Tutorial 59: Low-Level Calls in Solidity Returning True for Non-Existent Contracts

In Solidity, low-level calls (`call`, `delegatecall`, and `staticcall`) offer a flexible way to interact with external contracts. They let a contract send arbitrary calldata, ether, or (with `delegatecall`) borrow another contract's code, which makes them powerful tools in decentralized application development. That flexibility comes with a significant risk: the `success` flag they return is true even when the target address holds no code at all, whether it is an externally owned account, an address nothing has ever been deployed to, or a contract that has self-destructed.

This is not a Solidity bug but Ethereum Virtual Machine (EVM) semantics: a `CALL` to an address with no code is a successful no-op. Any value attached is transferred, no code runs, no return data is produced, and the call reports success. High-level external calls (`IFoo(target).foo()`) guard against this because the compiler inserts an `extcodesize` check before the call (since Solidity 0.8.10 it is omitted only when return data is expected, in which case ABI decoding of the empty return data reverts instead). Low-level calls skip that check entirely, so if the developer does not verify that the target is a deployed contract, the calling contract can record a transfer, withdrawal, or callback as completed when nothing happened. That false indication of success can corrupt contract state and lead to loss of funds or other unintended behavior.

In this tutorial, we will explore the vulnerabilities related to low-level calls returning true even for non-existent contracts, understand the impact of this issue, and discuss best practices for mitigating such risks.
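The following is an added example written for this tutorial, not code from the original page or from any deployed project; the `IStrategy` interface, the two vault contracts and the `release` function are hypothetical. `VulnerableVault` trusts the `success` flag of a low-level call, so a strategy address with no code lets users be debited while nothing is released. `HardenedVault` checks `code.length` before the call and, because a code-size check alone does not prove the expected function exists, also insists on the return value the interface promises.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface the vault expects its strategy contract to implement.
interface IStrategy {
    function release(address to, uint256 amount) external returns (bool);
}

/// Treats `success` from a low-level call as proof that the strategy ran.
/// If `strategy` is an EOA, an undeployed address or a self-destructed contract,
/// CALL returns true without executing anything, so the caller is debited and
/// nothing is released.
contract VulnerableVault {
    address public strategy;
    mapping(address => uint256) public balances;

    constructor(address strategy_) {
        strategy = strategy_;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdrawViaStrategy(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool success, ) = strategy.call(
            abi.encodeCall(IStrategy.release, (msg.sender, amount))
        );
        require(success, "strategy call failed"); // true even when strategy has no code
        balances[msg.sender] -= amount;           // debited, but nothing was released
    }
}

/// Same logic with the checks a low-level call needs.
contract HardenedVault {
    address public strategy;
    mapping(address => uint256) public balances;

    constructor(address strategy_) {
        // Reject EOAs and undeployed addresses at configuration time.
        require(strategy_.code.length > 0, "strategy has no code");
        strategy = strategy_;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdrawViaStrategy(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        // Re-check at call time: code can disappear after deployment (selfdestruct),
        // and `code.length` is 0 while a contract is still running its constructor.
        require(strategy.code.length > 0, "strategy has no code");
        balances[msg.sender] -= amount; // effects before the external interaction
        (bool success, bytes memory ret) = strategy.call(
            abi.encodeCall(IStrategy.release, (msg.sender, amount))
        );
        require(success, "strategy call failed");
        // A code-size check proves that some code ran, not that `release` exists:
        // a contract with a catch-all fallback also returns success. Require the
        // ABI-encoded bool the interface promises instead of trusting `success` alone.
        require(ret.length == 32 && abi.decode(ret, (bool)), "strategy did not release");
    }
}
```

Had the vault used the high-level form `IStrategy(strategy).release(msg.sender, amount)`, the compiler would have handled this for it: either by inserting the `extcodesize` check or, because `release` returns data, by reverting when the empty return data cannot be ABI-decoded. The same `code.length` check belongs in front of any `delegatecall` target (proxy implementations in particular), since delegating to an address with no code also returns true and silently does nothing.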
