Arbitrary Low-Level Call
Description
The contract forwards a caller-supplied target address and calldata to a low-level `call`, so any user can make the contract invoke any function on any contract with the contract itself as `msg.sender`. Everything the contract is trusted with (token approvals granted by users, owner-only privileges on other contracts, its own balance) becomes reachable by whoever crafts the calldata. The classic case, seen in the Li.Fi incidents referenced below, is a caller passing a token address and `transferFrom` calldata to drain users who had approved the contract.
Examples
Insecure Code
```solidity
// Any caller chooses both the target and the calldata; the call's
// success flag is ignored and nothing constrains the target.
function vuln(address addr, bytes calldata data) public {
    addr.call(data);
}
```
Secure Code
```solidity
address public authorizedAddress; // the only permitted call target, set at deployment

function secure(address addr, bytes calldata data) public {
    require(addr == authorizedAddress, 'Unauthorized address');
    (bool success, ) = addr.call(data);
    require(success, 'Call failed');
}
```
Remediation
Do not let untrusted callers choose the target address or the full calldata. Restrict targets to an explicit allowlist, restrict the function selector (the first four bytes of calldata) where the target only needs a few functions, never allowlist a token or any contract on which this contract holds approvals or privileges, reject targets with no code (a low-level call to an EOA returns success), and check the call's return value.
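The following added example is not code from the original page or from any project it references. It shows the approval-drain path described above alongside a router that allowlists target/selector pairs; all contract and function names (`VulnerableRouter`, `Drainer`, `HardenedRouter`, `execute`, `allow`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the original page. All contract and
// function names below are hypothetical.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern: users approve this router to spend their tokens (as they
/// would for a DEX aggregator or bridge), and the router forwards arbitrary
/// calldata to an arbitrary target. Inside the token, msg.sender is the router,
/// so any caller can spend every user's approval.
contract VulnerableRouter {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Attacker: route a transferFrom through the router to drain a victim that
/// has approved the router.
contract Drainer {
    function drain(VulnerableRouter router, address token, address victim, uint256 amount) external {
        bytes memory payload = abi.encodeWithSelector(
            IERC20.transferFrom.selector, victim, msg.sender, amount
        );
        router.execute(token, payload); // the token sees msg.sender == router
    }
}

/// Hardened pattern: the owner allowlists (target, selector) pairs, the call is
/// rejected if the target has no code, and the result is checked.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => mapping(bytes4 => bool)) public allowed;

    constructor() {
        owner = msg.sender;
    }

    /// Never allowlist a token (or any contract) on which this router holds
    /// approvals or privileges: an allowlisted transferFrom is the same bug.
    function allow(address target, bytes4 selector, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowed[target][selector] = ok;
    }

    function execute(address target, bytes calldata data) external returns (bytes memory) {
        require(data.length >= 4, "calldata too short");
        require(allowed[target][bytes4(data[:4])], "target/selector not allowlisted");
        require(target.code.length > 0, "target has no code"); // call() to an EOA returns success
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

In a local test, deploy a token, have a victim `approve` the router, and call `Drainer.drain`: against `VulnerableRouter` the victim's balance moves to the attacker, while against `HardenedRouter` the same call reverts at the allowlist check. The selector check matters because many real targets (a DEX, a bridge) legitimately need one or two functions, and an allowlisted target with unrestricted calldata still exposes every function that contract has.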
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0656 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-20 |
| Confidence | LOW |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | MODERATE |
| Tags | smart contract, ethereum |
| OWASP | N/A |
References
- https://x.com/DecurityHQ/status/1813195945477087718
- https://etherscan.io/address/0x73a499e043b03fc047189ab1ba72eb595ff1fc8e
- https://twitter.com/Beosin_com/status/1509099103401127942
- https://blocksecteam.medium.com/li-fi-attack-a-cross-chain-bridge-vulnerability-no-its-due-to-unchecked-external-call-c31e7dadf60f
- https://twitter.com/SlowMist_Team/status/1508787862791069700
- https://etherscan.io/address/0xe7597f774fd0a15a617894dc39d45a28b97afa4f
- https://twitter.com/CertiKAlert/status/1512198846343954445