Conflux: Security Enhancement in v2.5 Resolves CREATE2 Opcode Issue

Conflux has announced that its security team has effectively resolved the CREATE2 Opcode vulnerability with the version 2.5 network upgrade.

On March 24, 2025, the Conflux (CFX) Network disclosed that a security flaw, detected with the assistance of ecosystem team GraFun, has been successfully remediated. GraFun allegedly discovered the critical vulnerability in the CREATE2 opcode, linked to the Ethereum (ETH) Virtual Machine, in February of this year.

The CREATE2 opcode, introduced in 2019 via Ethereum’s Constantinople upgrade, is an advanced feature for Ethereum and Ethereum Virtual Machine-compatible networks. It is essential for smart contracts, especially in terms of deployment predictability and flexibility. The Conflux team explained this in more detail:

"In the standard Ethereum Virtual Machine, the CREATE2 opcode does not deploy a contract if the target address already has a deployed contract, returning a null address. However, the previous implementation of Conflux permitted CREATE2 to redeploy contracts at an address with an existing contract, resetting the contract state to its initial deployment state."

According to Conflux, the security problem has been resolved following Conflux’s version 2.5 upgrade that was released on March 17, 2025. The issue, the layer-1 platform noted, "enabled contract redeployment on existing addresses, affecting Gnosis Safe."

The Conflux Network security team has guaranteed users and ecosystem partners that the version 2.5 upgrade has entirely resolved the issue.

Conflux revealed plans for the network upgrade on March 4, 2025, with node operators being instructed to update accordingly. The platform provisionally scheduled the hard fork for mid-March, with this occurring at epoch 118580000.

GraFun received a total of 60,000 Conflux tokens for its role in the security upgrade, including a base bounty of 50,000 tokens for identifying the CREATE2 opcode bug. The platform also received 10,000 tokens for providing a timely report that helped prevent potential exploits and losses.

In its announcement, Conflux confirmed that all user funds are secure and that the network has enhanced EVM compatibility.