diff --git a/proxy/shadowsocks/protocol.go b/proxy/shadowsocks/protocol.go
index 328639bb..d85fabfc 100644
--- a/proxy/shadowsocks/protocol.go
+++ b/proxy/shadowsocks/protocol.go
@@ -268,6 +268,9 @@ func DecodeUDPPacket(users []*protocol.MemoryUser, payload *buf.Buffer) (*protoc
 
 	if len(users) > 1 {
 		bs := payload.Bytes()
+		if len(bs) <= 32 {
+			return nil, nil, newError("len(bs) <= 32")
+		}
 
 		var aeadCipher *AEADCipher
 		var ivLen int32
diff --git a/proxy/shadowsocks/protocol_test.go b/proxy/shadowsocks/protocol_test.go
index 9b90f7c2..59d863f3 100644
--- a/proxy/shadowsocks/protocol_test.go
+++ b/proxy/shadowsocks/protocol_test.go
@@ -28,7 +28,7 @@ func TestUDPEncoding(t *testing.T) {
 			Email: "love@example.com",
 			Account: toAccount(&Account{
 				Password:   "shadowsocks-password",
-				CipherType: CipherType_AES_128_CFB,
+				CipherType: CipherType_AES_128_GCM,
 			}),
 		},
 	}
@@ -65,7 +65,7 @@ func TestTCPRequest(t *testing.T) {
 					Email: "love@example.com",
 					Account: toAccount(&Account{
 						Password:   "tcp-password",
-						CipherType: CipherType_CHACHA20,
+						CipherType: CipherType_CHACHA20_POLY1305,
 					}),
 				},
 			},
@@ -81,7 +81,7 @@ func TestTCPRequest(t *testing.T) {
 					Email: "love@example.com",
 					Account: toAccount(&Account{
 						Password:   "password",
-						CipherType: CipherType_AES_256_CFB,
+						CipherType: CipherType_AES_256_GCM,
 					}),
 				},
 			},
@@ -97,7 +97,7 @@ func TestTCPRequest(t *testing.T) {
 					Email: "love@example.com",
 					Account: toAccount(&Account{
 						Password:   "password",
-						CipherType: CipherType_CHACHA20_IETF,
+						CipherType: CipherType_AES_128_GCM,
 					}),
 				},
 			},
@@ -139,7 +139,7 @@ func TestUDPReaderWriter(t *testing.T) {
 	user := &protocol.MemoryUser{
 		Account: toAccount(&Account{
 			Password:   "test-password",
-			CipherType: CipherType_CHACHA20_IETF,
+			CipherType: CipherType_CHACHA20_POLY1305,
 		}),
 	}
 	cache := buf.New()
diff --git a/testing/scenarios/shadowsocks_test.go b/testing/scenarios/shadowsocks_test.go
index de842afc..562343ac 100644
--- a/testing/scenarios/shadowsocks_test.go
+++ b/testing/scenarios/shadowsocks_test.go
@@ -52,10 +52,10 @@ func TestShadowsocksAES256TCP(t *testing.T) {
 					Listen:    net.NewIPOrDomain(net.LocalHostIP),
 				}),
 				ProxySettings: serial.ToTypedMessage(&shadowsocks.ServerConfig{
-					User: &protocol.User{
+					Users: []*protocol.User{{
 						Account: account,
 						Level:   1,
-					},
+					}},
 					Network: []net.Network{net.Network_TCP},
 				}),
 			},
@@ -150,10 +150,10 @@ func TestShadowsocksAES128UDP(t *testing.T) {
 					Listen:    net.NewIPOrDomain(net.LocalHostIP),
 				}),
 				ProxySettings: serial.ToTypedMessage(&shadowsocks.ServerConfig{
-					User: &protocol.User{
+					Users: []*protocol.User{{
 						Account: account,
 						Level:   1,
-					},
+					}},
 					Network: []net.Network{net.Network_UDP},
 				}),
 			},
@@ -276,10 +276,10 @@ func TestShadowsocksChacha20TCP(t *testing.T) {
 					Listen:    net.NewIPOrDomain(net.LocalHostIP),
 				}),
 				ProxySettings: serial.ToTypedMessage(&shadowsocks.ServerConfig{
-					User: &protocol.User{
+					Users: []*protocol.User{{
 						Account: account,
 						Level:   1,
-					},
+					}},
 					Network: []net.Network{net.Network_TCP},
 				}),
 			},
@@ -369,10 +369,10 @@ func TestShadowsocksChacha20Poly1305TCP(t *testing.T) {
 					Listen:    net.NewIPOrDomain(net.LocalHostIP),
 				}),
 				ProxySettings: serial.ToTypedMessage(&shadowsocks.ServerConfig{
-					User: &protocol.User{
+					Users: []*protocol.User{{
 						Account: account,
 						Level:   1,
-					},
+					}},
 					Network: []net.Network{net.Network_TCP},
 				}),
 			},
@@ -461,10 +461,10 @@ func TestShadowsocksAES256GCMTCP(t *testing.T) {
 					Listen:    net.NewIPOrDomain(net.LocalHostIP),
 				}),
 				ProxySettings: serial.ToTypedMessage(&shadowsocks.ServerConfig{
-					User: &protocol.User{
+					Users: []*protocol.User{{
 						Account: account,
 						Level:   1,
-					},
+					}},
 					Network: []net.Network{net.Network_TCP},
 				}),
 			},
@@ -560,10 +560,10 @@ func TestShadowsocksAES128GCMUDP(t *testing.T) {
 					Listen:    net.NewIPOrDomain(net.LocalHostIP),
 				}),
 				ProxySettings: serial.ToTypedMessage(&shadowsocks.ServerConfig{
-					User: &protocol.User{
+					Users: []*protocol.User{{
 						Account: account,
 						Level:   1,
-					},
+					}},
 					Network: []net.Network{net.Network_UDP},
 				}),
 			},
@@ -658,10 +658,10 @@ func TestShadowsocksAES128GCMUDPMux(t *testing.T) {
 					Listen:    net.NewIPOrDomain(net.LocalHostIP),
 				}),
 				ProxySettings: serial.ToTypedMessage(&shadowsocks.ServerConfig{
-					User: &protocol.User{
+					Users: []*protocol.User{{
 						Account: account,
 						Level:   1,
-					},
+					}},
 					Network: []net.Network{net.Network_TCP},
 				}),
 			},
@@ -757,10 +757,10 @@ func TestShadowsocksNone(t *testing.T) {
 					Listen:    net.NewIPOrDomain(net.LocalHostIP),
 				}),
 				ProxySettings: serial.ToTypedMessage(&shadowsocks.ServerConfig{
-					User: &protocol.User{
+					Users: []*protocol.User{{
 						Account: account,
 						Level:   1,
-					},
+					}},
 					Network: []net.Network{net.Network_TCP},
 				}),
 			},