Understanding Inconsistent State Update Vulnerabilities in Smart Contracts

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Smart contracts enable contract terms to be automatically executed and verified on the blockchain, and recent years have witnessed numerous applications of them in areas such as financial institutions and supply chains. The execution logic of a smart contract is closely related to the contract state, and thus the correct and safe execution of the contract depends heavily on the precise control and update of the contract state. However, the contract state update process can have issues. In particular, inconsistent state update issues can arise for reasons such as unsynchronized modifications. Inconsistent state update bugs have been exploited by attackers many times, but existing detection tools still have difficulty in effectively identifying them. This paper conducts the first large-scale empirical study about inconsistent state update vulnerabilities (that is, inconsistent state update bugs that are exploitable) in smart contracts, aiming to shed light for developers, researchers, tool builders, and language or library designers in order to avoid inconsistent state update vulnerabilities. We systematically investigate 116 inconsistent state update vulnerabilities in 352 real-world smart contract projects, summarizing their root causes, fix strategies, and exploitation methods. Our study provides 11 original and important findings, and we also give the implications of our findings. To illustrate the potential benefits of our research, we also develop a proof-of-concept checker based on one of our findings. The checker effectively detects issues in 64 popular GitHub projects, and 19 project owners have confirmed the detected issues at the time of writing. The result demonstrates the usefulness and importance of our findings for avoiding inconsistent state update vulnerabilities in smart contracts.


💡 Research Summary

This paper presents the first large-scale empirical study on “Inconsistent State Update Vulnerabilities” in Ethereum smart contracts. The research aims to demystify these vulnerabilities by systematically investigating their root causes, fix strategies, and exploitation methods, providing actionable insights for developers, researchers, tool builders, and language designers.

The study analyzes a substantial dataset of 116 real-world, exploitable inconsistent state update bugs (i.e., vulnerabilities) collected from 352 smart contract projects between 2021 and 2024, primarily sourced from the Code4rena audit competition. Each vulnerability was meticulously examined through its source code, bug reports, and fix patches.

The core findings are organized around three research questions:

  1. Root Causes (RQ1): The vulnerabilities are categorized into four primary root causes. The most prevalent cause (47.4%) is “Delayed Update in Multi-step Operations,” where state variables are not updated immediately after a related operation, often occurring in permission synchronization. The second major cause (34.48%) is “Incorrect Update Logic,” involving improper call sequences or flawed boundary condition handling. Other significant causes include the “Absence of Necessary State Variables” and the “Lack of Explicit Initialization/Re-initialization.”
  2. Fix Strategies (RQ2): The analysis of how developers patch these vulnerabilities reveals that the most common strategy (58.62%) is “Directly Modifying the Computation” on the unsafe state variables, particularly those related to timing. This strategy shows a strong correlation with the identified root causes, addressing the flawed logic directly.
  3. Exploitation Methods (RQ3): The study classifies how attackers leverage these bugs. The dominant method (56.03%) is “Exploiting Numerical Calculation Errors,” where attackers magnify computational discrepancies for gain. The second most common method (23.28%) is “Using Repeated Transactions,” exploiting stale state data to obtain repeated benefits within a short period.

From this analysis, the authors derive 11 original and important findings. They highlight, for instance, that while fix strategies are closely tied to root causes, the correlation between causes and exploitation methods is weaker. The infamous “The DAO” attack is also contextualized within their classification as an “Interim State Exploit.”

To demonstrate the practical utility of their research, the authors developed a proof-of-concept checker based on one finding: detecting state variables that are neither declared constant/immutable nor ever reassigned, which may indicate update omissions or unnecessary gas consumption. Evaluating this checker on 208 active, popular GitHub projects revealed issues in 64 projects, with 19 project owners confirming the findings. This validation underscores the real-world applicability and importance of the research.
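As an added illustration of the finding behind that checker (this is not the authors' tool, whose implementation the summary does not describe), the Python heuristic below scans a constructed Solidity contract and reports state variables that are neither `constant`/`immutable` nor written anywhere outside their declaration; the sample contract, its variable names and the regex-based parsing are assumptions made here.

```python
import re

# Constructed sample (not from the paper); only `cap` and `pendingFee` should be reported.
SAMPLE = """
contract Vault {
    address public immutable owner;
    uint256 public constant FEE_BPS = 30;
    uint256 public total;
    uint256 public cap = 100 ether;   // initialised once, never updated
    uint256 public pendingFee;        // declared, never written
    mapping(address => uint256) public balances;
    constructor() { owner = msg.sender; }
    function deposit() external payable {
        require(total <= cap, "cap reached");   // a comparison, not a write
        balances[msg.sender] += msg.value;
        total += msg.value;
    }
}
"""
# A depth-1 statement: <type> <modifiers...> <name> [= initializer]
DECL = re.compile(
    r"(?:mapping\s*\(.*\)|[A-Za-z_][\w.]*(?:\s*\[[^\]]*\])*)\s+"
    r"((?:(?:public|private|internal|constant|immutable|override)\s+)*)"
    r"([A-Za-z_]\w*)(?:\s*=\s*.+)?", re.S)

def split_by_depth(src):
    """Text at brace depth 1 (declarations) vs. depth >= 2 (function bodies)."""
    depth, top, nested = 0, [], []
    for ch in src:
        if ch in "{}": depth += 1 if ch == "{" else -1
        elif depth >= 1: (top if depth == 1 else nested).append(ch)
    return "".join(top), "".join(nested)

def is_written(name, code):
    """Heuristic: is `name` assigned, compound-assigned, incremented, deleted or pushed to?"""
    n = re.escape(name)
    pats = [rf"(?<![\w.]){n}\b(?:\s*\[[^\]]*\]|\.\w+)*\s*(?:=(?!=)|[-+*/%|&^]=|\+\+|--)",
            rf"\bdelete\s+{n}\b|(?:\+\+|--)\s*{n}\b|(?<![\w.]){n}\b\s*\.(?:push|pop)\s*\("]
    return any(re.search(p, code) for p in pats)

def find_never_reassigned(src):
    """State variables neither constant/immutable nor written outside their
    declaration (comments stripped; inline assembly is not understood)."""
    src = re.sub(r"//[^\n]*", "", re.sub(r"/\*.*?\*/", "", src, flags=re.S))
    top, nested = split_by_depth(src)
    decls = [DECL.fullmatch(c.strip()) for c in top.split(";")]
    return [m.group(2) for m in decls
            if m and not re.search(r"constant|immutable", m.group(1))
            and not is_written(m.group(2), nested)]
```

A hit either means the variable could be declared `constant`/`immutable` (saving gas) or that an intended update was omitted, which is exactly the ambiguity the paper reports project owners confirming.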

In conclusion, the paper argues that inconsistent state update vulnerabilities constitute a significant and under-addressed threat to smart contract security, as they involve complex inter-variable correlations that existing tools struggle to detect. The study’s comprehensive taxonomy, empirical insights, and practical tooling offer a foundational step towards better understanding, preventing, and detecting this class of vulnerabilities, ultimately contributing to more secure smart contract ecosystems.

