Conflux Fixes CREATE2 Opcode Bug with v2.5 Security Upgrade

Conflux Network has successfully addressed a critical vulnerability in the CREATE2 opcode, which was discovered in February 2025 with the help of GraFun, an ecosystem security team. The vulnerability was patched with the network’s version 2.5 upgrade, which went live on March 17, 2025.

The CREATE2 opcode is an advanced feature introduced in Ethereum’s 2019 Constantinople upgrade and is used in Ethereum and Ethereum Virtual Machine (EVM)-compatible networks. This opcode plays a significant role in enhancing the deployment predictability and flexibility of smart contracts. However, the bug that was discovered in Conflux’s implementation allowed the redeployment of contracts at an address where one already existed, effectively resetting the contract state to its initial deployment state. In contrast, the standard EVM implementation of CREATE2 prevents contract deployment at addresses with an existing contract, returning a null address.

This flaw had the potential to impact major projects such as Gnosis Safe, but with the successful patching of the issue via the v2.5 upgrade, the security team assured that the vulnerability is now resolved. The network’s latest upgrade not only addresses the security issue but also enhances its EVM compatibility.

The Conflux team had announced the planned network upgrade on March 4, 2025, and requested node operators to update accordingly. The hard fork was executed at epoch 118580000, successfully resolving the issue.

GraFun, which identified the bug, was rewarded with 60,000 Conflux tokens, including a 50,000 token bounty for discovering the vulnerability and an additional 10,000 tokens for providing a timely report that helped avert potential exploits.

With the security flaw fixed, Conflux emphasized that all user funds are secure, and the network’s compatibility with EVM has been strengthened.