Last updated: February 06, 2026

SCWE-122: Calldata Length Not Validated Before Decode

Stable Version v1.0

This content is in version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).


Relationships

Description

Functions that call abi.decode on calldata without first checking that it has the expected length fail in ways the caller cannot reason about. In Solidity 0.8 an undersized payload makes abi.decode revert with no reason string, so the failure is hard to diagnose and, where one malformed item aborts a batch or a router, easy to turn into a denial of service. Low-level entrypoints that read words directly with calldataload do not revert at all: missing bytes read as zero, so a truncated payload is silently decoded as a zero address or zero amount. Extra bytes appended after the expected arguments are ignored by the decoder, which matters wherever the raw calldata is hashed, signed, logged or used for replay protection. Attackers can therefore craft short calldata to trigger reverts that lock functionality, or padded calldata that passes as a valid-looking call.

Remediation

  • Validate msg.data.length against the expected size (4-byte selector plus the ABI-encoded arguments) before decoding; for a bytes parameter, check the parameter's own length, since the selector lives in msg.data rather than in the parameter.
  • Prefer Solidity typed arguments, which the compiler bounds-checks, but still guard against undersized calldata on low-level entrypoints (fallback, assembly calldataload).
  • Reject unexpected trailing data (use an exact-length check rather than a minimum) when strict parsing is required.

Examples

Vulnerable

pragma solidity ^0.8.0;

contract Executor {
    function execute(bytes calldata data) external {
        // No length check: an undersized `data` makes abi.decode revert with
        // no reason string, and any bytes beyond the two words are ignored.
        (address to, uint256 amount) = abi.decode(data, (address, uint256));
        // ...
    }
}

Fixed

pragma solidity ^0.8.0;

contract Executor {
    function execute(bytes calldata data) external {
        // Exactly two 32-byte words; `==` also rejects trailing bytes.
        // The selector is in msg.data, not in `data`, so it is not counted here.
        require(data.length == 64, "bad length");
        (address to, uint256 amount) = abi.decode(data, (address, uint256));
        // ...
    }
}
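The Fixed example above checks a bytes parameter; the remediation bullets also call for guarding low-level entrypoints, where the selector is part of what has to be measured, and for rejecting trailing data. The contract below is an added example that is not part of the SCWE entry or of any project. Its names (StrictRouter, credit, creditTyped, _credit, the errors and the constants) are hypothetical. It shows a fallback that dispatches on the selector only after checking that a selector is present, then requires the exact wire length (selector plus two words) before abi.decode, and a typed function that applies the same exact-length check to reject padded calldata the compiler would otherwise accept.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the SCWE entry. All names are hypothetical.
contract StrictRouter {
    // Wire format of credit(address,uint256): 4-byte selector + two 32-byte words.
    bytes4 internal constant CREDIT_SELECTOR =
        bytes4(keccak256("credit(address,uint256)"));
    uint256 internal constant ADDRESS_UINT_CALLDATA_LEN = 4 + 2 * 32;

    mapping(address => uint256) public balance;

    error BadCalldataLength(uint256 got, uint256 expected);
    error UnknownSelector(bytes4 selector);

    // Low-level entrypoint that dispatches on the selector itself. Every
    // length check happens before abi.decode, so a malformed payload fails
    // with a typed error instead of an empty revert, and a payload carrying
    // extra bytes does not pass as a valid-looking call.
    fallback() external {
        // Need at least a selector to dispatch on; msg.data[:4] on shorter
        // input would revert with no reason, so check explicitly first.
        if (msg.data.length < 4) {
            revert BadCalldataLength(msg.data.length, 4);
        }
        bytes4 sel = bytes4(msg.data[:4]);
        if (sel != CREDIT_SELECTOR) {
            revert UnknownSelector(sel);
        }
        // Exact match, selector included: `!=` rejects both truncated and
        // padded calldata, which a `<` minimum check would let through.
        if (msg.data.length != ADDRESS_UINT_CALLDATA_LEN) {
            revert BadCalldataLength(msg.data.length, ADDRESS_UINT_CALLDATA_LEN);
        }
        // Safe to decode now: exactly two words follow the selector.
        (address to, uint256 amount) = abi.decode(msg.data[4:], (address, uint256));
        _credit(to, amount);
    }

    // Typed entrypoint. The compiler already reverts on calldata shorter than
    // the two arguments, but it ignores bytes after them; reject those too
    // when the raw calldata is hashed, signed or replay-protected elsewhere.
    function creditTyped(address to, uint256 amount) external {
        if (msg.data.length != ADDRESS_UINT_CALLDATA_LEN) {
            revert BadCalldataLength(msg.data.length, ADDRESS_UINT_CALLDATA_LEN);
        }
        _credit(to, amount);
    }

    function _credit(address to, uint256 amount) internal {
        balance[to] += amount;
    }
}
```

To exercise it, send the contract raw calldata of 68 bytes (selector for credit(address,uint256) followed by the two padded words) and expect the balance to change; send 67 or 69 bytes and expect BadCalldataLength with the observed and expected sizes, which is the diagnosable failure the unguarded abi.decode does not give. The typed function needs no decode guard of its own, only the trailing-data check; drop that check if the contract does not care about extra bytes, since some callers deliberately append metadata to calldata.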