Last updated: February 06, 2026

SCWE-038: Insecure Use of Selfdestruct

Stable Version v1.0

This content is at version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).

Relationships

  • CWE-732: Incorrect Permission Assignment for Critical Resource

Description

Insecure use of selfdestruct refers to vulnerabilities that arise when the selfdestruct function is used without proper safeguards. This can lead to:

  • Unauthorized destruction of the contract.
  • Loss of funds or data.
  • Exploitation of vulnerabilities in contract logic.

Remediation

  • Restrict access: Ensure only authorized addresses can call selfdestruct. Note: selfdestruct is deprecated per EIP-6049 (Solidity 0.8.24+); prefer migration patterns where possible.
  • Implement circuit breakers: Add mechanisms to halt operations in case of suspicious activity.
  • Test thoroughly: Conduct extensive testing to ensure selfdestruct is used securely.

Examples

  • Insecure Selfdestruct Usage

    pragma solidity ^0.8.0;
    
    contract InsecureSelfdestruct {
        function destroy() public {
            selfdestruct(payable(msg.sender)); // No access control
        }
    }
    

  • Secure Selfdestruct Usage

    pragma solidity ^0.8.0;
    
    contract SecureSelfdestruct {
        address public admin;
    
        constructor(address _admin) {
            admin = _admin;
        }
    
        modifier onlyAdmin() {
            require(msg.sender == admin, "Unauthorized");
            _;
        }
    
        function destroy() public onlyAdmin {
            selfdestruct(payable(admin)); // Restricted to admin
        }
    }
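
The Remediation list also recommends circuit breakers and preferring migration patterns over selfdestruct. The following is an added example, not part of the original SCWE entry: it retires a contract without selfdestruct, and every name in it (RetirableVault, setPaused, retire, PausedSet, Retired) is hypothetical.

```solidity
pragma solidity ^0.8.0;

// Added illustration (hypothetical names): retire a contract without selfdestruct.
contract RetirableVault {
    address public immutable admin;
    bool public paused;  // circuit breaker: blocks new deposits
    bool public retired; // one-way switch: contract is permanently closed
    mapping(address => uint256) public balances;

    event PausedSet(bool isPaused);
    event Retired(address indexed by);

    constructor(address _admin) {
        require(_admin != address(0), "Zero admin");
        admin = _admin;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "Unauthorized");
        _;
    }

    function deposit() external payable {
        require(!paused && !retired, "Deposits halted");
        balances[msg.sender] += msg.value;
    }

    // Withdrawals stay open while paused or retired so users can always exit.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "Nothing to withdraw");
        balances[msg.sender] = 0; // effects before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "Transfer failed");
    }

    // Circuit breaker: admin can halt and resume deposits until retirement.
    function setPaused(bool _paused) external onlyAdmin {
        require(!retired, "Retired");
        paused = _paused;
        emit PausedSet(_paused);
    }

    // Replaces destroy(): one-way close; code and storage stay, no funds go to admin.
    function retire() external onlyAdmin {
        retired = true;
        emit Retired(msg.sender);
    }
}
```

Unlike destroy() in the examples above, retire() never transfers the contract balance to a single address; each depositor withdraws their own recorded balance.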