EvoPoC: Automated Exploit Synthesis for DeFi Smart Contracts via Hierarchical Knowledge Graphs

📅 2026-05-04
🤖 AI Summary
This study addresses the bottleneck in verifying exploitability of disclosed DeFi smart contract vulnerabilities, which stems from the high cost of manually crafting proof-of-concept (PoC) exploits. To overcome this challenge, the work introduces a novel approach that, for the first time, integrates hierarchical knowledge graphs (HKGs) with large language models (LLMs), formulating exploit synthesis as a structured multi-hop reasoning problem. By unifying protocol semantics, root-cause vulnerability patterns, and exploit primitives, the authors propose a two-stage verification framework that combines SMT solving, asset-level state simulation, and hybrid static-dynamic analysis to ensure both logical reachability and economic feasibility. Evaluated on 88 real-world attacks and 72 audit cases, the method achieves a 98% recall rate, an F1 score of 0.9, and a 96.6% exploit success rate, successfully reproducing 85 historical attacks (involving $116 million), uncovering 16 zero-day vulnerabilities, aiding in the protection of $70.6 million in assets, and earning $2,900 in bug bounties.
📝 Abstract
Smart contract vulnerabilities in Decentralized Finance cause billions of dollars in losses every year, yet the security community faces a critical bottleneck: identifying a vulnerability is not the same as proving it is exploitable. Manual PoC construction is prohibitively labor-intensive, leaving most disclosed vulnerabilities unverified and protocols exposed long before mitigation is applied. In this paper, we propose EvoPoC, a knowledge-driven agentic system for end-to-end contract vulnerability detection and exploit synthesis. Our core insight is that exploit synthesis is not a code generation task but a structured reasoning problem that requires grounded knowledge of protocol semantics, failure root cause, and exploit primitives. EvoPoC organizes this knowledge into a Hierarchical Knowledge Graph (HKG) that serves as structured memory for LLM-guided multi-hop reasoning. To validate exploit feasibility beyond code synthesis, EvoPoC employs a two-stage validation framework that checks exploit-path reachability via SMT solving and profit realizability via asset-level state simulation, ensuring generated PoCs satisfy both logical and economic viability constraints. Evaluated on 88 real-world DeFi attacks and 72 audited projects (2,573 contracts), EvoPoC achieves 98% recall and a 0.9 F1-score in detection, and a 96.6% exploit success rate (ESR), reproducing 85 historical exploits and recovering over $116.2M in revenue. EvoPoC outperforms SOTA fuzzers (Verite, ItyFuzz) by up to 5× in ESR and 300× in recoverable value, and the LLM-based exploit generator A1 by 2× and 8.5× respectively. In bug bounty evaluation, EvoPoC identified 16 confirmed 0-day vulnerabilities, helping secure over $70.6M and earning $2,900 in bounties.
Problem keywords: DeFi; smart contract vulnerabilities; exploit synthesis; proof-of-concept; security verification
Innovation keywords: Hierarchical Knowledge Graph; Exploit Synthesis; DeFi Smart Contracts; LLM-guided Reasoning; Two-stage Validation
Authors
Ruichao Liang, School of Computer Science and Engineering, Nanyang Technological University, Singapore
Jing Chen, Professor, Wuhan University (Network Security, Cloud Security, Mobile Security)
Xianglong Li, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Huangpeng Gu, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Yebo Feng, Nanyang Technological University (Computer Security, Network Security, Blockchain Security, Network Traffic Analysis)
Yue Xue, Northwestern Memorial Hospital (gastrointestinal/liver/pancreas pathology)
Cong Wu, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Yang Liu, Nanyang Technological University (Agent, Software Engineering, Cyber Security, Trustworthy AI, Software Security)