Misuse Of Create2 Opcode

What it detects

CREATE2 allows deploying a contract at a predictable address, but misuse can lead to address collisions, replay of deployments across chains, or the creation of contracts whose code can later change. The detector flags questionable deployment patterns that use create2.

Typical symptoms

  • Salt derived from user input without checks
  • Deployment bytecode may be replaceable or unsafe

Solidity snippet (v0.8.25)

    pragma solidity ^0.8.25;

    contract Factory {
        // Deliberately unsafe: the caller controls both the salt and the init
        // code, so anyone can reserve, front-run or reuse any address this
        // factory can produce, and any code can be placed there.
        function deploy(bytes32 salt, bytes memory code) external {
            address addr;
            assembly {
                // create2(value, code offset, code length, salt)
                addr := create2(0, add(code, 32), mload(code), salt)
            }
            require(addr != address(0), "fail");
        }
    }

Why it matters on EVM

Improper CREATE2 use lets attackers precompute addresses, deploy malicious code later, or interfere with deterministic deployments.
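A hardened counterpart to the snippet above, added here as an example and not taken from the detector's own documentation: the salt is scoped to the deployer and chain, the init code is pinned to a known hash, and the expected address is computed with the EIP-1014 formula so callers can verify it before and after deployment. The contract name, INIT_CODE_HASH and the helper names are assumptions.

```solidity
pragma solidity ^0.8.25;

contract SafeFactory {
    // keccak256 of the only init code this factory will ever deploy.
    bytes32 public immutable INIT_CODE_HASH;

    event Deployed(address indexed addr, address indexed deployer, bytes32 salt);

    constructor(bytes32 initCodeHash) {
        INIT_CODE_HASH = initCodeHash;
    }

    // Namespacing the user salt by deployer stops one caller from claiming or
    // front-running another caller's address; mixing in chainid keeps the same
    // (factory, salt, code) tuple from resolving to one address on every chain.
    function _scopedSalt(address deployer, bytes32 userSalt) internal view returns (bytes32) {
        return keccak256(abi.encode(deployer, block.chainid, userSalt));
    }

    // EIP-1014: address = last 20 bytes of keccak256(0xff ++ factory ++ salt ++ keccak256(initCode)).
    function predictAddress(address deployer, bytes32 userSalt) public view returns (address) {
        bytes32 salt = _scopedSalt(deployer, userSalt);
        bytes32 digest = keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, INIT_CODE_HASH));
        return address(uint160(uint256(digest)));
    }

    function deploy(bytes32 userSalt, bytes memory code) external returns (address addr) {
        // Reject any init code other than the pinned one, so arbitrary logic can
        // never be placed at an address this factory is trusted to produce.
        require(keccak256(code) == INIT_CODE_HASH, "unexpected init code");

        bytes32 salt = _scopedSalt(msg.sender, userSalt);
        address expected = predictAddress(msg.sender, userSalt);

        assembly {
            // create2(value, code offset, code length, salt); returns 0 on failure,
            // including when code already exists at the target address.
            addr := create2(0, add(code, 32), mload(code), salt)
        }
        require(addr != address(0), "create2 failed");
        require(addr == expected, "address mismatch");

        emit Deployed(addr, msg.sender, salt);
    }
}
```

Because the init code hash is fixed at construction, constructor arguments for the deployed contract must be baked into that code rather than supplied per call.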