Deprecated Functions
Detects usage of deprecated Solidity functions and constructs that may be removed in future compiler versions.
Overview
The deprecated functions detector identifies usage of Solidity built-in functions and constructs that have been deprecated or removed. Common examples include suicide() (replaced by selfdestruct()), sha3() (replaced by keccak256()), callcode() (replaced by delegatecall()), and throw (replaced by revert()). Using deprecated constructs indicates the contract was written for an older Solidity version and may contain other outdated patterns.
Why This Is an Issue
Deprecated functions may behave differently from their replacements or may be removed entirely in future compiler versions. callcode and delegatecall have subtly different msg.sender and msg.value semantics. throw consumes all remaining gas, whereas revert() refunds it. These outdated patterns also signal that the contract may not have been updated for other security improvements introduced in newer Solidity versions.
How to Resolve
| Deprecated | Replacement |
|---|---|
| suicide(addr) | selfdestruct(addr) |
| sha3(...) | keccak256(...) |
| callcode(...) | delegatecall(...) |
| throw | revert() or require() |
| msg.gas | gasleft() |
| block.blockhash(n) | blockhash(n) |
| now | block.timestamp |
Detection Methodology
- Opcode pattern matching: Identifies CALLCODE opcodes (deprecated in favor of DELEGATECALL).
- Metadata analysis: Checks the compiler version from bytecode metadata to determine which constructs were available.
- Alias detection: For source-available contracts, matches deprecated function names against the known deprecation list.
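The opcode and metadata checks above can be sketched as follows. This is an added example, not the detector's own code: the function names are hypothetical, the sample bytecode is constructed, and the trailer layout assumed is solc's CBOR map followed by a 2-byte big-endian length.

```python
CALLCODE = 0xF2            # opcode the detector flags (DELEGATECALL is 0xF4)
PUSH1, PUSH32 = 0x60, 0x7F  # PUSHn carries n immediate data bytes


def metadata_length(code: bytes) -> int:
    """Bytes occupied by solc's CBOR metadata trailer, or 0 if none is plausible."""
    if len(code) < 2:
        return 0
    total = int.from_bytes(code[-2:], "big") + 2   # CBOR blob + 2-byte length
    if total == 2 or total > len(code):
        return 0
    # The blob is a CBOR map, so its first byte has major type 5 (0xa0-0xbf).
    return total if code[-total] >> 5 == 5 else 0


def solc_version(code: bytes):
    """(major, minor, patch) from the trailer's "solc" entry, else None."""
    n = metadata_length(code)
    trailer = code[len(code) - n:] if n else b""
    i = trailer.rfind(b"\x64solc\x43")  # text(4) "solc", then a 3-byte string
    return tuple(trailer[i + 6:i + 9]) if i >= 0 else None


def find_callcode(code: bytes) -> list:
    """Program counters of real CALLCODE instructions in runtime bytecode."""
    end = len(code) - metadata_length(code)   # do not disassemble the trailer
    hits, pc = [], 0
    while pc < end:
        op = code[pc]
        if op == CALLCODE:
            hits.append(pc)
        if PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1               # skip the immediate data
        pc += 1
    return hits


# Constructed sample: PUSH1 0xf2, PUSH1 0x00, DUP1, CALLCODE, STOP, then a trailer
# whose fake hash is all 0xf2 bytes and whose solc entry encodes 0.6.12.
META = b"\xa2\x64ipfs\x58\x22" + b"\xf2" * 34 + b"\x64solc\x43\x00\x06\x0c"
SAMPLE = bytes.fromhex("60f2600080f200") + META + len(META).to_bytes(2, "big")

if __name__ == "__main__":
    print("naive 0xf2 byte count:", SAMPLE.count(0xF2))
    print("CALLCODE at pc:", find_callcode(SAMPLE))
    print("solc version:", solc_version(SAMPLE))
```

Walking the instruction stream instead of searching for the raw byte keeps PUSH immediates and the metadata hash from being reported as CALLCODE.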
Limitations
- False positives: Some deprecated constructs (like now) are syntactic sugar that compiles to the same bytecode as the replacement (block.timestamp), making bytecode-level detection impossible.
- False negatives: Deprecated patterns that compile to the same opcodes as their replacements cannot be distinguished in bytecode.
Related Detectors
- Floating Pragma — detects unpinned compiler versions
- Outdated Compiler — detects old compiler versions