Last updated: February 06, 2026

SCWE-120: Missing Return Data Length Validation

Stable Version v1.0

This content is version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).

Description

Low-level calls that decode return values without checking returndatasize can read zeroed or truncated data. Attackers can craft contracts that return short payloads so that callers misinterpret success flags, prices, or balances.

Remediation

  • Verify returndatasize matches expected length before decoding.
  • Prefer high-level interfaces that perform ABI decoding checks.
  • Revert on unexpected return sizes and log anomalies.

Examples

Vulnerable

pragma solidity ^0.8.0;
contract VulnerableReader {
    function balanceOf(address token, address user) external view returns (uint256) {
        (bool ok, bytes memory data) = token.staticcall(abi.encodeWithSignature("balanceOf(address)", user));
        // neither `ok` nor data.length is checked: revert data or a crafted payload still decodes here
        return abi.decode(data, (uint256)); // assumes length >= 32
    }
}

Fixed

pragma solidity ^0.8.0;
contract FixedReader {
    function balanceOf(address token, address user) external view returns (uint256) {
        (bool ok, bytes memory data) = token.staticcall(abi.encodeWithSignature("balanceOf(address)", user));
        require(ok && data.length == 32, "bad returndata"); // reject failed calls and any size other than one word
        return abi.decode(data, (uint256));
    }
}
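As an added example (not part of the SCWE entry), the same return-data check factored into a reusable library, plus a constructed contract that answers with a 4-byte payload so the guard can be exercised in a unit test. The names SafeStaticCall, TokenReader and ShortReturner are illustrative and assumed here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example: reusable guard for low-level static calls.
/// Library and contract names are illustrative, not from the SCWE entry.
library SafeStaticCall {
    error BadReturnDataSize(address target, uint256 got, uint256 expected);
    error CallFailed(address target);

    /// Runs `target.staticcall(payload)` and hands back the raw bytes only if the
    /// call succeeded and the return data is exactly `expectedLen` bytes long.
    function staticcallExact(address target, bytes memory payload, uint256 expectedLen)
        internal view returns (bytes memory data)
    {
        // A staticcall to an address without code "succeeds" with empty return data,
        // so reject non-contract targets before calling.
        if (target.code.length == 0) revert CallFailed(target);
        bool ok;
        (ok, data) = target.staticcall(payload);
        if (!ok) revert CallFailed(target);
        // Reject short payloads (zeroed/truncated reads) and over-long ones alike;
        // abi.decode on its own only rejects the short case.
        if (data.length != expectedLen) revert BadReturnDataSize(target, data.length, expectedLen);
    }
}

contract TokenReader {
    using SafeStaticCall for address;

    function balanceOf(address token, address user) external view returns (uint256) {
        bytes memory data = token.staticcallExact(
            abi.encodeWithSignature("balanceOf(address)", user), 32
        );
        return abi.decode(data, (uint256));
    }
}

/// Constructed test fixture: answers every call with only 4 bytes of return data,
/// so TokenReader.balanceOf must revert with BadReturnDataSize(target, 4, 32).
contract ShortReturner {
    fallback() external {
        assembly {
            mstore(0, 0xdeadbeef)  // word at memory 0..32, value in the last 4 bytes
            return(28, 4)          // returndatasize() seen by the caller is 4
        }
    }
}
```

Deploy ShortReturner and call TokenReader.balanceOf with its address in a test to confirm the revert; with a well-behaved ERC-20 the same call returns the balance unchanged.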