Good news. Did a bit of investigation, it seems like this could be vulnerable to a length extension attack [1] (though the attack its still pretty useless in this particular case) but it appears that truncating is both safe and takes care of length extension attacks! [2]

[1]: https://en.wikipedia.org/wiki/Length_extension_attack

[2]: https://crypto.stackexchange.com/questions/18606/is-xoring-a...