Unchecked External Calls

Unchecked External Calls occur when a smart contract calls an external contract or address without validating the target, checking the call's return value, or bounding the gas it forwards. Because the callee runs arbitrary code and the caller ignores the outcome, an attacker can use the call to re-enter the contract, steal funds, or manipulate contract state.

Remediation

  • Use checks-effects-interactions pattern: update internal state before making external calls.
  • Validate external addresses and restrict calls to known, trusted contracts when possible.
  • Handle and check return values from external calls; do not assume success.
  • Limit gas forwarded to external calls to prevent unexpected execution or reentrancy.
  • Consider using `call`, `delegatecall`, or `send` safely with proper error handling and guards.

Metadata

  • Severity: medium
  • Slug: unchecked-external-calls

CWEs

  • 284: Improper Access Control
  • 841: Improper Enforcement of Behavioral Workflow

OWASP

  • SC06:2025: Unchecked External Calls
