translates execution traces into semantics-preserving pseudocode, and large language model-guided code generation to achieve end-to-end automation. Evaluated on 321 real attacks, TracExp successfully synthesized PoCs for 93% of them, with 58.78% directly verifiable; each synthesis incurred an average cost of merely $0.07. The framework has facilitated the public disclosure of numerous new PoCs, collectively earning $900 in bug bounties.

πŸ“ Abstract
Blockchain systems are increasingly targeted by on-chain attacks that exploit contract vulnerabilities to extract value rapidly and stealthily, making systematic analysis and reproduction highly challenging. In practice, reproducing such attacks requires manually crafting proofs-of-concept (PoCs), a labor-intensive process that demands substantial expertise and scales poorly. In this work, we present the first automated framework for synthesizing verifiable PoCs directly from on-chain attack executions. Our key insight is that attacker logic can be recovered from low-level transaction traces via trace-driven reverse engineering, and then translated into executable exploits by leveraging the code-generation capabilities of large language models (LLMs). To this end, we propose TracExp, which localizes attack-relevant execution contexts from noisy, multi-contract traces and introduces a novel dual-decompiler to transform concrete executions into semantically enriched exploit pseudocode. Guided by this representation, TracExp synthesizes PoCs and refines them to preserve exploitability-relevant semantics. We evaluate TracExp on 321 real-world attacks over the past 20 months. TracExp successfully synthesizes PoCs for 93% of incidents, with 58.78% being directly verifiable, at an average cost of only \$0.07 per case. Moreover, TracExp enabled the release of a large number of previously unavailable PoCs to the community, earning a $900 bounty and demonstrating strong practical impact.
Problem

Research questions and friction points this paper is trying to address.

DeFi attacks
Proof-of-Concept synthesis
smart contract vulnerabilities
on-chain attacks
attack reproduction
Innovation

Methods, ideas, or system contributions that make the work stand out.

automated PoC synthesis
trace-driven reverse engineering
dual-decompiler
large language models
DeFi exploit
Xing Su
School of Computer Science and Software Engineering, University of Wollongong
Artificial Intelligence; Multi-agent systems; Coordination
Hao Wu
State Key Laboratory for Novel Software Technology, Nanjing University
Hanzhong Liang
State Key Laboratory for Novel Software Technology, Nanjing University
Yunlin Jiang
State Key Laboratory for Novel Software Technology, Nanjing University
Yuxi Cheng
State Key Laboratory for Novel Software Technology, Nanjing University
Yating Liu
State Key Laboratory for Novel Software Technology, Nanjing University
Fengyuan Xu
State Key Laboratory for Novel Software Technology, Nanjing University