If your smart contract calls another contract or address and doesn’t verify the response, you’re toast.
Risk:
Hackers can force your contract into thinking something succeeded… even when it failed. Low-level `call`, `delegatecall` and `send` return `false` on failure instead of reverting, so if you ignore the result, execution just carries on as if the call had worked.
Fix:
Always check the return value of low-level calls:
```solidity
(bool success, ) = addr.call(...);
require(success, "Call failed");
```

4. 🏰 Access Control Misconfigurations
One wrong “onlyOwner” and you might as well hand your protocol to the hackers.
Scenarios we’ve seen in 2025:
- Admin wallets hardcoded & leaked
- No time locks on critical functions
- Upgrade functions callable by anyone
Cost to teams: Reputation loss, FUD, token dumps, delisting from exchanges.
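Both points above in one place, as an added illustration that is not code from the original post: a small treasury contract with the unchecked withdrawal next to its fixed version, plus a guarded ownership transfer. The contract and function names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract (not from the original post); names are assumptions.
contract Treasury {
    address public owner;
    mapping(address => uint256) public balances;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // VULNERABLE: the bool returned by call() is discarded. If the recipient
    // rejects the ETH (e.g. a receive() that reverts), the transfer silently
    // fails, but the balance has already been zeroed: the ledger now says
    // "paid" while the ETH is still sitting in this contract.
    function withdrawUnchecked() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        msg.sender.call{value: amount}(""); // return value ignored
    }

    // HARDENED: check the result and revert on failure, which rolls back the
    // balance update too, so state and reality never disagree.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0; // effects before interaction
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success, "Call failed");
    }

    // Access control: only the current owner may hand over control, and the
    // zero address is rejected so ownership cannot be burned by mistake.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        owner = newOwner;
    }
}
```

Compiling `withdrawUnchecked` produces the compiler warning "Return value of low-level calls not used", which is exactly the signal to treat as a blocker in CI.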