Overview
Unchecked low-level calls occur when Solidity’s low-level functions (call, delegatecall, staticcall) are used without properly verifying their return values.
Failed low-level calls return false instead of reverting. If not checked, transactions appear successful while silently failing.
The Risk
Low-level calls in Solidity don’t automatically revert on failure. If the return value isn’t checked:
- Funds can be “sent” but never arrive
- State changes occur based on failed operations
- Users lose assets without error messages
Vulnerable Patterns
Unchecked Call
Unchecked Delegatecall
Unchecked Transfer
Safe Patterns
Check Return Value
Use SafeERC20
Use Transfer/Send (Limited)
API Response Example
Why Low-Level Calls?
Despite risks, low-level calls are sometimes necessary:
transfer() and send() forward only 2300 gas, which may not be enough for receiving contracts with complex fallback functions.