Short Address Attack
Pronunciation
[shawrt uh-dres uh-tak]
Analogy
Like forgetting the first digits of a bank account number so your transfer goes to a different account.
Definition
An exploit where a transaction’s recipient address is underspecified—missing leading zeros—causing ABI decoding to misalign parameters and potentially redirect funds.
Key Points
Address length: Ethereum addresses must be 20 bytes (40 hex chars)
Parameter shift: missing bytes shift subsequent arguments
Fund diversion: tokens may be sent to unintended recipients
Prevention: clients enforce fixed-length checks and padding
Example
A malicious UI strips leading zeros from a recipient address, causing the transfer function to interpret the wrong destination and send funds to the attacker.
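The argument shift listed under Key Points, and the checks that prevent it, as an added example that is not code from the original glossary entry. It simulates how a contract reads transfer(address,uint256) calldata (a word read past the end of the payload is zero-filled) and compares a flawed client encoder with one that enforces the fixed 20-byte length; the addresses and amounts are constructed sample values.

```python
# Added example, not code from the original glossary entry. It simulates how a
# contract reads transfer(address,uint256) calldata (CALLDATALOAD returns zero
# for bytes past the end of the payload) so the argument shift caused by a
# 19-byte recipient becomes visible, and shows the fixed-length checks that
# stop it. The addresses and amounts are constructed sample values.

SELECTOR = bytes.fromhex("a9059cbb")  # well-known selector of transfer(address,uint256)
WORD = 32                             # every static ABI argument occupies one 32-byte word


def naive_encode(to: bytes, amount: int) -> bytes:
    """Flawed client encoder: pads for a 20-byte address without checking the length."""
    return SELECTOR + b"\x00" * (WORD - 20) + to + amount.to_bytes(WORD, "big")


def checked_encode(to: bytes, amount: int) -> bytes:
    """Defensive client encoder: the recipient must be exactly 20 bytes."""
    if len(to) != 20:
        raise ValueError(f"recipient must be 20 bytes, got {len(to)}")
    return naive_encode(to, amount)


def calldata_length_ok(calldata: bytes, n_static_args: int) -> bool:
    """Contract-side guard: selector plus one full word per argument, nothing less."""
    return len(calldata) == 4 + WORD * n_static_args


def evm_decode_transfer(calldata: bytes):
    """Decode the way the EVM does: a word read beyond calldatasize is zero-filled."""
    def word(offset: int) -> bytes:
        return calldata[offset:offset + WORD].ljust(WORD, b"\x00")
    recipient = word(4)[WORD - 20:]              # low 20 bytes of the first argument word
    amount = int.from_bytes(word(4 + WORD), "big")
    return recipient, amount


if __name__ == "__main__":
    full_addr = bytes.fromhex("00" + "ab" * 19)  # constructed 20-byte address, leading zero byte
    short_addr = full_addr[1:]                    # the same address with that zero byte dropped
    amount = 1_000

    good = naive_encode(full_addr, amount)        # 68 bytes, decodes as intended
    bad = naive_encode(short_addr, amount)        # 67 bytes: every later byte slides left by one
    print(evm_decode_transfer(good))              # recipient == full_addr, amount 1000
    print(evm_decode_transfer(bad))               # wrong recipient, amount decoded as 256000
    print(calldata_length_ok(bad, 2))             # False: a msg.data length check catches it on-chain
    try:
        checked_encode(short_addr, amount)
    except ValueError as err:
        print("client rejected:", err)            # the fixed-length check stops it before sending
```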
Technical Deep Dive
Security Warning
Always validate and pad addresses before encoding; use audited libraries that enforce ABI compliance.
Caveat
Modern tooling has largely mitigated this risk, but legacy contracts or custom parsers may remain vulnerable.