CREATE2 Opcode bug fixed with v2.5 security upgrade

Conflux says its security team has successfully patched the CREATE2 Opcode vulnerability with version 2.5 network upgrade.

The Conflux (CFX) Network announced on March 24, 2025 that a security vulnerability detected with the help of ecosystem team GraFun, has been successfully patched. GraFun reportedly identified the critical vulnerability in the CREATE2 opcode, related to the Ethereum (ETH) Virtual Machine, in February this year. 

CREATE2 opcode, introduced in 2019 via Ethereum’s Constantinople upgrade, is an advanced feature for Ethereum and Ethereum Virtual Machine-compatible networks. It plays a key role in smart contracts, particularly in deployment predictability and flexibility. The Conflux team elaborated on this:

“In the standard Ethereum Virtual Machine, the CREATE2 opcode fails to deploy a contract if the target address already has a deployed contract, returning a null address. However, the previous implementation of Conflux allowed CREATE2 to redeploy contracts at an address with an existing contract, resetting the contract state to its initial deployment state.”

According to Conflux, the security issue is now resolved following Conflux’s version 2.5 upgrade that shipped on March 17, 2025. The flaw, the layer-1 platform noted, “allowed contract redeployment on existing addresses, impacting Gnosis Safe.”

The Conflux Network security team has assured users and ecosystem partners that the version 2.5 upgrade has fully addressed the flaw.

Conflux disclosed plans for the network upgrade on March 4, 2025, with node operators asked to update accordingly. The platform tentatively scheduled the hard fork for mid-March, with this happening at epoch 118580000.

GraFun received a total of 60,000 Conflux tokens for its role in the security upgrade, including a base bounty of 50,000 tokens for identifying the CREATE2 opcode bug. The platform also received 10,000 tokens for offering a timely report that helped prevent potential exploits and losses.

In its announcement, Conflux said all user funds are safe and that the network has EVM compatibility enhanced.