Free Developer Tool

Solidity Function Selector Workbench

Paste a Solidity signature, selector, custom error, or calldata blob and get the ABI routing bytes without digging through documentation.

Function selector
0xa9059cbb

transfer(address,uint256)

Calculation trace
  1. Canonical signature
  2. keccak256 hash
  3. first 4 bytes
0xa9059cbb2ab09eb2...
selector a9059cbb
arguments address recipient, uint256 amount
Examples:
Keccak256 Hash
Selector (4 bytes)
Canonical Signature
Want to learn how to hack and break smart contracts? Start the free trial and practice real exploit patterns in guided SCH labs.
Start Free Trial

Calldata Anatomy

How the EVM reads function calls

Function Selector 4 bytes a9059cbb
Argument 1 32 bytes (padded) 0000...recipient
Argument 2 32 bytes (padded) 0000...amount
bytes[0:4]: keccak256 of signature, first 4 bytes
bytes[4:36]: ABI-encoded first parameter
bytes[36:68]: ABI-encoded second parameter

Example: transfer(address,uint256) call to send 100 tokens to an address.

Function selectors, without the wall of text

Function 4 bytes

Placed at the start of calldata so the dispatcher knows which function to run.

Event 32 bytes

Stored as topic[0], using the full hash for log filtering.

Error 4 bytes

Custom revert data starts with the error selector, just like calldata.

When you call a function on an Ethereum smart contract, the EVM doesn't use the function name directly. Instead, each function is identified by its selector, a compact 4-byte identifier derived from the function's signature. This selector is the first 4 bytes of the keccak256 hash of the function's canonical signature.

For example, calling transfer(address,uint256) on an ERC-20 token doesn't send the string "transfer" on-chain. It sends 0xa9059cbb followed by ABI-encoded arguments. The contract's dispatcher matches this 4-byte prefix to the correct function's code.

How Function Selectors Are Computed

The computation follows three steps:

  1. Canonicalize the signature. Write the function name followed by its parameter types in parentheses, with no spaces and no parameter names: transfer(address,uint256)
  2. Hash with keccak256. Compute the keccak256 hash of the UTF-8 encoded signature string, producing 32 bytes.
  3. Take the first 4 bytes. The function selector is bytes4(keccak256("transfer(address,uint256)")), which equals 0xa9059cbb.

Functions vs Events vs Errors

Functions use a 4-byte selector placed at the beginning of transaction calldata. The EVM's dispatcher uses this to route the call.

Events use the full 32-byte keccak256 hash as topic[0] in the transaction log. The full hash is needed because logs are indexed for efficient filtering, and 4 bytes would cause too many collisions across all contracts.

Custom Errors (introduced in Solidity 0.8.4) use a 4-byte selector just like functions. When a contract reverts with a custom error, the revert data starts with the error's 4-byte selector instead of the generic Error(string) selector.

4byte Lookup and Error Selectors

If you see a value like 0xef28f901 in revert data, calldata, a trace, or an explorer, treat it as a selector first. Paste it into the decode tab to check local known matches, then compare against 4byte.directory or Openchain when the selector is not in the local database.

For a custom error, compute the selector from the canonical error signature, such as NotOwner(address). For collision-sensitive systems, review the selector against proxy, router, diamond, and fallback dispatch code so a selector collision cannot route a call to the wrong logic.

Security Alert: Selector Collisions

Since selectors are only 4 bytes, collisions are mathematically inevitable. Different function signatures can produce identical selectors.

In transparent proxy patterns, if a proxy function's selector collides with an implementation function's selector, the proxy intercepts the call. Attackers have exploited this to bypass access controls and call unintended logic.

Selector clashing is also used in calldata-based phishing, where malicious contracts disguise function calls to deceive users and wallets.

Learn About Call Attacks

Common Function Selectors Reference

Most frequently used selectors in Ethereum smart contracts

Selector Function Standard Action
0xa9059cbb transfer(address,uint256) ERC-20
0x095ea7b3 approve(address,uint256) ERC-20
0x23b872dd transferFrom(address,address,uint256) ERC-20
0x70a08231 balanceOf(address) ERC-20
0xdd62ed3e allowance(address,address) ERC-20
0x18160ddd totalSupply() ERC-20
0x6352211e ownerOf(uint256) ERC-721
0x42842e0e safeTransferFrom(address,address,uint256) ERC-721
0xc87b56dd tokenURI(uint256) ERC-721

Frequently Asked Questions

Master Smart Contract Security

Learn how selector collisions, calldata manipulation, and low-level call vulnerabilities lead to real-world exploits. Our comprehensive course teaches you to identify and prevent these attacks.