Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/unbounded-return-data

Name: unbounded-return-data
Author: apegurus

skills/vulnerability-patterns/unbounded-return-data/SKILL.md

- Contract makes a low-level `.call()` to an untrusted or user-specified address

development

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus unbounded-return-data

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:31 AM137.2s1 file scanned

SKILL.md

name:: unbounded-return-data
description:: Return-data handling path that warrants bounded-copy checks
pattern_category:: dos
- regex:: returndatasize
severity:: Medium
confidence:: Medium
swc:: SWC-110

Unbounded Return Data

Preconditions

Contract makes a low-level .call() to an untrusted or user-specified address
Solidity's automatic return data copying is used (default behavior up to at least v0.8.26)
No assembly-level restriction on returndatacopy size
The function is on a critical path where revert would lock funds (withdrawals, undelegation)

Vulnerable Pattern

function unstake(address callback) external {
    uint256 amount = stakes[msg.sender];
    stakes[msg.sender] = 0;

    // Solidity automatically copies ALL return data into memory
    // Attacker's callback contract returns megabytes of data
    // Memory expansion cost grows quadratically — causes out-of-gas
    (bool success,) = callback.call(
        abi.encodeWithSignature("onUnstake(uint256)", amount)
    );
    // Even with limited gas stipend, the return data copy
    // happens in the CALLER's gas context
    require(success, "callback failed");
}

Detection Heuristics

Search for .call(, .delegatecall(, .staticcall( to addresses that could be attacker-controlled
Check if the return data is handled by Solidity's default (captured as bytes memory or discarded but still copied)
If the call target is untrusted and no assembly-level return data size limit is used, flag it
Check if the function is on a critical path — can a revert here lock user funds?
Look for callback patterns (delegation hooks, unstaking callbacks, flash loan callbacks) where the callee is attacker-controlled

False Positives

The call target is a trusted, known contract (not user-controlled)
Assembly is used to limit returndatacopy to a bounded size (e.g., max 32 bytes)
ExcessivelySafeCall or similar library is used for bounded return data
The function doesn't revert on call failure (uses try/catch or ignores success)

Remediation

Use assembly to limit return data size instead of Solidity's automatic copy
Use Nomad's ExcessivelySafeCall library for calls to untrusted addresses
Bound returndatacopy to only the bytes you need (typically 0 or 32)

// Assembly-bounded return data copy
function safeCall(address target, bytes memory data) internal returns (bool success) {
    assembly {
        success := call(gas(), target, 0, add(data, 0x20), mload(data), 0, 0)
        // Only copy up to 32 bytes of return data
        let rdsize := returndatasize()
        if gt(rdsize, 0) {
            if gt(rdsize, 32) { rdsize := 32 }
            returndatacopy(0, 0, rdsize)
        }
    }
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/unbounded-return-data ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

apegurus/unbounded-return-data

skills/vulnerability-patterns/unbounded-return-data/SKILL.md

- Contract makes a low-level `.call()` to an untrusted or user-specified address

development

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus unbounded-return-data

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:31 AM137.2s1 file scanned

SKILL.md

name:: unbounded-return-data
description:: Return-data handling path that warrants bounded-copy checks
pattern_category:: dos
- regex:: returndatasize
severity:: Medium
confidence:: Medium
swc:: SWC-110

Unbounded Return Data

Preconditions

Contract makes a low-level .call() to an untrusted or user-specified address
Solidity's automatic return data copying is used (default behavior up to at least v0.8.26)
No assembly-level restriction on returndatacopy size
The function is on a critical path where revert would lock funds (withdrawals, undelegation)

Vulnerable Pattern

function unstake(address callback) external {
    uint256 amount = stakes[msg.sender];
    stakes[msg.sender] = 0;

    // Solidity automatically copies ALL return data into memory
    // Attacker's callback contract returns megabytes of data
    // Memory expansion cost grows quadratically — causes out-of-gas
    (bool success,) = callback.call(
        abi.encodeWithSignature("onUnstake(uint256)", amount)
    );
    // Even with limited gas stipend, the return data copy
    // happens in the CALLER's gas context
    require(success, "callback failed");
}

Detection Heuristics

Search for .call(, .delegatecall(, .staticcall( to addresses that could be attacker-controlled
Check if the return data is handled by Solidity's default (captured as bytes memory or discarded but still copied)
If the call target is untrusted and no assembly-level return data size limit is used, flag it
Check if the function is on a critical path — can a revert here lock user funds?
Look for callback patterns (delegation hooks, unstaking callbacks, flash loan callbacks) where the callee is attacker-controlled

False Positives

The call target is a trusted, known contract (not user-controlled)
Assembly is used to limit returndatacopy to a bounded size (e.g., max 32 bytes)
ExcessivelySafeCall or similar library is used for bounded return data
The function doesn't revert on call failure (uses try/catch or ignores success)

Remediation

Use assembly to limit return data size instead of Solidity's automatic copy
Use Nomad's ExcessivelySafeCall library for calls to untrusted addresses
Bound returndatacopy to only the bytes you need (typically 0 or 32)

// Assembly-bounded return data copy
function safeCall(address target, bytes memory data) internal returns (bool success) {
    assembly {
        success := call(gas(), target, 0, add(data, 0x20), mload(data), 0, 0)
        // Only copy up to 32 bytes of return data
        let rdsize := returndatasize()
        if gt(rdsize, 0) {
            if gt(rdsize, 32) { rdsize := 32 }
            returndatacopy(0, 0, rdsize)
        }
    }
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/unbounded-return-data ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT