Skip to main content

Overview

Unchecked low-level calls occur when Solidity’s low-level functions (call, delegatecall, staticcall) are used without properly verifying their return values.
Failed low-level calls return false instead of reverting. If not checked, transactions appear successful while silently failing.

The Risk

Low-level calls in Solidity don’t automatically revert on failure. If the return value isn’t checked:
  • Funds can be “sent” but never arrive
  • State changes occur based on failed operations
  • Users lose assets without error messages

Vulnerable Patterns

Unchecked Call

Unchecked Delegatecall

Unchecked Transfer

Safe Patterns

Check Return Value

Use SafeERC20

Use Transfer/Send (Limited)

Detection Tags

API Response Example

Why Low-Level Calls?

Despite risks, low-level calls are sometimes necessary:
transfer() and send() forward only 2300 gas, which may not be enough for receiving contracts with complex fallback functions.