Papers
Topics
Authors
Recent
Search
2000 character limit reached

Knowdit: DeFi Vulnerability Detection

Updated 3 July 2026
  • Knowdit is a knowledge-driven framework that integrates human audit insights into a structured knowledge graph to identify vulnerabilities in DeFi smart contracts.
  • It employs a multi-agent iterative process that generates, refines, and executes test harnesses based on semantic mappings between DeFi logic and attack patterns.
  • Empirical evaluations show 100% high-severity recall and 96% precision, outperforming existing static and template-based auditing tools.

Knowdit is a knowledge-driven, agentic framework for vulnerability detection in smart contracts, with a particular focus on decentralized finance (DeFi) applications. The system leverages an auditing knowledge graph distilled from historical human audit reports, capturing reusable DeFi-specific semantics and linking them to recurring vulnerability patterns. A multi-agent architecture coordinates the application of this knowledge through an iterative process, yielding significantly improved precision and recall over previous automated approaches for finding vulnerabilities in complex, business logic–intensive DeFi protocols (Kong et al., 27 Mar 2026).

1. Motivation and Challenges in Automated DeFi Auditing

Automated vulnerability detection in DeFi smart contracts faces two principal obstacles:

  • Project-specific business logic: Every DeFi protocol implements highly bespoke on-chain economic mechanisms—such as lending, staking, or cross-chain bridging—that elude detection by generic property oracles and random fuzzers. Vulnerabilities often depend on protocol-specific invariants neither captured nor exercised by static or template-based tools.
  • Recurring DeFi semantics: While the surface code of DeFi projects varies, many vulnerabilities are underpinned by common economic mechanisms, termed "DeFi semantics." Examples include proportional-shares accounting leading to "first-depositor" attacks across divergent projects.

Traditional tools either operate solely at the code-level pattern granularity or utilize fixed property templates, both approaches insufficiently generalizing to novel, project-specific attack surfaces. The key insight underpinning Knowdit is that aggregating human auditors’ expertise about DeFi semantics and attack patterns into a retrievable, structured form enables more systematic and comprehensive automated detection.

2. Auditing Knowledge Graph: Structure and Construction

Knowdit builds a bipartite knowledge graph G=(V,E)G = (V, E), where V=Vdefi∪VvulnV = V_{defi} \cup V_{vuln} and EE encodes semantic and causal associations.

  • VdefiV_{defi}: Nodes for business types, Solidity projects, and distinct DeFi semantics.
  • VvulnV_{vuln}: Nodes for vulnerability patterns, audit findings, and attack types.

Seven principal edge types (all many-to-many except "has") model relationships:

  • belongsTo (SolidityProject → BusinessType)
  • contains (SolidityProject → DeFiSemantic)
  • underlies (DeFiSemantic → BusinessType)
  • has (SolidityProject → AuditingFinding)
  • contributesTo (VulnerabilityPattern → AuditingFinding)
  • poses (VulnerabilityPattern → AttackType)
  • involves (AuditingFinding → AttackType)
  • mayIntroduce (DeFiSemantic → VulnerabilityPattern)

Formally, for sets S={s1,...,sm}⊆VdefiS = \{s_1,...,s_m\} \subseteq V_{defi} and P={p1,...,pn}⊆VvulnP = \{p_1,...,p_n\} \subseteq V_{vuln}, the relation EmayIntroduce⊂S×PE_{mayIntroduce} \subset S \times P encodes historic observations of which DeFi semantics have been implicated in which kinds of vulnerabilities.

Extraction process (LLM-based, incremental):

  • Stage I: DeFi Semantics – Classifies business type, abstracts economic logic functions, merges and deduplicates candidate semantics, and inserts associated edges.
  • Stage II: Vulnerability Patterns – Generalizes root-cause patterns from 3,904 audit findings, classified by attack type, and merges with the existing vulnerability node set.
  • Stage III: Causal Linking – Employs LLM prompts to establish mayIntroduce relationships for each project–report pair by reasoning about causal links between observed DeFi semantics and vulnerabilities.

3. Multi-Agent Iterative Audit Process

The core of Knowdit’s operation is a multi-agent workflow interacting via a shared "WorkingMemory" structure comprising fields for coverage maps, logs, and feedback. The process includes:

  • Knowledge Mapper: Maps a new project's code to DeFi semantics and assembles a queue of semantic–vulnerability pattern pairs for auditing.
  • Specification Generator: For each (s,p)(s, p) pair, emits a concrete specification Spec=(I,Pre,Post)\text{Spec} = (\mathcal{I}, \text{Pre}, \text{Post}), defining initial deployment/funding, pre-vulnerability invariants, and expected post-vulnerability violations.
  • Harness Synthesizer: Instantiates a Foundry-style fuzz harness V=Vdefi∪VvulnV = V_{defi} \cup V_{vuln}0, parameterized to exercise the identified semantics and oracle checks.
  • Fuzz Executor: Runs the harness within a bounded resource budget, records line coverage and any invariant violations.
  • Finding Reflector: Triages violations to distinguish expected behavior, valid vulnerabilities, or instances of unsound specification/harness logic. Updates to the knowledge graph and working memory are performed on-the-fly, enabling incremental improvement and coverage tracking.

A simplified pseudocode fragment outlining the audit loop: V=Vdefi∪VvulnV = V_{defi} \cup V_{vuln}8

4. Integration and Formal Use of DeFi Semantics

Auditing leverages the formal structure of the knowledge graph by selecting candidate vulnerability patterns V=Vdefi∪VvulnV = V_{defi} \cup V_{vuln}1, where V=Vdefi∪VvulnV = V_{defi} \cup V_{vuln}2 aggregates all patterns V=Vdefi∪VvulnV = V_{defi} \cup V_{vuln}3 for which V=Vdefi∪VvulnV = V_{defi} \cup V_{vuln}4 is a mayIntroduce edge in V=Vdefi∪VvulnV = V_{defi} \cup V_{vuln}5. Each V=Vdefi∪VvulnV = V_{defi} \cup V_{vuln}6 pair is the subject of targeted specification and fuzzing. This approach enables detection of vulnerabilities that hinge on business-logic–dependent invariants and operationalizes human auditor intuition in specification synthesis and oracle construction.

5. Empirical Evaluation and Results

Dataset:

  • 12 Code4rena projects (post-September 2024), totaling 100 Solidity contracts and 75 ground-truth vulnerabilities (14 high-severity, 61 medium-severity; QA issues excluded).

Knowledge base:

  • 270 historical projects yielded 475 unique DeFi semantics, 579 vulnerability patterns, and 2,096 semantic-to-pattern links.

Baselines:

  • GPTScan, LLMAudit (static), PROMFUZZ, PropertyGPT (LLM-invariant), all at default settings.

Metrics:

  • Recall and precision defined by

V=Vdefi∪VvulnV = V_{defi} \cup V_{vuln}7

Summary of results:

Method High Recall Medium Recall Precision
KNOWDIT 100% 77% 96%
Best Baseline ≤29% ≤30% ≤84%

KNOWDIT detected 14/14 high-severity and 47/61 medium-severity vulnerabilities with only 2 false positives. It substantially exceeded all baselines in recall (particularly for high-severity issues) and precision (Kong et al., 27 Mar 2026).

6. Illustrative Case Studies

  • First-Depositor Pattern (InsureDAO, Salty.IO): The knowledge graph connected the DeFi semantic "proportional-share accounting" to the "first-depositor" attack pattern. Upon detecting this semantic in both projects, Knowdit automatically generated and executed fuzz harnesses that exploited the bug, without human intervention.
  • Bridge-Retry Logic (Anon Project X): Knowdit recognized cross-chain bridge semantics and surfaced a replay attack vulnerability ("missing failed-batch tracking"). The system generated specifications and handlers to loop bridge calls with controlled arguments, discovering unauthorized transfers confirmed by the finding reflector. Developers subsequently patched the flaw.

These cases exemplify Knowdit’s ability to generalize knowledge-driven vulnerability detection across different protocols, both by reusing previously observed semantic–attack mappings and by autonomously generating precise specifications and test oracles.

7. Limitations and Prospects

Current limitations include:

  • Specification hallucination: In approximately 10% of missed medium-severity bugs, the LLM-generated specification or harness failed to compile or cover the root cause.
  • Knowledge gaps: Project-specific invariants never captured in historical data may be absent from the knowledge graph, leading to potential blind spots.

Potential future directions:

  • Continuous integration of newly published audit knowledge into the graph.
  • Deployment of procedural audit strategies (e.g., simulating specific financial edge cases).
  • Local code retrieval agents to optimize for large codebases and token usage.
  • Selective human-in-the-loop spot checks for ambiguous verdicts returned by the finding reflector.

Broader impact expectations include advancing the fidelity and recall of automated auditing to near-human levels, reducing the risk and economic loss in DeFi ecosystems, and providing a model for other knowledge graph–driven, LLM-integrated security paradigms (Kong et al., 27 Mar 2026).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Knowdit.