Ethereum smart contracts suffer from unverified code, complex proxy architectures, and manual analysis of execution traces, hindering attack provenance and vulnerability attribution in DeFi/NFT contexts. To address this, we propose the first security analysis framework jointly leveraging execution traces and decompiled contract code. Our method introduces an algorithm for identifying anomalous execution paths, develops an LLM-enhanced decompiler, and establishes the first trace–code alignment benchmark. By fusing multi-source information, it enables automated attack-path tracing, scenario reconstruction, and interpretable diagnostics. Evaluated on 27 labeled cases, our framework achieves 85.19% accuracy in attacker/victim identification and 70.37% factual accuracy in diagnostic reports—surpassing the best baseline by 25.93%. On 148 real-world incidents, expert validation confirms 66.22% accuracy.

Ethereum smart contracts hold tens of billions of USD in DeFi and NFTs, yet comprehensive security analysis remains difficult due to unverified code, proxy-based architectures, and the reliance on manual inspection of complex execution traces. Existing approaches fall into two main categories: anomaly transaction detection, which flags suspicious transactions but offers limited insight into specific attack strategies hidden in execution traces inside transactions, and code vulnerability detection, which cannot analyze unverified contracts and struggles to show how identified flaws are exploited in real incidents. As a result, analysts must still manually align transaction traces with contract code to reconstruct attack scenarios and conduct forensics. To address this gap, TraceLLM is proposed as a framework that leverages LLMs to integrate execution trace-level detection with decompiled contract code. We introduce a new anomaly execution path identification algorithm and an LLM-refined decompile tool to identify vulnerable functions and provide explicit attack paths to LLM. TraceLLM establishes the first benchmark for joint trace and contract code-driven security analysis. For comparison, proxy baselines are created by jointly transmitting the results of three representative code analysis along with raw traces to LLM. TraceLLM identifies attacker and victim addresses with 85.19% precision and produces automated reports with 70.37% factual precision across 27 cases with ground truth expert reports, achieving 25.93% higher accuracy than the best baseline. Moreover, across 148 real-world Ethereum incidents, TraceLLM automatically generates reports with 66.22% expert-verified accuracy, demonstrating strong generalizability.