diff --git a/lib/utils/bech32.js b/lib/utils/bech32.js
index 4f536009..3ba29c92 100644
--- a/lib/utils/bech32.js
+++ b/lib/utils/bech32.js
@@ -260,7 +260,16 @@ function convert(data, output, frombits, tobits, pad, off) {
 
 function encode(hrp, version, hash) {
   var output = POOL65;
-  var data = convert(hash, output, 8, 5, version, 0);
+  var data;
+
+  if (version < 0 || version > 16)
+    throw new Error('Invalid bech32 version.');
+
+  if (hash.length < 2 || hash.length > 40)
+    throw new Error('Invalid bech32 data length.');
+
+  data = convert(hash, output, 8, 5, version, 0);
+
   return serialize(hrp, data);
 }
 
@@ -279,13 +288,19 @@ function decode(str) {
   var data = result.data;
   var version, hash, output;
 
-  if (data.length < 1)
+  if (data.length === 0 || data.length > 65)
     throw new Error('Invalid bech32 data length.');
 
+  if (data[0] > 16)
+    throw new Error('Invalid bech32 version.');
+
   version = data[0];
   output = data;
   hash = convert(data, output, 5, 8, -1, 1);
 
+  if (hash.length < 2 || hash.length > 40)
+    throw new Error('Invalid bech32 data length.');
+
   return new AddrResult(hrp, version, hash);
 }