Unchecked Call Return Value: A Silent but Dangerous Vulnerability in Smart Contracts
In the world of smart contract security, one commonly overlooked issue is the Unchecked Call Return Value vulnerability. This problem arises when developers use low-level functions such as call, delegatecall, or staticcall,but fail to verify whether the call succeeded or failed.
While the contract continues its operations as if everything went smoothly, in reality, the call may have silently failed,opening the door to bugs, logic errors, or even deliberate exploitation by attackers.
What Is the Unchecked Call Return Value Vulnerability?
When a smart contract uses low-level calls without checking their return values, it assumes success, even if the external contract throws an error or reverts. The execution continues blindly, possibly modifying the contract's state or proceeding with incorrect logic based on a failed transaction.
This silent failure can be either accidental, like a bug in the called contract, or intentional, where an attacker forces the call to fail in order to exploit the program's assumptions.
Example:
solidity
(bool success, ) = someContract.call(abi.encodeWithSignature("transfer(address,uint256)", recipient, amount)); // BAD: not checking `success` result
In the above code, if someContract fails to transfer tokens, the code continues as if it worked,causing inconsistencies or loss of funds.
Why Is This Vulnerability Dangerous?
Unchecked external calls can lead to a range of serious issues:
-
Loss of Funds: If a payment or transfer fails but the contract continues processing, users may lose money or receive nothing in return.
-
Incorrect Contract State: The system may update balances, ownerships, or logs based on the assumption that the operation succeeded.
-
Attack Surface Expansion: Attackers can exploit these assumptions to trigger reentrancy, denial of service, or manipulate state variables indirectly.
How to Prevent Unchecked Call Return Vulnerabilities
✅ Always Check Return Values
Whenever you use low-level calls like call, delegatecall, or staticcall, inspect the return value to determine if the operation succeeded.
solidity
(bool success, ) = someContract.call(...); require(success, "Call failed"); // GOOD: Ensures safety
✅ Prefer Higher-Level Functions
Use standard Solidity constructs or interfaces (like ERC-20’s transfer or approve) where errors are automatically propagated. Avoid low-level functions unless absolutely necessary.
✅ Add Fallback Logic
If the call can fail gracefully, implement fallback or recovery logic to handle failures securely and inform users appropriately.
✅ Use Audited Libraries
Consider using audited smart contract libraries like OpenZeppelin, which often handle low-level calls safely by default.
With AuditLensPlus, you can uncover vulnerabilities in your smart contracts quickly and cost-effectively, empowering you to take the right steps toward more secure and robust code.
Final Thoughts
Unchecked call return values are the silent killers of Solidity contracts. They often go unnoticed until it’s too late,when money is lost, or state corruption occurs.
Smart contract developers must treat every external call with suspicion. Always check your assumptions, verify return values, and follow secure coding practices.
Our Recommendation:
References:
https://swcregistry.io/docs/SWC-104
