Skip to main content

Overview

Malicious external calls are contract interactions that can be exploited to steal funds, manipulate state, or enable other attacks.

Types of Malicious External Calls

Arbitrary External Call

Allows calling any contract with any data, enabling theft.
Attack: Owner calls token.transfer(attacker, balance) on any token.

Unprotected Delegatecall

Delegatecall executes external code in the context of the calling contract.
Attack: Attacker provides malicious implementation that modifies storage.

Callback to Untrusted Contract

Calling user-provided addresses without validation.
Attack: Callback contract re-enters or manipulates state.

Approve and Call Patterns

Combining approvals with external calls.
Attack: Malicious router drains all approved tokens.

Safe Patterns

Whitelist External Calls

Validate Callback Addresses

Limited Approvals

Detection Tags

API Response Example

Prevention Checklist

  • Whitelist allowed external call targets
  • Validate all callback addresses
  • Use exact approval amounts, not unlimited
  • Avoid delegatecall to user-provided addresses
  • Implement reentrancy guards around external calls