SCWE-009: Deprecated Variable and Function Usage
Stable Version v1.0
This content is at version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).
Relationships
- CWE-477: Use of Obsolete Function https://cwe.mitre.org/data/definitions/477.html
Description
The use of deprecated variables and functions refers to employing code elements that are no longer recommended for use, either due to obsolescence, security concerns, or the introduction of better alternatives. Using such elements can cause issues, including reduced compatibility, poor maintainability, and security vulnerabilities. Specific concerns related to deprecated usage are:
- Security risks: Deprecated functions may have known vulnerabilities or might not be patched.
- Compatibility issues: Newer compiler versions and environments may not support deprecated code.
- Maintenance difficulties: Continuing to use deprecated code increases the complexity of codebase management and prevents clean upgrades.
Remediation
- Replace deprecated functions: Always use the recommended and supported alternatives in the latest compiler versions.
- Update dependencies: If relying on libraries that use deprecated elements, upgrade to versions that support current standards.
- Monitor for deprecation warnings: Stay informed about deprecated functions in the Solidity language or external libraries and refactor the code when necessary.
Examples
Contract with Deprecated Function Usage
pragma solidity ^0.4.0;

contract DeprecatedUsage {
    address public owner;
    uint public balance;

    // Deprecated function, example using older Solidity versions
    function sendTransaction(address recipient, uint amount) public {
        recipient.transfer(amount);
    }
}
In this example, the transfer function in Solidity's older versions is deprecated. Continuing to use such functions can cause issues with future compiler versions.
Improved Contract without Deprecated Usage
pragma solidity ^0.8.0;

contract UpdatedUsage {
    address public owner;
    uint public balance;

    // Replaced with call{value}: avoids the 2300 gas limit of transfer/send
    function sendTransaction(address recipient, uint amount) public {
        (bool success, ) = payable(recipient).call{value: amount}("");
        require(success, "Transfer failed");
    }
}
The updated contract uses call{value} instead of the deprecated transfer/send, avoiding the 2300 gas limit that can cause DoS when the recipient is a contract (see SCWE-079), and it checks the returned success flag so a failed transfer reverts instead of being silently ignored.
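To support the "monitor for deprecation warnings" remediation above, here is an added example (not part of this SCWE entry or any project's tooling) that scans Solidity source for the transfer/send pattern shown on this page and, going beyond the page, for the other 0.4-era constructs removed in Solidity 0.5.0; the constructed sample input is the DeprecatedUsage contract from this page, and the pattern list and replacement hints are the example's own assumptions.

```python
import re
from typing import List, Tuple

# Deprecated or removed Solidity constructs and the replacement to refactor to.
# .transfer/.send follow this page's remediation; the rest were removed in 0.5.0.
DEPRECATED = [
    (r"\.transfer\s*\(", "address.transfer(...)", 'call{value: ...}("") plus a success check'),
    (r"\.send\s*\(", "address.send(...)", 'call{value: ...}("") plus a success check'),
    (r"\bsha3\s*\(", "sha3(...)", "keccak256(...)"),
    (r"\bsuicide\s*\(", "suicide(...)", "selfdestruct(...)"),
    (r"\bthrow\s*;", "throw", "revert()/require()"),
    (r"\bvar\s+[A-Za-z_]", "var", "an explicit type"),
    (r"\.callcode\s*\(", "address.callcode(...)", "delegatecall"),
    (r"\bblock\.blockhash\s*\(", "block.blockhash(...)", "blockhash(...)"),
    (r"\bmsg\.gas\b", "msg.gas", "gasleft()"),
]
# Any version pragma that still admits a 0.4.x compiler.
OLD_PRAGMA = re.compile(r"pragma\s+solidity\s+[^;]*\b0\.4\.")


def find_deprecated(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, construct, replacement) for each hit in Solidity source.
    Simplification: only '//' line comments are skipped; '/* */' blocks and string
    literals are scanned as code, so each hit should be reviewed, not acted on blindly."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.split("//", 1)[0]
        if OLD_PRAGMA.search(line):
            findings.append((lineno, "pragma allowing 0.4.x", "a current compiler, e.g. ^0.8.0"))
        for pattern, construct, replacement in DEPRECATED:
            if re.search(pattern, line):
                findings.append((lineno, construct, replacement))
    return findings


# Constructed sample input: the DeprecatedUsage contract from this page.
SAMPLE_OLD = """pragma solidity ^0.4.0;
contract DeprecatedUsage {
    address public owner;
    uint public balance;
    // Deprecated function, example using older Solidity versions
    function sendTransaction(address recipient, uint amount) public {
        recipient.transfer(amount);
    }
}
"""

if __name__ == "__main__":
    for lineno, construct, replacement in find_deprecated(SAMPLE_OLD):
        print(f"line {lineno}: {construct} -> use {replacement}")
```

Run against the page's updated contract the scanner reports nothing, while the 0.4 contract is flagged on its pragma line and on the transfer call.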