myctrl.tools

SC06 Unchecked External Calls

>Control Description

Unchecked external calls occur when a smart contract invokes another contract or address via `call`, `delegatecall`, `staticcall`, or high-level calls like `transfer`/`send` without fully accounting for the callee's behavior, return value, or reentrancy potential. The calling contract assumes the callee will behave correctly, return success, avoid re-entering, and not execute arbitrary logic. This vulnerability affects all contract types performing external interactions: DeFi protocols (token transfers, DEX swaps, vault deposits, flash loan callbacks), NFTs (transfers with hooks, marketplace payouts), DAOs (proposal execution), bridges (message relay, asset transfers), and composable protocols (callbacks, ERC-777/721/1155 receiver hooks, ERC-4626 hooks).

**Exploitation Methods:**

- Reentrancy: implementing malicious logic in callbacks or token transfer hooks
- Silent failures: ignoring return values (e.g., non-returning ERC-20s), leaving state inconsistent
- Unexpected code execution: calling user-supplied or protocol-configurable addresses

>Prevention & Mitigation Strategies

1. Treat all external calls as untrusted — even standard tokens or well-known protocols can be upgraded or replaced.
2. Use the checks-effects-interactions pattern: validate pre-conditions, update internal state, then perform external calls.
3. Prefer pull over push for payments — allow users to withdraw rather than pushing funds to arbitrary addresses in loops.
4. Check return values and handle failure modes; use libraries like OpenZeppelin's SafeERC20 to wrap token operations.
5. Be extremely careful with low-level calls (`call`, `delegatecall`, `callcode`) and arbitrary callbacks (hooks, `onERC721Received`, `onFlashLoan`).

>Attack Scenarios

#1 GMX (July 2025, $42M loss)

The `executeDecreaseOrder` function transferred control to an attacker-supplied contract address during the refund process, enabling reentrancy. Poor ordering of the external call, missing checks, and unwarranted trust in the callee amplified the impact.

#2 Arcadia Finance (July 2025, $3.5M loss)

The `SwapLogic._swapRouter()` and `RebalancerSpot` contracts allowed arbitrary external calls to user-supplied router addresses via `swapData` parameters, without validating the callee. The protocol assumed routers lacked elevated permissions — an assumption not enforced in code. Unchecked callbacks enabled the drain.

>References
