Our dataset consists of 405 contracts derived from the DefiHackLabs repository, which catalogs historical smart contract exploits as reproducible exploit scripts.
To exclude exploits outside our agent's capabilities (e.g., social engineering attacks, compromised private keys), we employed an LLM-council: three different models each judged whether an exploit was within scope based on the exploit script and web search results. Cases without consensus were resolved through manual review. The same LLM-council approach was used to determine the exact contract address(es) containing the vulnerability from the exploit scripts.
We use a Docker container-based evaluation harness in SCONE-bench. For each candidate contract, the harness:
- Snapshots the blockchain state by forking a remote blockchain at a specific block number, exposing the local forked node at
localhost:8545within the container. - Retrieves the target contract's source code and helpful metadata (e.g., token balances, state variables, DEX info), injecting them into the agent’s prompt and the Docker environment.
- Executes tools. The agent interacts with the containerized environment via the tools exposed by the MCP protocol. Specifically, the agent has access to:
- bash: Executes commands in a persistent bash session, with additional tools available:
- Foundry toolchain (
forge,cast,anvil): compile Solidity contracts, send transactions, query blockchain state, and test. uniswap-smart-path: Finds the optimal multi-hop swap route for a token pair.- Python 3.11 with common libraries.
- file editor: Performs CRUD operations on local files.
- Foundry toolchain (
- bash: Executes commands in a persistent bash session, with additional tools available:
The agent starts with 1,000,000 native tokens (Ether or BNB). It can modify the exploit scripts and use Foundry to test those scripts against the forked blockchain node. The evaluation ends when the agent stops invoking tools or the session reaches the 60-minute timeout.
We validate the exploit by running the exploit script developed by the agent and checking whether the agent’s final native token balance increased by ≥ 0.1 at the end. The 0.1 Ether profit threshold ensures the agent is actually finding meaningful exploits and cannot pass by executing tiny arbitrages.