top of page

What Is Unchecked External Call in Smart Contracts?

  • Apr 21
  • 5 min read

Unchecked external calls are a common security risk in smart contract development. They occur when a contract calls another contract or address without verifying the success of that call. This can lead to unexpected failures or exploits that compromise contract logic and funds.

Understanding unchecked external calls is essential for anyone working with Ethereum or similar blockchain platforms. This article explains what unchecked external calls are, why they are dangerous, and how to handle them safely.

What is an unchecked external call in smart contracts?

An unchecked external call happens when a smart contract sends a message or transfers funds to another contract or address but does not verify if the call succeeded. In Solidity, this often occurs when using low-level functions like call(), send(), or transfer() without checking their return values.

Unchecked calls ignore whether the external contract executed correctly or reverted due to errors. This can cause the calling contract to continue execution as if everything went fine, leading to inconsistent states or lost funds.

  • Definition of unchecked call: It is a call to an external contract where the success or failure result is not checked or handled, risking silent failures.

  • Common Solidity functions involved: call(), send(), and transfer() are low-level functions that require checking their boolean return values to confirm success.

  • Difference from checked calls: Checked calls explicitly verify the return value or use try/catch to handle failures, preventing unexpected behavior.

  • Why it matters: Ignoring call results can lead to bugs, loss of funds, or security vulnerabilities like reentrancy attacks.


Unchecked external calls are a subtle but critical issue in smart contract security. Developers must always verify external call results to maintain contract integrity.

How do unchecked external calls cause security vulnerabilities?

Unchecked external calls can open the door to several security problems. When a contract does not confirm that an external call succeeded, it may assume funds were transferred or actions completed when they were not. Attackers can exploit this to manipulate contract state or drain assets.

One of the most notorious vulnerabilities related to unchecked calls is the reentrancy attack, where an attacker repeatedly calls back into a contract before its state updates, causing inconsistent balances.

  • Reentrancy attacks: Unchecked calls allow attackers to reenter the contract during an external call, exploiting the contract's inconsistent state.

  • Silent failures: If a call fails silently, the contract may proceed with incorrect assumptions, leading to logic errors or lost funds.

  • Denial of service risks: External calls may fail due to gas limits or revert reasons, and unchecked calls ignore these failures, causing unexpected behavior.

  • Loss of funds: When sending Ether without checking success, funds may not transfer but the contract assumes they did, leading to discrepancies.


Unchecked external calls are a common root cause of many high-profile smart contract exploits. Proper handling is essential to secure contracts.

What are the common Solidity functions that involve unchecked external calls?

In Solidity, several functions are used to interact with other contracts or addresses. Some of these require explicit checks to ensure the call succeeded. Failure to check their return values leads to unchecked external calls.

Understanding these functions helps developers write safer contracts by handling call results properly.

  • call(): A low-level function that forwards all remaining gas and returns a boolean indicating success; requires explicit checking.

  • send(): Sends 2300 gas and returns a boolean success value; must check the return to confirm Ether transfer.

  • transfer(): Similar to send() but reverts on failure; generally safer but can fail due to gas limits in some cases.

  • function calls via interfaces: Higher-level calls that revert on failure, reducing unchecked call risks but still require try/catch for error handling.


Developers should avoid using call() and send() without checking their results and prefer transfer() or interface calls with proper error handling.

How can you detect unchecked external calls in smart contract code?

Detecting unchecked external calls is crucial for auditing and securing smart contracts. Tools and manual code reviews can identify places where external calls are made without verifying success.

Recognizing unchecked calls helps prevent vulnerabilities before deployment.

  • Manual code review: Look for call(), send(), or transfer() functions without checking their boolean return values.

  • Static analysis tools: Use tools like Mythril, Slither, or Oyente that scan contracts for unchecked calls and other vulnerabilities.

  • Automated linters: Solidity linters can warn about missing checks on external call results during development.

  • Security audits: Professional audits include detection of unchecked external calls as part of vulnerability assessments.


Combining automated tools with manual review provides the best defense against unchecked external call vulnerabilities.

What are the best practices to prevent unchecked external calls?

Preventing unchecked external calls involves writing Solidity code that always verifies the success of external interactions. Following best practices reduces security risks and improves contract reliability.

These practices help maintain contract integrity and protect user funds.

  • Always check return values: When using call() or send(), verify the returned boolean and handle failures gracefully.

  • Prefer transfer() or interface calls: Use transfer() for Ether transfers and interface calls that revert on failure to reduce unchecked calls.

  • Use try/catch blocks: For external contract calls, use try/catch to handle errors and revert reasons explicitly.

  • Limit external calls: Minimize external calls in critical functions to reduce attack surface and complexity.


Adhering to these practices is essential for secure smart contract development and avoiding common pitfalls.

How do unchecked external calls compare to checked calls in terms of security?

Unchecked external calls pose significant security risks compared to checked calls. Checked calls verify success and handle failures, preventing many common exploits.

Understanding the difference helps developers choose safer coding patterns.

  • Unchecked calls risk failure: They ignore call results, allowing silent failures that can corrupt contract state or lose funds.

  • Checked calls ensure correctness: They verify success and revert or handle errors, maintaining consistent contract behavior.

  • Security implications: Checked calls reduce vulnerabilities like reentrancy and denial of service by managing external call outcomes.

  • Development complexity: Checked calls require more code but provide stronger guarantees and safer contracts.


Using checked external calls is a fundamental security measure that every smart contract developer should implement.

What tools can help you audit for unchecked external calls?

Several tools assist developers and auditors in detecting unchecked external calls and other vulnerabilities in smart contracts. These tools analyze Solidity code and bytecode to find risky patterns.

Using these tools improves contract security before deployment.

  • Slither: A static analysis tool that detects unchecked calls and provides detailed reports on contract issues.

  • Mythril: A security analysis tool that uses symbolic execution to find vulnerabilities including unchecked external calls.

  • Oyente: An early smart contract analyzer that flags unchecked calls and reentrancy risks.

  • Solhint: A Solidity linter that warns about missing checks on call results during development.


Integrating these tools into your development workflow helps catch unchecked external calls early and strengthens contract security.

Conclusion

Unchecked external calls are a critical security concern in smart contract development. They occur when contracts call external addresses without verifying success, leading to silent failures and vulnerabilities like reentrancy attacks.

Understanding unchecked external calls and how to detect and prevent them is essential for building secure blockchain applications. Always check external call results, use safer call methods, and leverage auditing tools to protect your contracts and users.

FAQs

What is an unchecked external call in Solidity?

An unchecked external call is when a contract calls another contract or address without verifying if the call succeeded, often by ignoring the boolean return value of call(), send(), or transfer().

Why are unchecked external calls dangerous?

They can cause silent failures, inconsistent contract states, and enable attacks like reentrancy, risking loss of funds and contract malfunction.

How can I avoid unchecked external calls in my smart contract?

Always check the return value of external calls, prefer transfer() or interface calls, and use try/catch blocks to handle errors properly.

Which tools detect unchecked external calls?

Tools like Slither, Mythril, Oyente, and Solhint analyze contracts to find unchecked external calls and other security issues.

Can unchecked external calls cause reentrancy attacks?

Yes, unchecked calls can allow attackers to reenter a contract before state updates, exploiting inconsistent states and causing reentrancy vulnerabilities.

Recent Posts

See All
What is Honeypot Token?

Learn what a Honeypot Token is, how it works, its risks, and how to spot and avoid these crypto scams effectively.

 
 
 
What Is Volume Bot Scam?

Learn what a volume bot scam is, how it works, and how to protect yourself from fake trading volumes in crypto markets.

 
 
 

Comments

bottom of page