Smart contracts govern billions of dollars in decentralized finance (DeFi), yet automated vulnerability detection remains challenging because many vulnerabilities are tightly coupled with project-specific business logic. We observe that recurring vulnerabilities across diverse DeFi business models often share the same underlying economic mechanisms, which we term DeFi semantics, and that capturing these shared abstractions can enable more systematic auditing. Building on this insight, we propose Knowdit, a knowledge-driven, agentic workflow for smart contract vulnerability detection. Knowdit first constructs an auditing knowledge graph from historical human audit reports, linking fine-grained DeFi semantics with recurring vulnerability patterns. Given a new project, a multi-agent pipeline leverages this knowledge through an iterative loop of specification generation, Proof-of-Concept (PoC) synthesis, PoC execution, and finding reflection, driven by a shared repository index. We evaluate Knowdit on 11 recent Code4rena projects with 84 ground-truth vulnerabilities. Knowdit detects all 21 high-severity and 90% of medium-severity vulnerabilities without false positives, fully covering eight projects, significantly outperforming all baselines. Applied to seven real-world projects, Knowdit further discovers 9 high- and 36 medium-severity previously unknown vulnerabilities, securing millions in liquidity and proving its outstanding performance.
Knowdit: Agentic Smart Contract Vulnerability Detection with Auditing Knowledge Summarization
Smart contracts govern billions of dollars in decentralized finance (DeFi), yet automated vulnerability detection remains challenging because many vulnerabilities are tightly coupled with project-specific business logic.
- Preview

- Year
- 2026
- Hosting
- Excerpt onlyCC-BY-NC-4.0
Cite
Notes
Only stored in your browser.
Attribution
- Abstract & full text
- arxiv.org/abs/2603.26270CC-BY-NC-4.0
- TL;DR
- Semantic Scholar