US DeFi Solidity interviews: how to explain external call risks without sounding textbook (reentrancy, reverts, gas griefing)

SmartContractGuru

SmartContractGuru

@SmartContractGuru
Updated: Feb 18, 2026
Views: 2.2K

In a recent US DeFi team Solidity interview (remote loop), I got asked: “What are the risks of making an external call in a smart contract, and how would you mitigate them?”
I gave the usual (reentrancy, gas issues, relying on another contract), but the feedback vibe was: “okay… but where’s your engineering judgment?”


I’m trying to upgrade this from generic web3 interview prep into an answer that sounds like I’ve shipped smart contract security decisions—not memorized a list.

I can point to a small change I made once (switching a payout flow to pull payments + adding a test for a revert-in-loop case), but I’m not sure how to frame it cleanly in an interview.

In my last Solidity developer interview, I got asked something like: “What are the risks of making an external call in a smart contract, and how would you mitigate them?”

I said the usual (reentrancy, gas issues, relying on another contract), but later I felt my answer was still a bit “checklist-y”.

If you’ve handled this in interviews: how do you explain external call risks in a way that sounds like real engineering judgment — not just buzzwords?


Do you explicitly talk about cases like external call reverts causing DoS, gas griefing, or the “control flow” problem (you hand execution to unknown code)? And do you mention Checks-Effects-Interactions, ReentrancyGuard, pull over push payments, or try/catch for external calls (>=0.6) as your mitigation structure?

Basically: what’s your go-to answer framework that actually stands out in Solidity interviews for web3 smart contract roles?

Like 6 Replies 5

Replies

Welcome, guest

Join ArtofBlockchain to reply, ask questions, and participate in conversations.

Sign up Log in

ArtofBlockchain powered by Jatra Community Platform

  • MakerInProgress

    MakerInProgress

    @MakerInProgress Sep 10, 2025

    I’ve had this asked in Solidity interviews too, and the thing that usually gets you “extra points” is not listing reentrancy first — it’s showing you understand what an external call actually does: you’re handing control + gas to unknown code.

    My structure is:

    Security: reentrancy (obvious), but also “any callback can run before your function finishes.”

    Reliability: external call can revert and block your flow (DoS), or burn gas (gas griefing), or return weird values.

    Design: you’ve coupled your core path to someone else’s contract behavior + upgrade choices.

    Then I close with mitigations as a hierarchy: Checks-Effects-Interactions, ReentrancyGuard, pull over push payments, and when you must call out, use try/catch (>=0.6) + fail-soft patterns (emit event, queue payout, circuit breaker). That “answer structure” is what makes it sound like engineering judgment, not a security checklist.

  • AnitaSmartContractSensei

    AnitaSmartContractSensei

    @SmartContractSensei Sep 10, 2025

    One angle interviewers quietly test is: “Do you understand that external call risk isn’t only ‘hacks’?”

    Even if you’re safe on reentrancy, external dependencies fail in boring ways: contract paused, upgraded, proxy changed, a token with non-standard behavior, or a protocol changing return values. In production those show up as random reverts, stuck funds, or payouts that silently fail. So in external call risks I always mention “revert/DoS” + “dependency drift”.

    Mitigation isn’t only nonReentrant. Sometimes the best mitigation is design: don’t do the external call in the critical path, store intent, let users claim (pull), and put a timeout / retry window. In interviews, saying “I’d rather queue the payout than revert the whole function because of one failing receiver” usually lands well.

  • MakerInProgress

    MakerInProgress

    @MakerInProgress Jan 15, 2026

    Also watch the “gotcha” variations of this question. Some interviewers aren’t asking about call{value:} at all — they’re fishing for whether you understand which external call is dangerous and why.

    If the code uses delegatecall, that’s a different beast: you execute their code in your storage context. That’s where people bring up upgradeable proxy risks, storage collisions, and why you must trust the implementation address and guard upgrades. Even with a plain external call, the subtler risk is state assumptions: you might assume balances/flags are unchanged, but the callee can re-enter or cause side-effects before your function finishes.

    What I say in interviews: “I treat any external call as an untrusted boundary. I isolate it, minimize what happens after it, and I make failures non-fatal where possible.” Then I name the patterns (CEI, pull payments, try/catch, reentrancy guard) and give a tiny example like “payout loop becomes DoS if one receiver reverts.” That tiny example is what makes your answer feel real.

  • Shubhada Pande

    Shubhada Pande

    @ShubhadaJP Jan 17, 2026

    A pattern I keep seeing in Solidity interviews is that candidates name external call risks correctly, but they don’t describe the decision boundary: what invariant you’re protecting, what failure mode you expect (revert/false/callback), and what your fallback plan is. That’s usually the difference between “knows the terms” and “can ship safely.”

    If you’re prepping for smart contract security interviews, you’ll probably like these related threads/resources:

    Smart Contract Interview Prep Hub: 

    https://artofblockchain.club/discussion/smart-contract-interview-prep-hub

    Common Smart Contract Security Mistakes (how interviewers probe depth):

    https://artofblockchain.club/discussion/how-to-answer-common-smart-contract-security-mistakes-in-blockchain-auditor-interviews

    Quick sanity check on callback surfaces: 

    https://artofblockchain.club/quiz/why-are-fallback-functions-dangerous

    Debugging framework (because many “external call” answers collapse under follow-ups):

    https://artofblockchain.club/article/a-clear-framework-for-debugging-solidity-errors-that-keep-reappearing-in-interviews

  • DeFiArchitect

    DeFiArchitect

    @DeFiArchitect Feb 18, 2026

    One thing I like from the first reply is the framing: an external call isn’t a “line of code”, it’s handing control + gas to unknown code — that’s the mental model. On US DeFi team loops (especially for remote web3 jobs), I’ve noticed interviewers want you to say what you do when the call fails in production (queue, emit, partial progress), not just “use nonReentrant”.

    For folks interviewing with US protocol teams: do you lean into failure-mode stories (like revert-in-loop DoS), or do you keep it more “framework-y” because that’s closer to what recruiters look for in crypto jobs?