Revisiting this thread as we start preparing the next major version of OpenZeppelin Contracts.
My thoughts on this have changed. I now believe that address != 0 checks do make sense and provide value. The reason is that address 0 is a clearly distinct address that can show up in at least two scenarios:
- Read from an uninitialized address value in storage or memory.
- Returned from
ecrecover
applied to an invalid signature.
Rejecting address 0 in interfaces as an invalid account provides a layer of protection against accidentally using these values.
The Nomad hack for example involved the use of address 0 which accidentally had a role assigned.