Conflux Network Patches CREATE2 Opcode Vulnerability

Conflux (CFX) Network announced on March 24, 2025, that its security team successfully addressed a vulnerability related to the CREATE2 opcode with the version 2.5 network upgrade.

Background

The vulnerability was detected with assistance from the ecosystem team GraFun, which identified the issue in February 2025. The CREATE2 opcode, introduced in Ethereum’s 2019 Constantinople upgrade, is crucial for smart contract deployment and flexibility within EVM-compatible networks.

The Conflux team explained:
> “In the standard Ethereum Virtual Machine, the CREATE2 opcode fails to deploy a contract if the target address already has a deployed contract, returning a null address. However, the previous implementation of Conflux allowed CREATE2 to redeploy contracts at an address with an existing contract, resetting the contract state to its initial deployment state.”

Resolution

On March 17, 2025, the version 2.5 upgrade was released, resolving the flaw that allowed contract redeployment at existing addresses, which had impacts on Gnosis Safe. Conflux’s security team has confirmed that the vulnerability is fully addressed and assured users that all funds are safe while enhancing EVM compatibility.

Reward for GraFun

GraFun was rewarded with 60,000 Conflux tokens for its contribution to the security upgrade, which included a base bounty of 50,000 tokens for pointing out the CREATE2 opcode bug and an additional 10,000 tokens for a timely report that helped mitigate risks and potential losses.

Conclusion

Conflux disclosed plans for this network upgrade on March 4, 2025, urging node operators to update accordingly, with the upgrade occurring at epoch 118580000.