EVM

Calldata

Calldata is the read-only input data sent to a contract call, usually containing the function selector and ABI-encoded arguments.

Calldata is the raw instruction payload a caller sends to a contract.

Calldata Explained in Detail

Calldata is the read-only byte array supplied to a contract call. For ordinary external function calls, it starts with a 4-byte function selector (the first four bytes of keccak256 over the canonical signature, e.g. transfer(address,uint256)), followed by the ABI-encoded arguments. A call with empty calldata, or with a selector that matches no function, is routed to the contract's receive or fallback function instead, if it has one.

Solidity exposes the full payload as msg.data (bytes calldata) and the selector alone as msg.sig (bytes4). It also lets external function parameters use the calldata data location, which avoids copying dynamic inputs into memory when they only need to be read.

Smart contract example

The admin-gated contract below forwards arbitrary calldata to target with a low-level call:

contract Executor {
    address public owner = msg.sender;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    // Forwards `data` byte-for-byte: the caller picks the selector and every argument.
    function execute(address target, bytes calldata data) external onlyOwner {
        (bool ok,) = target.call(data);
        require(ok, "call failed");
    }
}

That pattern can be valid for an admin executor, but data is still a complete user-controlled instruction payload: whoever passes onlyOwner chooses the target, the selector and every argument, so a leaked or phished owner key turns the contract into a generic proxy for any call. Where the use case allows, restrict target and the leading selector to an explicit allowlist rather than forwarding whatever arrives.

Calldata in Auditing

Calldata is where many trust boundaries begin. It may contain amounts, addresses, signatures, selectors, encoded multicall steps, or proof data.

For public transactions, calldata sits in the public mempool before inclusion, and after inclusion it is permanently visible on-chain. Do not place secrets in calldata and expect them to stay hidden from front-running, MEV searchers, or block builders.

Red flags in code

  • Arbitrary calldata forwarded to privileged or user-chosen targets.

  • Manual calldata parsing in assembly without strict length checks (calldataload past the end of calldata silently reads zero bytes rather than reverting).

  • Multicall logic that lets one call reuse state or permissions from another call.

  • Signature hashes built from ambiguous calldata or abi.encodePacked inputs.

  • Secret values, unrevealed commit salts, or strategy parameters sent before the protocol is ready for them to be public.

How to test or review it

  • Decode calldata for sensitive flows and identify every user-controlled field.

  • Fuzz malformed lengths, empty payloads, extra trailing bytes, and unexpected selectors.

  • Check whether forwarded calldata can call functions outside the intended allowlist.

  • Review msg.data usage in proxies, fallback functions, and meta-transaction code.

  • Treat calldata secrecy assumptions as invalid unless the protocol uses a commit-reveal or private execution design.
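The execute forwarder shown earlier and the review checklist above, worked through as an added Python example; this is not code from the original page or from any project. It assumes an execute(address,bytes) wrapper with a placeholder selector (not computed here), uses the well-known ERC-20 selectors, and builds its sample calldata inline as constructed input. It shows a strict decoder that rejects truncation, trailing bytes and dirty padding, the selector allowlist check execute should run before target.call, and the malformed variants the checklist asks a reviewer to fuzz.

```python
"""Strict calldata decoder plus the selector-allowlist check an execute()-style forwarder
should apply. Added example for this page, not project code; decodes only uint256, address
and dynamic bytes, enough for ERC-20 calls and an execute(address,bytes) wrapper."""

WORD = 32

# First 4 bytes of keccak256 of the canonical signature (well-known ERC-20 selectors).
SELECTORS = {
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
}
# Placeholder for the wrapper's own selector (not computed here; nothing below keys on it).
EXECUTE_SELECTOR = bytes.fromhex("deadbeef")

class CalldataError(ValueError): pass

def decode_calldata(data, types):
    """Return (selector, args); rejects trailing bytes and dirty padding that Solidity tolerates."""
    if len(data) < 4:
        raise CalldataError("no selector: fewer than 4 bytes (would hit fallback/receive)")
    selector, body = data[:4], data[4:]
    consumed = WORD * len(types)  # the head is one 32-byte word per argument
    if len(body) < consumed:
        raise CalldataError("argument head truncated")
    args = []
    for i, t in enumerate(types):
        head = body[i * WORD:(i + 1) * WORD]
        if t == "uint256":
            args.append(int.from_bytes(head, "big"))
        elif t == "address":
            if any(head[:12]):
                raise CalldataError("dirty upper bytes in address word")
            args.append("0x" + head[12:].hex())
        elif t == "bytes":
            offset = int.from_bytes(head, "big")
            if offset != consumed:  # tails must follow the head in order, with no gaps
                raise CalldataError(f"bytes offset {offset} != expected {consumed}")
            if offset + WORD > len(body):
                raise CalldataError("bytes length word runs past end of calldata")
            length = int.from_bytes(body[offset:offset + WORD], "big")
            start, end = offset + WORD, offset + WORD + length
            padded_end = start + (length + WORD - 1) // WORD * WORD
            if padded_end > len(body):
                raise CalldataError("bytes length exceeds calldata")
            if any(body[end:padded_end]):
                raise CalldataError("non-zero padding after bytes payload")
            args.append(body[start:end])
            consumed = padded_end
        else:
            raise CalldataError(f"unsupported type {t}")
    if len(body) != consumed:
        raise CalldataError(f"{len(body) - consumed} trailing byte(s) after arguments")
    return selector, args

def review_forwarded_call(forwarded, allowed):
    """Check execute() should run before target.call(data); short payloads reach receive/fallback."""
    if len(forwarded) < 4:
        return False, "no selector"
    sel = forwarded[:4]
    if sel not in allowed:
        return False, f"selector 0x{sel.hex()} not in allowlist"
    return True, SELECTORS.get(sel, "unknown selector")

def malformed_variants(data):
    """The mutations the review checklist asks for, applied to one valid payload."""
    return {
        "empty": b"",
        "selector_only": data[:4],
        "truncated": data[:-1],
        "trailing_byte": data + b"\x00",
        "dirty_address": data[:4] + b"\xff" + data[5:],
        "unexpected_selector": bytes.fromhex("095ea7b3") + data[4:],
    }

def encode_execute(target_hex, inner):
    """Constructed sample: ABI-encode execute(address,bytes) around an inner payload."""
    head = bytes.fromhex(target_hex[2:]).rjust(WORD, b"\x00") + (2 * WORD).to_bytes(WORD, "big")
    tail = len(inner).to_bytes(WORD, "big") + inner + b"\x00" * (-len(inner) % WORD)
    return EXECUTE_SELECTOR + head + tail

# Constructed sample: the owner forwards transfer(TO, 1e6) to TARGET through execute().
TO, TARGET = "0x" + "11" * 20, "0x" + "22" * 20
TRANSFER_CALL = (bytes.fromhex("a9059cbb")
                 + bytes.fromhex(TO[2:]).rjust(WORD, b"\x00")
                 + (1_000_000).to_bytes(WORD, "big"))
OUTER = encode_execute(TARGET, TRANSFER_CALL)

def audit(outer, allowed):
    """Decode the wrapper, allowlist-check the inner call, record why each variant is rejected."""
    _, (target, inner) = decode_calldata(outer, ["address", "bytes"])
    ok, why = review_forwarded_call(inner, allowed)
    outcome = {}
    for name, variant in malformed_variants(inner).items():
        try:
            decode_calldata(variant, ["address", "uint256"])
            outcome[name] = None if review_forwarded_call(variant, allowed)[0] else "not in allowlist"
        except CalldataError as err:
            outcome[name] = str(err)
    return {"target": target, "inner_ok": ok, "inner_why": why, "variants": outcome}
```

audit(OUTER, {bytes.fromhex("a9059cbb")}) reports the decoded target, that the inner transfer passes the allowlist, and a rejection reason for every variant. The unexpected_selector case is the instructive one: approve has the same argument types as transfer, so the payload decodes cleanly and is stopped only by the allowlist, which is why format validation and call policy are kept as separate checks.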
