To address the low efficiency in identifying profitable vulnerabilities and the absence of profit-oriented strategies in DeFi smart contracts, this paper proposes VERITE—the first profit-centric fuzzing framework for DeFi. Methodologically, VERITE introduces (1) a DeFi-action-driven mutation mechanism to enhance vulnerability triggering; (2) an abnormal fund-flow detection criterion for joint identification of vulnerabilities and profit potential; and (3) a gradient-descent-based profit optimization strategy to automatically maximize arbitrage gains. The framework integrates symbolic transaction-path exploration with a custom-built full-stack fuzzing engine. Evaluated on 61 real-world exploited projects, VERITE autonomously extracted over $18 million in exploitable profits—substantially outperforming ITYFUZZ in both detection rate and realized profit. Additionally, VERITE discovered six zero-day vulnerabilities, earning bounties exceeding $2,500.

Billions of dollars are transacted through smart contracts, making vulnerabilities a major financial risk. One focus in the security arms race is on profitable vulnerabilities that attackers can exploit. Fuzzing is a key method for identifying these vulnerabilities. However, current solutions face two main limitations: a lack of profit-centric techniques for expediting detection, and insufficient automation in maximizing the profitability of discovered vulnerabilities, leaving the analysis to human experts. To address these gaps, we have developed VERITE, a profit-centric smart contract fuzzing framework that not only effectively detects those profitable vulnerabilities but also maximizes the exploited profits. VERITE has three key features: 1) DeFi action-based mutators for boosting the exploration of transactions with different fund flows; 2) potentially profitable candidates identification criteria, which checks whether the input has caused abnormal fund flow properties during testing; 3) a gradient descent-based profit maximization strategy for these identified candidates. VERITE is fully developed from scratch and evaluated on a dataset consisting of 61 exploited real-world DeFi projects with an average of over 1.1 million dollars loss. The results show that VERITE can automatically extract more than 18 million dollars in total and is significantly better than state-of-the-art fuzzer ITYFUZZ in both detection (29/9) and exploitation (58 times more profits gained on average). Remarkbly, in 12 targets, it gains more profits than real-world attacking exploits (1.01 to 11.45 times more). VERITE is also applied by auditors in contract auditing, where 6 (5 high severity) zero-day vulnerabilities are found with over $2,500 bounty rewards.