Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/unchecked-return-values

Name: unchecked-return-values
Author: apegurus

skills/vulnerability-patterns/unchecked-return-values/SKILL.md

npx skillsauth add apegurus/solidity-argus unchecked-return-values

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Unchecked Return Values

Preconditions

Contract uses low-level calls: .call(), .send(), or .delegatecall()
The boolean return value indicating success/failure is not checked
State changes occur after the unchecked call, assuming it succeeded

Vulnerable Pattern

function withdraw(uint256 amount) external {
    // .send() returns false on failure but does NOT revert
    msg.sender.send(amount); // Return value ignored
    balances[msg.sender] -= amount; // State updated even if send failed
}

function payout(address to, uint256 amount) external {
    // .call() return value captured but never checked
    (bool success,) = to.call{value: amount}("");
    // success could be false, but execution continues
    totalPaid += amount;
}

Detection Heuristics

Search for all .call(, .send(, .delegatecall( invocations
For each, check whether the returned boolean is captured AND checked (e.g., require(success), if (!success) revert)
If the return value is captured but never referenced again, flag it
If the return value is not captured at all (e.g., bare addr.send(amount);), flag it
Check for state changes after unchecked calls — these create inconsistent state on silent failure

False Positives

Return value is checked with require(success) or equivalent
The call is intentionally fire-and-forget (documented, no state depends on success) — rare but valid
Using Solidity's high-level function calls (e.g., IERC20(token).transfer(...)) which auto-revert on failure

Remediation

Always check the return value: require(success, "call failed")
For ETH transfers to untrusted recipients, consider a pull-payment pattern to avoid DoS if the recipient deliberately reverts
Prefer high-level Solidity calls when interacting with known interfaces

function withdraw(uint256 amount) external {
    balances[msg.sender] -= amount;
    (bool success,) = msg.sender.call{value: amount}("");
    require(success, "ETH transfer failed");
}

apegurus/unchecked-return-values

skills/vulnerability-patterns/unchecked-return-values/SKILL.md

Contract uses low-level calls: .call(), .send(), or .delegatecall()

testing

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus unchecked-return-values

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:31 AM170.4s1 file scanned

SKILL.md

name:: unchecked-return-values
description:: send return value can fail silently if unchecked
pattern_category:: logic-error
- regex:: \.send\(
severity:: Medium
confidence:: High
swc:: SWC-104

Unchecked Return Values

Preconditions

Contract uses low-level calls: .call(), .send(), or .delegatecall()
The boolean return value indicating success/failure is not checked
State changes occur after the unchecked call, assuming it succeeded

Vulnerable Pattern

function withdraw(uint256 amount) external {
    // .send() returns false on failure but does NOT revert
    msg.sender.send(amount); // Return value ignored
    balances[msg.sender] -= amount; // State updated even if send failed
}

function payout(address to, uint256 amount) external {
    // .call() return value captured but never checked
    (bool success,) = to.call{value: amount}("");
    // success could be false, but execution continues
    totalPaid += amount;
}

Detection Heuristics

Search for all .call(, .send(, .delegatecall( invocations
For each, check whether the returned boolean is captured AND checked (e.g., require(success), if (!success) revert)
If the return value is captured but never referenced again, flag it
If the return value is not captured at all (e.g., bare addr.send(amount);), flag it
Check for state changes after unchecked calls — these create inconsistent state on silent failure

False Positives

Return value is checked with require(success) or equivalent
The call is intentionally fire-and-forget (documented, no state depends on success) — rare but valid
Using Solidity's high-level function calls (e.g., IERC20(token).transfer(...)) which auto-revert on failure

Remediation

Always check the return value: require(success, "call failed")
For ETH transfers to untrusted recipients, consider a pull-payment pattern to avoid DoS if the recipient deliberately reverts
Prefer high-level Solidity calls when interacting with known interfaces

function withdraw(uint256 amount) external {
    balances[msg.sender] -= amount;
    (bool success,) = msg.sender.call{value: amount}("");
    require(success, "ETH transfer failed");
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/unchecked-return-values ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT