Vulnerabilities

Unchecked Return Value

An unchecked return value bug happens when code ignores whether a low-level call or token operation succeeded.

The contract assumes an action worked even though the called contract may have returned failure.

Unchecked Return Value Explained in Detail

An unchecked return value bug appears when a contract calls another address and ignores the result. Low-level calls return a boolean instead of automatically reverting. Some ERC-20 tokens also return false instead of reverting.

If the caller keeps executing, accounting may update as if funds moved even when the transfer failed.

Smart contract example

The call below reads the success flag into ok and then never checks it:

mapping(address => uint256) public paid;

function pay(address user, uint256 amount) external {
    (bool ok,) = user.call{value: amount}("");
    // ok is ignored: a failed send does not revert here
    paid[user] += amount; // accounting moves even when no Ether did
}

The contract records the payment even if the Ether transfer failed.
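For contrast, here is a hardened version written for this entry (added example, not code from the original page or from any library). It keeps the page's pay() shape but checks the success flag, adds a token helper in the style of common "safe transfer" wrappers that copes with both false-returning and no-return tokens, and shows a batch payout that records failures instead of silently counting them as paid. The contract name CheckedPayout, the failed mapping and the IERC20 interface are assumptions for the illustration; access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (assumed interface for this example).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract CheckedPayout {
    mapping(address => uint256) public paid;
    // Hypothetical: amounts whose send failed, left in the contract for a later retry.
    mapping(address => uint256) public failed;

    IERC20 public immutable token;

    constructor(IERC20 token_) {
        token = token_;
    }

    // Fixed form of the page's pay(): accounting only moves if the Ether send succeeded.
    function pay(address user, uint256 amount) external {
        (bool ok, ) = user.call{value: amount}("");
        require(ok, "ETH transfer failed");
        paid[user] += amount;
    }

    // Handles three outcomes of an ERC-20 transfer: the call reverted (ok == false),
    // the call returned false, or the call returned true / returned nothing at all.
    // A call to an address with no code returns ok == true and empty data, so the
    // code-size check is what stops a non-contract "token" from passing silently.
    function _safeTransfer(address to, uint256 amount) internal {
        require(address(token).code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "token transfer failed");
    }

    function payToken(address user, uint256 amount) external {
        _safeTransfer(user, amount);
        paid[user] += amount;
    }

    // Batch payout that does not silently skip failures: a failed send is recorded
    // under failed[], never under paid[], and the loop keeps going for the others.
    function payBatch(address[] calldata users, uint256[] calldata amounts) external {
        require(users.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < users.length; i++) {
            (bool ok, ) = users[i].call{value: amounts[i]}("");
            if (ok) {
                paid[users[i]] += amounts[i];
            } else {
                failed[users[i]] += amounts[i];
            }
        }
    }

    receive() external payable {}
}
```

Whether a batch should revert on the first failure or record and continue is a design choice; what matters for this bug class is that the success flag decides which accounting path runs.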

Unchecked Return Value in Auditing

Unchecked return values break accounting assumptions. They often appear near external calls, token transfers, refunds, batch payouts, and integrations with non-standard tokens.

Red flags in code

  • call, delegatecall, staticcall, or send result is ignored.

  • ERC-20 transfer, transferFrom, or approve result is ignored.

  • Accounting updates happen after a call without checking success.

  • Batch payout loop continues after failed transfers.

  • Code uses low-level calls where a typed interface would be safer.

How to test or review it

  • Search for low-level calls and verify the success flag is checked.

  • Test with a receiver that reverts or consumes gas.

  • Test with a token that returns false without reverting.

  • Verify accounting only updates after successful transfers.

  • Prefer safe token wrappers when reviewing ERC-20 approval and transfer flows.
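The two test fixtures the list above asks for (a receiver that reverts and a token that returns false) can be written as plain Solidity contracts. The Foundry test below is an added example, not from the original page; it assumes a Foundry project with forge-std installed, and the contract VulnerablePayout, its deposit() function, IERC20Like and the two fixtures are constructed here to reproduce the page's bug. The page's own pay() is included unchanged so the test can show its accounting drifting from reality.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol"; // assumption: Foundry project with forge-std available

interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// The page's vulnerable pay(), plus a token deposit that ignores transferFrom's result.
contract VulnerablePayout {
    mapping(address => uint256) public paid;
    mapping(address => uint256) public deposited;

    function pay(address user, uint256 amount) external {
        (bool ok,) = user.call{value: amount}("");
        // ok is ignored
        paid[user] += amount;
    }

    function deposit(address token, uint256 amount) external {
        IERC20Like(token).transferFrom(msg.sender, address(this), amount); // result ignored
        deposited[msg.sender] += amount;
    }

    receive() external payable {}
}

// Fixture: a receiver whose receive() always reverts, so every Ether send to it fails.
contract RevertingReceiver {
    receive() external payable {
        revert("receiver rejects Ether");
    }
}

// Fixture: a token that reports failure with false instead of reverting and never moves balances.
contract FalseReturningToken is IERC20Like {
    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false;
    }
}

contract UncheckedReturnTest is Test {
    VulnerablePayout vuln;

    function setUp() public {
        vuln = new VulnerablePayout();
        vm.deal(address(vuln), 10 ether);
    }

    function testEthSendFailureIsRecordedAsPaid() public {
        RevertingReceiver r = new RevertingReceiver();
        vuln.pay(address(r), 1 ether);
        // The bug: accounting says 1 ether was paid, yet no Ether left the contract.
        assertEq(vuln.paid(address(r)), 1 ether);
        assertEq(address(r).balance, 0);
        assertEq(address(vuln).balance, 10 ether);
    }

    function testFalseReturningTokenIsCreditedAnyway() public {
        FalseReturningToken t = new FalseReturningToken();
        vuln.deposit(address(t), 500);
        // The bug: the deposit is credited although transferFrom reported failure.
        assertEq(vuln.deposited(address(this)), 500);
    }
}
```

Both tests pass against the vulnerable contract, which is the point: they pin down the divergence between recorded and actual balances. Against a fixed contract the same calls should revert, so a review can flip the assertions to vm.expectRevert() and keep the fixtures.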
