Last updated: March 11, 2025

SCWE-048: Unchecked Call Return Value

Stable Version v0.0.1

This content is in version v0.0.1 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).


Relationships

Description

Unchecked call return value vulnerabilities occur when a contract fails to validate the success or failure of low-level calls, such as call, delegatecall, and staticcall. Ignoring the return values of these calls can result in undetected errors, allowing malicious or unintended actions to succeed silently.

Remediation

  • Check return values: Always verify the success of low-level calls.
  • Use higher-level abstractions: Prefer transfer or send over call for sending Ether, as they revert on failure.

Examples

Vulnerable Contract Example

pragma solidity ^0.4.0;

contract UncheckedCall {
    function sendEther(address _recipient) public payable {
        _recipient.call.value(msg.value)(); // Unchecked call: the bool it returns is discarded, so a failed send goes unnoticed
    }
}

Fixed Contract Example

pragma solidity ^0.8.0;

contract CheckedCall {
    function sendEther(address payable _recipient) public payable {
        (bool success, ) = _recipient.call{value: msg.value}("");
        require(success, "Transfer failed");
    }
}
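As an added illustration that is not part of the SCWE page, the contract below (assumed to compile with Solidity 0.8.x) puts the three Ether-sending primitives from the Remediation list side by side and shows what each one actually reports: send returns a bool that must be checked, transfer reverts by itself, and call returns (bool, bytes) where the bool must be checked and the revert data can be bubbled up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from the SCWE page: contrasts how each
// Ether-sending primitive reports failure and how to check each one.
contract ReturnValueChecks {
    mapping(address => uint256) public balance;

    function deposit() external payable {
        balance[msg.sender] += msg.value;
    }

    // send() forwards a 2300 gas stipend and returns false on failure
    // instead of reverting; ignoring the bool leaves a silent failure.
    function withdrawWithSend(uint256 amount) external {
        require(balance[msg.sender] >= amount, "insufficient");
        balance[msg.sender] -= amount;
        bool ok = payable(msg.sender).send(amount);
        require(ok, "send failed");
    }

    // transfer() reverts on failure, so no explicit check is needed,
    // but the 2300 gas stipend can break recipients with costly fallbacks.
    function withdrawWithTransfer(uint256 amount) external {
        require(balance[msg.sender] >= amount, "insufficient");
        balance[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }

    // call() returns (bool, bytes). Check the bool; on failure, bubble up
    // the recipient's revert data so the reason is not lost.
    function withdrawWithCall(uint256 amount) external {
        require(balance[msg.sender] >= amount, "insufficient");
        balance[msg.sender] -= amount; // effects before the external interaction
        (bool ok, bytes memory ret) = payable(msg.sender).call{value: amount}("");
        if (!ok) {
            if (ret.length > 0) {
                assembly { revert(add(ret, 32), mload(ret)) }
            }
            revert("call failed");
        }
    }
}
```

Because each failed branch reverts, the balance debit made before the send is rolled back as well; without the check, the debit would persist while the Ether never left the contract.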