26 Apr, 2023

Unchecked Call Return Value (SWC-104)

Description

It is important to always check the return value of a message call in order to ensure that the execution of the contract proceeds as expected. If the called contract throws an exception, and the return value is not checked, the execution may continue, leading to unexpected behavior in the contract. This could be due to an accidental failure or an attacker who maliciously forces the call to fail. Therefore, it is essential to incorporate appropriate error handling mechanisms to prevent these issues from occurring. Failure to check the return value of a message call may result in security vulnerabilities that can be exploited by attackers to manipulate the system in unintended ways.

Remediation

If you choose to use low-level call methods, it is important to handle the possibility that the call may fail. One way to do this is to check the return value of the call to ensure that it executed successfully. If the called contract throws an exception and the return value is ignored, execution continues and any subsequent program logic may behave unexpectedly. By checking the return value, you can ensure that your smart contract handles failed calls in a graceful and secure manner.
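The failure handling described above, as an added example that is not part of the original page. The contract name `Payout`, its `owed` ledger and the function names are hypothetical, and `send()` stands in for the low-level call. It shows the ledger being cleared despite a failed transfer when the result is ignored, next to two checked variants.

```solidity
pragma solidity 0.4.25;

// Added example, not from the original page. The contract name, the `owed`
// ledger and all function names are hypothetical.
contract Payout {
    mapping(address => uint256) public owed;

    // Credit `to` with the ether sent along with this call.
    function deposit(address to) public payable {
        owed[to] += msg.value;
    }

    // Unchecked: send() returns false on failure instead of reverting, so
    // the ledger entry is cleared even when no ether left the contract.
    function withdrawUnchecked() public {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        msg.sender.send(amount); // return value ignored (SWC-104)
    }

    // Checked: a failed send reverts the whole transaction, which also
    // restores the ledger entry cleared above.
    function withdrawChecked() public {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        require(msg.sender.send(amount), "send failed");
    }

    // Checked with recovery: handle the failure explicitly and put the
    // balance back so the caller can retry later.
    function withdrawOrRestore() public returns (bool) {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        if (!msg.sender.send(amount)) {
            owed[msg.sender] = amount;
            return false;
        }
        return true;
    }
}
```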

Contract Samples

Code with a vulnerability

				
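pragma solidity 0.4.25;

contract ReturnValue {
  // Checked: require() reverts the transaction if the low-level call returns false.
  function callchecked(address callee) public {
    require(callee.call());
  }

  // Vulnerable: the boolean returned by call() is discarded, so a failed call goes unnoticed.
  function callnotchecked(address callee) public {
    callee.call();
  }
}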

				
			

Tools for scanning SWC-104

1. Mythril: This is a popular open-source security analysis tool that can detect various types of vulnerabilities, including SWC-104.

2. Slither: Another popular open-source tool for analyzing smart contracts. It can detect a wide range of issues, including SWC-104.

3. Securify: A tool developed by ETH Zurich that can identify several types of security vulnerabilities, including SWC-104.

4. SmartCheck: A commercial tool that can analyze smart contracts for various security issues, including SWC-104.

5. Oyente: An open-source tool that can analyze smart contracts and detect various types of vulnerabilities, including SWC-104.

The Common Weakness Enumeration (CWE)

CWE-252: Unchecked Return Value

Mitigation for SWC-104

1. Use up-to-date versions of external contracts that are known to be secure and have undergone thorough security audits.

2. Avoid using external contracts that are not well-established or do not have a reputation for security and reliability.

3. Use careful coding practices to ensure that the contract interacts with external contracts in a secure manner, such as validating inputs and outputs and implementing error handling and recovery procedures.

4. Implement appropriate access controls to ensure that only authorized parties can interact with the external contract.

5. Consider using a proxy contract that acts as an intermediary between the contract and the external contract, which can help to limit the damage caused by an attack.

Conclusion

SWC-104 is a vulnerability that occurs when a contract makes a message call and does not check its return value. To prevent this vulnerability, developers should check the return value of every low-level call and handle the failure case, for example by reverting the transaction when the call fails. Scanning tools and manual code reviews can also be used to detect and prevent this vulnerability.
