This paper presents the first large-scale empirical study on inconsistent state update vulnerabilities in smart contracts—arising from concurrent execution or exceptional control-flow paths. We systematically analyze real-world contract code, exploit cases, and patch practices to identify root causes (e.g., non-atomic operations, state leakage after exceptions) and exploitation patterns, yielding 11 key findings. To address this, we propose a static detection method that jointly models control flow and state dependencies, implemented in a lightweight proof-of-concept tool, InconState. Evaluated on 64 mainstream open-source smart contracts, InconState identified 52 potential vulnerabilities; 19 were confirmed and patched by project maintainers. Our work provides foundational insights, a practical detection tool, and engineering guidelines for ensuring state consistency in smart contracts—bridging theory, tooling, and real-world remediation.

Smart contracts enable contract terms to be automatically executed and verified on the blockchain, and recent years have witnessed numerous applications of them in areas such as financial institutions and supply chains. The execution logic of a smart contract is closely related to the contract state, and thus the correct and safe execution of the contract depends heavily on the precise control and update of the contract state. However, the contract state update process can have issues. In particular, inconsistent state update issues can arise for reasons such as unsynchronized modifications. Inconsistent state update bugs have been exploited by attackers many times, but existing detection tools still have difficulty in effectively identifying them. This paper conducts the first large-scale empirical study about inconsistent state update vulnerabilities (that is, inconsistent state update bugs that are exploitable) in smart contracts, aiming to shed light for developers, researchers, tool builders, and language or library designers in order to avoid inconsistent state update vulnerabilities. We systematically investigate 116 inconsistent state update vulnerabilities in 352 real-world smart contract projects, summarizing their root causes, fix strategies, and exploitation methods. Our study provides 11 original and important findings, and we also give the implications of our findings. To illustrate the potential benefits of our research, we also develop a proof-of-concept checker based on one of our findings. The checker effectively detects issues in 64 popular GitHub projects, and 19 project owners have confirmed the detected issues at the time of writing. The result demonstrates the usefulness and importance of our findings for avoiding inconsistent state update vulnerabilities in smart contracts.