PoCo: Agentic Proof-of-Concept Exploit Generation for Smart Contracts

  • 2025-11-04 18:03:12
  • Vivi Andersson, Sofia Bobadilla, Harald Hobbelhagen, Martin Monperrus

Abstract

Smart contracts operate in a highly adversarial environment, where vulnerabilities can lead to substantial financial losses. Thus, smart contracts are subject to security audits. In auditing, proof-of-concept (PoC) exploits play a critical role by demonstrating to the stakeholders that the reported vulnerabilities are genuine, reproducible, and actionable. However, manually creating PoCs is time-consuming, error-prone, and often constrained by tight audit schedules. We introduce POCO, an agentic framework that automatically generates executable PoC exploits from natural-language vulnerability descriptions written by auditors. POCO autonomously generates PoC exploits in an agentic manner by interacting with a set of code-execution tools in a Reason-Act-Observe loop. It produces fully executable exploits compatible with the Foundry testing framework, ready for integration into audit reports and other security tools. We evaluate POCO on a dataset of 23 real-world vulnerability reports. POCO consistently outperforms the prompting and workflow baselines, generating well-formed and logically correct PoCs. Our results demonstrate that agentic frameworks can significantly reduce the effort required for high-quality PoCs in smart contract audits. Our contribution provides readily actionable knowledge for the smart contract security community.
