FSE 2026
Sun 5 - Thu 9 July 2026 Montreal, Canada

With the rapid development of blockchain, decentralized applications (DApps) have attracted massive funds due to their convenient interactive services. Recently, the increasing market value of DApps has also attracted many malicious actors who exploit smart contract vulnerabilities to launch attacks. Moreover, as smart contracts use more state variables to support complex functionality, some vulnerabilities can only be triggered in specific states (each marked as a "vulnerable state"), which brings new challenges to the vulnerability detection task. Although many smart contract fuzzers have been proposed for vulnerability detection, they remain limited by their inability to explore smart contract state spaces efficiently.

To address this challenge, we propose a novel fuzzer, Odyssey, with fine-grained state modeling and exploration, which efficiently explores smart contract state and increases the probability of reaching a vulnerable state. We improve the efficacy of the fuzzer with two key mechanisms: (1) we model an essential state space consisting of the variables related to sensitive operations, which compresses the exploration scope; (2) we design a state-aware exploration strategy that identifies test seeds which cover new state scope or cause interesting state transitions, thereby improving the efficiency of exploration.

To evaluate its performance in vulnerability detection, we apply Odyssey to a labeled benchmark consisting of 130 vulnerable contracts. Odyssey detects at least 70% more vulnerabilities than other fuzzers. Moreover, we evaluate Odyssey on a dataset that consists of 143 DApps (involving 437 contracts) from real-world security incidents. The experimental results demonstrate that state-aware feedback enhances Odyssey's ability to explore state, achieving 19% higher state coverage. Meanwhile, Odyssey successfully finds 15 exploits of vulnerabilities in real-world attacks, showing its advantage in detecting real-world vulnerabilities.
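
The two mechanisms named in the second paragraph can be illustrated with a small sketch; this is an added example, not Odyssey's implementation or code from the paper. It assumes a constructed toy contract model (the transaction names, the `ping` counter and the append-one-transaction mutation are all hypothetical) and compares seed retention driven by new essential states with retention driven only by new branches.

```python
import random

N = 3  # contributions required before close() succeeds (constructed toy contract)
TXS = ("contribute", "close", "withdraw", "ping")

def run(seq):
    """Execute a transaction sequence on a fresh toy contract.
    Returns (essential_state, branches_hit, reached_vulnerable_state)."""
    rounds, closed, pings = 0, False, 0
    branches, hit = set(), False
    for tx in seq:
        if tx == "contribute" and not closed and rounds < N:
            rounds += 1
            branches.add("contribute_ok")
        elif tx == "close" and rounds == N and not closed:
            closed = True
            branches.add("close_ok")
        elif tx == "withdraw" and closed:
            hit = True  # sensitive operation, reachable only in state (N, True)
            branches.add("withdraw_ok")
        elif tx == "ping":
            pings += 1  # unrelated to the sensitive operation, so left out of the state
            branches.add("ping_ok")
        else:
            branches.add(tx + "_revert")
    return (rounds, closed), branches, hit

def fuzz(state_aware, budget=5000, rng_seed=0):
    """Return (triggering sequence or None, number of essential states covered)."""
    rng = random.Random(rng_seed)
    corpus, seen_states, seen_branches = [[]], {(0, False)}, set()
    for _ in range(budget):
        child = rng.choice(corpus) + [rng.choice(TXS)]  # mutation: append one tx
        state, branches, hit = run(child)
        if hit:
            return child, len(seen_states)
        new_state = state not in seen_states
        new_branch = not branches <= seen_branches
        seen_states.add(state)
        seen_branches |= branches
        # State-aware feedback keeps seeds reaching a new essential state;
        # the baseline keeps seeds only when they cover a new branch.
        if new_state if state_aware else new_branch:
            corpus.append(child)
    return None, len(seen_states)

if __name__ == "__main__":
    print("state-aware:", fuzz(True))
    print("branch-only:", fuzz(False))
```

In this model the branch-only baseline discards a second `contribute` because it covers no new branch, so its corpus never accumulates the state needed for `close` to succeed, while the state-aware run keeps exactly the seeds that advance `(rounds, closed)`.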