CREATE2 Collision
Detects CREATE2 deployments where salt values can be predicted or brute-forced, enabling address collision attacks.
Overview
The CREATE2 collision detector identifies contracts that use CREATE2 with predictable or externally controlled salt values. CREATE2 deploys a contract to a deterministic address: the last 20 bytes of keccak256(0xff ++ deployerAddress ++ salt ++ keccak256(initCode)), as specified in EIP-1014. Because the address depends only on the deployer, the salt and the init code hash, anyone who controls or can predict the salt can pre-compute the deployment address and act on it before the legitimate deployment: claim the address by deploying first, or, where the init code reads its runtime bytecode from mutable state (so the init code hash, and therefore the address, stays the same while the logic that ends up there changes), place different logic at the expected address. The selfdestruct-then-redeploy variant of this attack depended on clearing the code at the address; since EIP-6780 (Cancun) SELFDESTRUCT only removes code when executed in the transaction that created the contract, so that variant is closed on chains that have adopted it, while the other two remain.
Why This Is an Issue
Protocols that rely on CREATE2 addresses for trust (e.g., counterfactual wallets, Uniswap pair addresses) assume that the code which ends up at the address matches the expected init code hash. That assumption holds only if both inputs to the address are pinned. A user-controlled salt lets any caller trigger, or front-run, a deployment at an address that someone else computed and trusts. Init code with mutable components, whether a user-supplied bytecode parameter (the factory then deploys arbitrary logic under its own name) or init code that fetches its runtime code from storage, lets different bytecode land at an address whose init code hash looked fixed. Contracts that pre-approve or send funds to a CREATE2 address before deployment are especially exposed, because the funds are already committed by the time the attacker decides what gets deployed there.
How to Resolve
Derive the salt from msg.sender so that no other caller can produce the same address, and pin the init code inside the factory so that the code at the address is known in advance. Predictability by itself is not the problem (the fixed version is still fully predictable per caller); third-party control of the salt or of the init code is.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// The contract the factory is meant to deploy; its creation code is compiled into the factory.
contract KnownContract {}

// Before: Vulnerable. The caller chooses the salt and supplies the init code, so the factory
// will deploy any bytecode at any address the caller can compute.
contract VulnerableFactory {
    function deploy(bytes32 salt, bytes memory code) external returns (address) {
        address deployed;
        assembly {
            deployed := create2(0, add(code, 32), mload(code), salt)
        }
        return deployed;
    }
}

// After: Fixed. The salt is bound to msg.sender and the init code is fixed by the factory.
contract FixedFactory {
    function deploy(bytes32 userSalt) external returns (address) {
        bytes32 salt = keccak256(abi.encodePacked(msg.sender, userSalt));
        address deployed = address(new KnownContract{salt: salt}());
        return deployed;
    }
}
```
Detection Methodology
- CREATE2 identification: Locates CREATE2 opcodes in the bytecode.
- Salt origin tracing: Traces the salt value backward through the data flow to determine if it originates from user input (CALLDATALOAD) or is internally derived.
- Init code analysis: Checks whether the init code is static (hardcoded) or dynamic (user-provided bytecode parameter).
- Access control check: Verifies whether the deploy function is access-controlled (admin-only vs. public).
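The first two methodology steps, locating CREATE2 opcodes and tracing the salt operand back to its origin, worked on constructed straight-line bytecode. This is an added illustration, not the detector's implementation: it handles a small opcode subset, has no jump or branch support, and models memory as a single taint set, so it sketches the approach rather than reproducing the tool's data-flow engine. The three bytecode samples are hand-assembled for this example and were not compiled from any real contract.

```python
"""Toy CREATE2 locator and salt-origin tracer for straight-line EVM bytecode (illustration only)."""

CREATE2 = 0xf5
# Opcode subset used by the samples: opcode -> (mnemonic, stack pops, stack pushes).
OPS = {
    0x00: ("STOP", 0, 0), 0x01: ("ADD", 2, 1), 0x16: ("AND", 2, 1),
    0x20: ("SHA3", 2, 1), 0x33: ("CALLER", 0, 1), 0x35: ("CALLDATALOAD", 1, 1),
    0x37: ("CALLDATACOPY", 3, 0), 0x50: ("POP", 1, 0), 0x51: ("MLOAD", 1, 1),
    0x52: ("MSTORE", 2, 0), 0x54: ("SLOAD", 1, 1), 0xf3: ("RETURN", 2, 0),
    CREATE2: ("CREATE2", 4, 1),
}


def disassemble(code: bytes):
    """Linear sweep that skips PUSH immediates, so bytes inside PUSH data are never read as opcodes."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        width = op - 0x5f if 0x60 <= op <= 0x7f else 0   # PUSH1..PUSH32 carry 1..32 immediate bytes
        yield pc, op, code[pc + 1:pc + 1 + width]
        pc += 1 + width


def naive_scan(code: bytes) -> int:
    """What a plain byte search reports: every 0xf5 byte, including ones inside PUSH data."""
    return code.count(bytes([CREATE2]))


def find_create2(code: bytes):
    """Walk straight-line code carrying a set of origin labels per stack slot and one coarse set for all
    of memory; report the labels reaching each CREATE2's salt operand and its init code (memory)."""
    stack, mem, found = [], set(), []
    for pc, op, _imm in disassemble(code):
        if 0x60 <= op <= 0x7f:                       # PUSHn
            stack.append({"const"})
        elif 0x80 <= op <= 0x8f:                     # DUP1..DUP16
            stack.append(set(stack[-(op - 0x7f)]))
        elif 0x90 <= op <= 0x9f:                     # SWAP1..SWAP16
            i = op - 0x8f
            stack[-1], stack[-1 - i] = stack[-1 - i], stack[-1]
        elif op == 0x35:                             # CALLDATALOAD: result is user input
            stack.pop()
            stack.append({"calldata"})
        elif op == 0x37:                             # CALLDATACOPY: user input lands in memory
            del stack[-3:]
            mem.add("calldata")
        elif op == 0x33:
            stack.append({"caller"})
        elif op == 0x54:
            stack.pop()
            stack.append({"storage"})
        elif op == 0x52:                             # MSTORE(offset, value): value taints memory
            stack.pop()
            mem |= stack.pop()
        elif op in (0x20, 0x51):                     # SHA3 / MLOAD read memory
            inputs = set().union(*[stack.pop() for _ in range(OPS[op][1])])
            stack.append(inputs | mem)
        elif op == CREATE2:                          # CREATE2(value, offset, size, salt), value on top
            _value, _offset, _size, salt = (stack.pop() for _ in range(4))
            found.append({"pc": pc, "salt": sorted(salt), "init_code": sorted(mem)})
            stack.append({"address"})
        elif op in OPS:                              # generic: result carries the union of its inputs
            name, pops, pushes = OPS[op]
            inputs = set().union(*[stack.pop() for _ in range(pops)])
            stack.extend([inputs] * pushes)
            if name in ("STOP", "RETURN"):
                break
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} at pc {pc}")
    return found


def classify(record) -> list:
    """Turn one CREATE2 record into the findings the methodology describes."""
    issues = []
    if "calldata" in record["salt"]:
        issues.append("salt is user-controlled")
    if "calldata" in record["init_code"]:
        issues.append("init code is user-controlled")
    return issues or ["salt and init code derived internally"]


# Constructed samples (hand-assembled for this illustration, not compiled from any real contract).
# deploy(bytes32 salt, bytes code)-style fragment: salt = calldataload(4), init code copied from calldata.
VULN = bytes.fromhex("600435" "602060446000" "37" "602060006000" "f5" "00")
# salt = keccak256(caller) staged in memory; the init code is a constant written by the factory itself.
SAFE = bytes.fromhex("33600052" "6020600020" "6060602052" "602060206000" "f5" "00")
# PUSH2 0xf5f5 POP STOP: two 0xf5 bytes, neither of them an opcode.
NAIVE_FP = bytes.fromhex("61f5f5" "50" "00")
```

The NAIVE_FP sample is why the identification step has to disassemble rather than grep: a byte search counts two CREATE2s where there are none. In the SAFE sample the init code origin comes back as both "caller" and "const" only because memory is one shared taint set here; a real engine tracks memory regions, which is also what the page's false-negative note about complex assembly derivations is about.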
Limitations
False positives: factory contracts that intentionally allow user-chosen salts (for vanity addresses, for example) but never pre-trust or pre-fund the resulting address are safe, yet may still be flagged because the salt does originate from calldata.
False negatives: CREATE2 calls inside assembly blocks with complex salt derivation may not be fully traced back to their origin, so a user-controlled salt that passes through several memory operations can be missed.
Related Detectors
- Access Control — detects missing authorization on critical functions
- Storage Collision — detects storage slot conflicts in proxy patterns