Conflux has announced that its security team has resolved the CREATE2 opcode vulnerability with the release of the version 2.5 network upgrade.
On March 24, 2025, the Conflux (CFX) Network revealed that a security flaw was successfully addressed with assistance from the ecosystem team GraFun. GraFun reportedly discovered this critical vulnerability in the CREATE2 opcode, an instruction of the Ethereum Virtual Machine (EVM), earlier in February.
The CREATE2 opcode, introduced in 2019 during Ethereum’s Constantinople upgrade, is available on Ethereum and EVM-compatible networks. Smart contracts rely on it for predictable and flexible deployment. The Conflux team described the difference in behavior:
“In the standard Ethereum Virtual Machine, the CREATE2 opcode fails to deploy a contract if the target address already has a contract deployed, resulting in a null address. However, the prior implementation on Conflux permitted the redeployment of contracts at an address that already had a contract, resetting the contract’s state to its original deployment state.”
Conflux reported that the security concern has been resolved following the version 2.5 upgrade that was launched on March 17, 2025. The layer-1 platform noted that this flaw “enabled contract redeployment on existing addresses, affecting Gnosis Safe.”
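The difference the Conflux team describes can be seen in a toy model, added here as an illustration and not taken from Conflux's or GraFun's code. It assumes the EIP-1014 address layout, uses `hashlib.sha3_256` as a stand-in for Keccak-256 (so the addresses do not match any real chain), and the `Chain` class, `run_scenario` helper and owner names are hypothetical.

```python
import hashlib

def create2_address(deployer: bytes, salt: bytes, init_code: bytes) -> bytes:
    # EIP-1014 layout: low 20 bytes of H(0xff ++ deployer ++ salt ++ H(init_code)).
    # ASSUMPTION: SHA3-256 stands in for Keccak-256 (not in the stdlib).
    h = hashlib.sha3_256
    return h(b"\xff" + deployer + salt + h(init_code).digest()).digest()[12:]

class Chain:
    """Toy account store; models only the CREATE2 collision rule."""
    def __init__(self, reject_collision: bool):
        self.reject_collision = reject_collision  # True = standard EVM rule
        self.accounts = {}                        # address -> {"code", "storage"}

    def create2(self, deployer, salt, init_code, initial_storage):
        addr = create2_address(deployer, salt, init_code)
        if addr in self.accounts and self.reject_collision:
            return None  # standard EVM: creation fails, null address returned
        # Without the check, code and storage are overwritten, so the
        # contract returns to its original deployment state.
        self.accounts[addr] = {"code": init_code,
                               "storage": dict(initial_storage)}
        return addr

def run_scenario(reject_collision: bool):
    """Deploy a wallet, rotate its owner, then repeat the same CREATE2."""
    chain = Chain(reject_collision)
    deployer, salt = b"\x11" * 20, b"\x00" * 32   # constructed sample values
    init_code = b"wallet-init-code"               # placeholder, not bytecode
    genesis = {"owner": "alice"}                  # state set at deployment

    addr = chain.create2(deployer, salt, init_code, genesis)
    chain.accounts[addr]["storage"]["owner"] = "bob"   # later owner rotation

    second = chain.create2(deployer, salt, init_code, genesis)
    return second, chain.accounts[addr]["storage"]["owner"]

if __name__ == "__main__":
    print("standard EVM rule :", run_scenario(True))
    print("pre-2.5 behaviour :", run_scenario(False))
```

Under the standard rule the second deployment returns no address and the rotated owner is kept; without the check the wallet's owner silently reverts to the value set at deployment.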
The security team from Conflux has reassured users and ecosystem partners that the version 2.5 upgrade has completely rectified the issue.
Plans for the network upgrade were announced on March 4, 2025, with node operators instructed to update their systems. The hard fork was tentatively scheduled for mid-March, at epoch 118580000.
GraFun was rewarded with 60,000 Conflux tokens for its contributions to the security upgrade, including a foundational bounty of 50,000 tokens for uncovering the CREATE2 opcode issue. It also received 10,000 tokens for prompt reporting that helped avert potential exploits and losses.
In its announcement, Conflux emphasized that all user funds remain secure and that enhancements to EVM compatibility have been made across the network.