Last updated: February 06, 2026

SCWE-154: Calldata Decode Without Length Check

Stable Version v1.0

This content is in version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).


Relationships

Description

Decoding calldata or bytes with abi.decode without first verifying the input length can cause unexpected reverts. In modern Solidity (0.4.22+), abi.decode reverts on data shorter than the expected layout because of bounds checking, while data that is malformed or was encoded for a different type tuple can decode to wrong values without any error. SCWE-122 covers calldata length validation; this weakness addresses the broader pattern of decoding without length checks.

Remediation

  • Validate data.length >= expectedLength before abi.decode.
  • Use abi.decode with the correct type and ensure the encoded data matches.

Examples

Vulnerable

pragma solidity ^0.8.0;

contract Decoder {
    mapping(address => uint256) public balances;

    function decodeAndUse(bytes calldata data) external {
        // No length check: data shorter than 64 bytes makes abi.decode revert,
        // and data encoded for a different layout can yield a wrong recipient/amount
        (address recipient, uint256 amount) = abi.decode(data, (address, uint256));
        transfer(recipient, amount);
    }

    // Minimal internal transfer so the example compiles (stand-in for the real logic)
    function transfer(address to, uint256 amount) internal {
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
}

Fixed

function decodeAndUse(bytes calldata data) external {
    // (address, uint256) is a static tuple: exactly two 32-byte words are required
    require(data.length >= 32 + 32, "Invalid data length");
    (address recipient, uint256 amount) = abi.decode(data, (address, uint256));
    transfer(recipient, amount);
}
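As an added illustration (not part of this SCWE entry or its code), the following Python models the ABI layout the `32 + 32` check refers to: a static `(address, uint256)` tuple occupies exactly two 32-byte words, so a shorter payload is rejected before any decoding, trailing bytes are tolerated as the `>=` check allows, and the address word is additionally checked for non-zero padding bytes, which the Solidity ABI decoder treats as malformed. Function names are my own and no chain library is used, so it runs offline.

```python
WORD = 32          # one ABI word
ADDR_BYTES = 20    # an address is right-aligned in its word


class DecodeError(ValueError):
    """Raised where the on-chain abi.decode would revert or be rejected."""


def abi_encode_address_uint256(recipient: str, amount: int) -> bytes:
    """Encode (address, uint256) as two left-padded 32-byte ABI words."""
    addr = int(recipient, 16)
    if addr >= 1 << 160 or not 0 <= amount < 1 << 256:
        raise ValueError("value out of range for address/uint256")
    return addr.to_bytes(WORD, "big") + amount.to_bytes(WORD, "big")


def abi_decode_address_uint256(data: bytes) -> tuple[str, int]:
    """Mirror the 'Fixed' path: length check first, then a strict decode."""
    # Remediation step: a static (address, uint256) tuple needs 2 * 32 bytes.
    if len(data) < 2 * WORD:
        raise DecodeError(f"Invalid data length: {len(data)} < {2 * WORD}")
    word0, word1 = data[:WORD], data[WORD:2 * WORD]
    # The 12 leading bytes of the address word must be zero; anything else
    # means the payload was not encoded as (address, uint256).
    if any(word0[:WORD - ADDR_BYTES]):
        raise DecodeError("address word has non-zero padding (malformed input)")
    recipient = "0x" + word0[WORD - ADDR_BYTES:].hex()
    amount = int.from_bytes(word1, "big")
    return recipient, amount


def classify_payload(data: bytes) -> str:
    """Return 'ok' or the rejection reason, for use in a fuzz/log harness."""
    try:
        abi_decode_address_uint256(data)
        return "ok"
    except DecodeError as exc:
        return str(exc)
```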