🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Unchecked External Calls

Unchecked External Calls in smart contracts occur when a contract calls external contracts or addresses without validating input, handling return values, or controlling gas usage, enabling attackers to execute reentrancy attacks, steal funds, or manipulate contract state.

Remediation

  • Use checks-effects-interactions pattern: update internal state before making external calls.
  • Validate external addresses and restrict calls to known, trusted contracts when possible.
  • Handle and check return values from external calls; do not assume success.
  • Limit gas forwarded to external calls to prevent unexpected execution or reentrancy.
  • Consider using call, delegatecall, or send safely with proper error handling and guards.

Metadata

  • Severity: medium
  • Slug: unchecked-external-calls

CWEs

  • 284: Improper Access Control
  • 841: Improper Enforcement of Behavioral Workflow

OWASP

  • SC06:2025: Unchecked External Calls

Available Labs

Select a language to explore available labs for this vulnerability.

No matching labs found

Try adjusting your language filter.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.