Last updated: February 06, 2026

SCWE-143: Critical Address Parameters Not Validated for Zero Address

Stable Version v1.0

This content is in version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).

Relationships

Description

Critical address parameters (owner, oracle, fee recipient, token address) that are not validated against address(0) can brick the contract or cause funds to be sent to the burn address. Assigning address(0) as owner prevents any owner-only actions; using it as a recipient loses funds permanently. SCWE-091 covers zero values in token transfers; this weakness covers the zero address.

Remediation

  • Validate all critical address parameters in constructors and setters with require(addr != address(0), "Zero address").
  • Use custom errors for gas efficiency where appropriate.

Examples

Vulnerable

pragma solidity ^0.8.0;

contract Vault {
    address public owner;
    address public feeRecipient;

    constructor(address _owner, address _feeRecipient) {
        owner = _owner;           // No check: address(0) bricks contract
        feeRecipient = _feeRecipient;  // No check: fees sent to burn address
    }

    function collectFees() external {
        uint256 fees = address(this).balance;
        (bool ok, ) = feeRecipient.call{value: fees}("");
        require(ok, "Transfer failed");
    }
}

Fixed

constructor(address _owner, address _feeRecipient) {
    require(_owner != address(0), "Invalid owner");
    require(_feeRecipient != address(0), "Invalid fee recipient");
    owner = _owner;
    feeRecipient = _feeRecipient;
}
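
The remediation also names setters and custom errors, which the Fixed constructor above does not show. The following is an added example, not part of the original SCWE entry: the same Vault with one shared zero-address check used by the constructor and by both setters. The error, event, setter and helper names (ZeroAddress, NotOwner, OwnerChanged, FeeRecipientChanged, transferOwnership, setFeeRecipient, _requireNonZero) are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // custom errors need Solidity 0.8.4 or later

// Added example; error, event and setter names are illustrative assumptions.
contract Vault {
    error ZeroAddress();
    error NotOwner();

    event OwnerChanged(address indexed previousOwner, address indexed newOwner);
    event FeeRecipientChanged(address indexed previousRecipient, address indexed newRecipient);

    address public owner;
    address public feeRecipient;

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address _owner, address _feeRecipient) {
        _requireNonZero(_owner);
        _requireNonZero(_feeRecipient);
        owner = _owner;
        feeRecipient = _feeRecipient;
    }

    // Setters repeat the constructor's check: validating only at deployment
    // does not stop a later update from storing address(0).
    function transferOwnership(address newOwner) external onlyOwner {
        _requireNonZero(newOwner);
        emit OwnerChanged(owner, newOwner);
        owner = newOwner;
    }

    function setFeeRecipient(address newRecipient) external onlyOwner {
        _requireNonZero(newRecipient);
        emit FeeRecipientChanged(feeRecipient, newRecipient);
        feeRecipient = newRecipient;
    }

    // Single shared check; reverts with the 4-byte ZeroAddress selector
    // instead of an ABI-encoded revert string.
    function _requireNonZero(address addr) private pure {
        if (addr == address(0)) revert ZeroAddress();
    }
}
```

Emitting an event on each change gives monitoring a record of every owner and fee-recipient update, so an unexpected reassignment is visible off-chain.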