Skip to content


DoS with Failed Call


CWE-703: Improper Check or Handling of Exceptional Conditions


External calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. To minimize the damage caused by such failures, it is better to isolate each external call into its own transaction that can be initiated by the recipient of the call. This is especially relevant for payments, where it is better to let users withdraw funds rather than push funds to them automatically (this also reduces the chance of problems with the gas limit).


It is recommended to follow call best practices:

  • Avoid combining multiple calls in a single transaction, especially when calls are executed as part of a loop
  • Always assume that external calls can fail
  • Implement the contract logic to handle failed calls




 * @source:
 * @author: ConsenSys Diligence
 * Modified by Bernhard Mueller

pragma solidity 0.4.24;

contract Refunder {

address[] private refundAddresses;
mapping (address => uint) public refunds;

    constructor() {

    // bad
    function refundAll() public {
        for(uint x; x < refundAddresses.length; x++) { // arbitrary length iteration based on how many addresses participated
            require(refundAddresses[x].send(refunds[refundAddresses[x]])); // doubly bad, now a single failure on send will hold up all funds