Missing Zero Address Validation
Detects functions that accept address parameters without checking for the zero address, risking permanent fund loss.
Overview
The missing zero address validation detector identifies functions that accept address parameters for critical operations (ownership transfer, token recipient, approval target) without verifying that the address is not address(0). Setting an owner, admin, or recipient to the zero address is almost always a mistake that results in permanently locked funds or irrecoverably lost access control.
Why This Is an Issue
Once ownership is transferred to address(0), no one can call owner-restricted functions — the contract becomes permanently ungovernable. Tokens transferred to address(0) are permanently burned (unless the contract has a recovery mechanism). While some protocols intentionally burn tokens by sending to the zero address, administrative functions should always validate against accidental zero-address assignment.
How to Resolve
// Before: No zero-address check
function transferOwnership(address newOwner) external onlyOwner {
    owner = newOwner;
}

// After: Validated
function transferOwnership(address newOwner) external onlyOwner {
    require(newOwner != address(0), "Zero address");
    owner = newOwner;
}
Detection Methodology
- Address parameter identification: Identifies function parameters used as address types (stored to address-sized storage slots or used in CALL targets).
- Zero-check scan: Looks for ISZERO comparisons on the parameter value before it is used in a critical operation.
- Critical operation classification: Prioritizes ownership transfers, access control updates, and fund transfers over read-only operations.
- Storage write context: Flags address parameters that are written to storage slots associated with admin/owner roles.
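The zero-check scan and storage-write steps above can be illustrated with a small taint tracker over EVM bytecode. This is an added example, not the detector's own code: the function name `unchecked_param_stores` and both bytecode fragments are constructed, and it models only straight-line code with a handful of opcodes.

```python
# Added example: simplified straight-line taint check, not the detector's own code.
CALLDATALOAD, ISZERO, AND, POP, SSTORE, JUMPI, JUMPDEST = 0x35, 0x15, 0x16, 0x50, 0x55, 0x57, 0x5B
HALT = {0x00, 0xF3, 0xFD}  # STOP, RETURN, REVERT

def unchecked_param_stores(code: bytes) -> list[int]:
    """Return pcs of SSTOREs whose value is a calldata word not yet tested with ISZERO."""
    stack, checked, findings, pc = [], set(), [], 0
    while pc < len(code):
        op = code[pc]
        if op in HALT:
            break                         # straight-line only: stop at the first terminator
        if 0x5F <= op <= 0x7F:            # PUSH0..PUSH32: untainted constant
            stack.append(None)
            pc += op - 0x5F               # skip the immediate bytes
        elif 0x80 <= op <= 0x8F:          # DUP1..DUP16 copies the taint label
            stack.append(stack[-(op - 0x7F)])
        elif 0x90 <= op <= 0x9F:          # SWAP1..SWAP16
            n = op - 0x8F
            stack[-1], stack[-1 - n] = stack[-1 - n], stack[-1]
        elif op == CALLDATALOAD:
            stack.pop()
            stack.append(pc)              # taint label = pc of the load
        elif op == ISZERO:
            label = stack.pop()
            if label is not None:
                checked.add(label)        # this parameter has been zero-tested
            stack.append(None)
        elif op == AND:                   # address masking keeps the taint
            a, b = stack.pop(), stack.pop()
            stack.append(a if a is not None else b)
        elif op == SSTORE:
            stack.pop()                   # storage key (top of stack)
            value = stack.pop()
            if value is not None and value not in checked:
                findings.append(pc)
        elif op == JUMPI:
            del stack[-2:]                # destination and condition
        elif op == POP:
            stack.pop()
        elif op != JUMPDEST:
            raise ValueError(f"opcode {op:#04x} at pc {pc} not modelled")
        pc += 1
    return findings

# Constructed, hand-assembled fragments (not compiler output).
# PUSH1 4, CALLDATALOAD, PUSH1 0, SSTORE, STOP
UNCHECKED = bytes.fromhex("60 04 35 60 00 55 00")
# PUSH1 4, CALLDATALOAD, DUP1, ISZERO, PUSH1 0x0c, JUMPI, PUSH1 0, SSTORE, STOP, JUMPDEST, PUSH1 0, DUP1, REVERT
CHECKED = bytes.fromhex("60 04 35 80 15 60 0c 57 60 00 55 00 5b 60 00 80 fd")
```

Because the sweep ignores control flow, a check that sits on a different branch from the store is treated as covering it; deciding that correctly requires building the control-flow graph.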
Limitations
- False positives: Functions that intentionally accept the zero address (e.g., to disable a feature or burn tokens) will be flagged.
- False negatives: Address parameters validated through complex conditional logic may not be recognized.
Related Detectors
- Access Control — detects missing authorization checks
- Input Validation — detects missing input validation broadly