Unchecked Call Target
Detects external calls where the target address is user-controlled and not validated against known-safe addresses, enabling call redirection attacks.
Overview
The unchecked call target detector identifies CALL instructions where the target address is derived from user input (calldata or storage loaded without validation) and is not compared against any known-safe value before the call executes. This is distinct from the broader arbitrary external calls detector in that it focuses specifically on the target validation check, regardless of call type.
The Poly Network exploit ($611M, August 2021) and Parity wallet hack ($150M frozen) both involved calls to user-controlled addresses without validation.
Why This Is an Issue
When a contract calls an address chosen by the user, the call carries the calling contract's identity: the callee sees the calling contract as msg.sender. A user-chosen target can therefore act with the calling contract's identity in interactions with third-party contracts. For protocols that use msg.sender as an authorization mechanism, this creates a privilege escalation chain.
How to Resolve
// Before (vulnerable): target not validated
function relay(address target, bytes calldata data) external {
    (bool success, ) = target.call(data);
    require(success);
}

// After (fixed): validate target against whitelist
mapping(address => bool) public trustedTargets;

function relay(address target, bytes calldata data) external {
    require(trustedTargets[target], "Untrusted target");
    (bool success, ) = target.call(data);
    require(success);
}
Detection Methodology
- Call instruction analysis: Identifies CALL, STATICCALL, and DELEGATECALL instructions.
- Target taint tracking: Traces the target address operand to determine if it originates from user input.
- Validation check detection: Searches for EQ comparisons of the target against constants or storage-loaded trusted addresses before the call.
- Confidence scoring: No validation check yields highest confidence; partial validation (checking against one of several possible targets) yields medium confidence.
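The first three steps above, modelled over a straight-line instruction list as an added Python example; this is not the detector's own code. The tuple opcode encoding, `find_unchecked_calls`, and the sample programs are constructed for illustration. As simplifying assumptions, only calldata is treated as a taint source, confidence scoring is omitted, and the model does not verify that the EQ result actually gates the call.

```python
from dataclasses import dataclass
from itertools import count

CALLS = {"CALL": 7, "STATICCALL": 6, "DELEGATECALL": 6}  # operands popped
_uid = count()

@dataclass(frozen=True)
class Val:
    origin: str  # "calldata" (tainted), "const", "storage" or "other"
    uid: int     # shared by DUP copies, so a check on a copy counts

def new(origin):
    return Val(origin, next(_uid))

def find_unchecked_calls(program):
    """Return [(index, opcode)] for calls whose target is unvalidated calldata."""
    stack, checked, findings = [], set(), []
    for i, (op, *arg) in enumerate(program):  # opcodes not listed are ignored
        if op == "PUSH":
            stack.append(new("const"))
        elif op in ("CALLDATALOAD", "SLOAD"):  # pop offset/slot, push result
            stack[-1] = new("calldata" if op == "CALLDATALOAD" else "storage")
        elif op == "DUP":
            stack.append(stack[-arg[0]])
        elif op == "EQ":
            a, b = stack.pop(), stack.pop()
            for v, other in ((a, b), (b, a)):
                if v.origin == "calldata" and other.origin in ("const", "storage"):
                    checked.add(v.uid)
            stack.append(new("other"))
        elif op == "JUMPI":  # pops destination and condition
            del stack[-2:]
        elif op in CALLS:
            target = stack[-2]  # operand order: gas on top, then address
            if target.origin == "calldata" and target.uid not in checked:
                findings.append((i, op))
            del stack[-CALLS[op]:]
            stack.append(new("other"))  # success flag
    return findings

# Constructed programs: load the target from calldata offset 4, then call.
LOAD_TARGET = [("PUSH", 4), ("CALLDATALOAD",)]
GAS = [("PUSH", 0xFFFF)]
UNCHECKED = [("PUSH", 0)] * 5 + LOAD_TARGET + GAS + [("CALL",)]
# Same call, preceded by an EQ of the target against the address in slot 0.
GUARD = [("DUP", 1), ("PUSH", 0), ("SLOAD",), ("EQ",), ("PUSH", 0x40), ("JUMPI",)]
CHECKED = [("PUSH", 0)] * 5 + LOAD_TARGET + GUARD + GAS + [("CALL",)]
UNCHECKED_DELEGATE = [("PUSH", 0)] * 4 + LOAD_TARGET + GAS + [("DELEGATECALL",)]

if __name__ == "__main__":
    for name in ("UNCHECKED", "CHECKED", "UNCHECKED_DELEGATE"):
        print(name, find_unchecked_calls(globals()[name]))
```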
Limitations
False positives: Router contracts that intentionally accept arbitrary targets but validate them internally may be flagged.
False negatives: Targets validated through complex mapping lookups may not be recognized as validated.
Related Detectors
- Arbitrary External Calls — broader arbitrary call detection
- Access Control — detects missing authorization