callcode: Definition, Smart Contract Example & Audit Notes

callcode

callcode is a deprecated EVM instruction that executes another account's code in the caller's storage context with legacy call semantics.

callcode is an old delegatecall-like feature that modern contracts should almost never use.

callcode Explained in Detail

callcode is a legacy EVM instruction that runs code from another address while using the caller's storage. It is similar to delegatecall, but with older semantics around call context.

Modern Solidity code should not use it in normal application logic.

Smart contract example

CALLCODE target with caller storage

If the target code writes storage, it writes into the caller's storage layout.

callcode in Auditing

callcode matters mostly in legacy contracts or inline assembly. It can corrupt storage and create takeover risk if the target is attacker-controlled or layout assumptions are wrong.

Auditors treat any callcode usage as high-risk until proven safe.

Red flags in code

Any use of callcode in modern code.
User-controlled target address.
Library storage layout is not fixed or reviewed.
Contract assumes callcode behaves exactly like delegatecall.
Inline assembly hides the opcode.

How to test or review it

Search bytecode and assembly for CALLCODE.
Prove target addresses cannot be attacker-controlled.
Test storage corruption with a malicious callee.
Compare call context assumptions with actual EVM behavior.
Prefer replacing legacy patterns with reviewed modern alternatives.

Sources

https://docs.soliditylang.org/en/latest/introduction-to-smart-contracts.html#delegatecall-and-libraries