staticcall: Definition, Smart Contract Example & Audit Notes

staticcall

staticcall is a low-level EVM call that allows reading data from another contract but reverts if the callee attempts to modify state.

staticcall is a read-only external call, but the data it returns can still be wrong or manipulated.

staticcall Explained in Detail

staticcall is a low-level call that forbids state changes in the callee. It is often used for interface probing, oracle reads, and generic view calls.

Read-only does not mean trustworthy. The called contract can still return manipulated, malformed, or stale data.

Smart contract example

(bool ok, bytes memory data) = oracle.staticcall(payload);

The caller still needs to check ok and decode data safely.

staticcall in Auditing

Protocols often use staticcall to read prices, balances, permissions, or configuration. If the return value is trusted blindly, attackers may exploit bad data or failed calls.

Auditors review read paths that influence state-changing decisions.

Red flags in code

Failed staticcall is treated as a valid zero value.
Return data length is not checked.
Calls target user-controlled contracts.
Oracle data is read after manipulable state changes.
Gas-heavy view functions can grief callers.

How to test or review it

Test success, revert, short return data, and malformed return data.
Manipulate oracle or pool state before the read.
Check whether read-only reentrancy can expose inconsistent values.
Constrain trusted targets.
Decode return values only after validating success and length.

Sources

https://docs.soliditylang.org/en/latest/types.html#members-of-addresses