top of page

What is CREATE2 Address Collision?

  • 2 days ago
  • 5 min read

When deploying smart contracts on Ethereum, the CREATE2 opcode allows developers to predict contract addresses before deployment. However, this feature introduces the risk of CREATE2 address collision, where two different contracts might share the same address. Understanding this risk is crucial for secure contract deployment and avoiding unexpected overwrites.

This article explains what CREATE2 address collision is, how it occurs, and its implications for Ethereum developers. You will learn how CREATE2 calculates addresses, why collisions can happen, and best practices to prevent them.

What is the CREATE2 opcode in Ethereum?

CREATE2 is an Ethereum Virtual Machine opcode introduced in the Constantinople upgrade. It enables deploying contracts at deterministic addresses based on the deployer's address, a salt value, and the contract's initialization code hash.

This deterministic nature allows developers to know a contract's address before deployment, enabling advanced use cases like counterfactual contracts and meta-transactions.

  • Deterministic deployment: CREATE2 calculates the contract address using a hash of the deployer, salt, and init code, allowing pre-computation of the address before deployment.

  • Salt parameter: The salt is a user-defined 32-byte value that influences the resulting address, providing flexibility in address generation.

  • Init code hash: The hash of the contract's initialization bytecode ensures the address depends on the exact contract code being deployed.

  • Use cases: CREATE2 supports upgradeable proxies, counterfactual contracts, and gas-efficient contract deployment strategies.


Understanding CREATE2's mechanism is essential to grasp why address collisions can occur and how to avoid them.

How does CREATE2 calculate contract addresses?

CREATE2 computes the contract address using a specific formula that combines the deployer's address, a salt, and the hash of the contract's initialization code. This formula ensures the address is deterministic and unique to these inputs.

The formula is:

address = keccak256(0xff ++ deployer_address ++ salt ++ keccak256(init_code))[12:]

  • 0xff prefix: A constant byte to prevent collisions with other address derivation methods.

  • Deployer address: The Ethereum address deploying the contract, anchoring the address to the deployer.

  • Salt: A 32-byte user-chosen value that can vary to produce different addresses.

  • Init code hash: The keccak256 hash of the contract's initialization bytecode, tying the address to the contract's code.


This method ensures that changing any input changes the resulting address, but collisions can still occur if inputs are reused or manipulated.

What causes CREATE2 address collisions?

CREATE2 address collisions happen when two different contract deployments produce the same address. This can occur if the deployer uses the same salt and init code hash twice or if different inputs hash to the same address by chance.

Although the probability of random collisions is extremely low due to the cryptographic hash, practical collisions arise from poor salt management or reusing init code.

  • Salt reuse: Using the same salt value with the same deployer and init code results in the same address, causing collisions if redeployed.

  • Init code duplication: Deploying identical contracts with the same salt leads to the same address, risking overwriting existing contracts.

  • Intentional collisions: Malicious actors might craft inputs to collide with existing addresses, potentially hijacking contract logic.

  • Limited entropy: Poorly chosen salts with low randomness increase collision risks, especially in automated deployments.


Address collisions can cause contract overwrites, loss of funds, or unexpected behavior in decentralized applications.

Why is CREATE2 address collision a security risk?

Address collisions undermine the trust and security of smart contracts by allowing new contracts to replace or interfere with existing ones at the same address. This can lead to loss of funds, broken logic, or compromised user interactions.

Since many dApps rely on fixed contract addresses, collisions can disrupt their functionality and user trust.

  • Contract replacement: A new contract deployed at a collided address can override the original contract's logic, causing unexpected behavior.

  • Fund loss risk: Users sending tokens to a known contract address may lose funds if the contract logic changes due to collision.

  • Security exploits: Attackers can exploit collisions to impersonate contracts or intercept transactions.

  • Trust erosion: Collisions damage user confidence in contract immutability and blockchain reliability.


Understanding these risks helps developers implement safeguards to maintain contract integrity.

How can developers prevent CREATE2 address collisions?

Developers can minimize collision risks by carefully managing salts, contract code, and deployment strategies. Best practices include using unique salts, verifying address availability, and employing deployment frameworks.

These measures ensure that each contract address remains unique and secure.

  • Unique salts: Always use fresh, random salts for each deployment to avoid address reuse and collisions.

  • Code versioning: Change the contract's init code hash when updating contracts to generate new addresses.

  • Address checks: Verify that the target address is unused before deploying to prevent overwriting existing contracts.

  • Deployment tools: Use frameworks like Hardhat or Truffle that support CREATE2 and automate collision prevention.


Following these guidelines helps maintain security and predictability in contract deployments using CREATE2.

What are real-world examples of CREATE2 address collisions?

While rare, some projects have encountered CREATE2 address collisions due to salt reuse or deployment errors. These incidents highlight the importance of collision awareness.

Studying these examples provides valuable lessons for developers using CREATE2.

  • Counterfactual wallets: Some wallet implementations reused salts causing address collisions that prevented new wallet deployments.

  • Upgradeable proxies: Incorrect salt management led to proxy contracts overwriting previous versions at the same address.

  • Malicious attacks: Attackers exploited predictable salts to deploy malicious contracts at expected addresses.

  • Deployment failures: Projects experienced failed deployments due to collisions, requiring manual intervention and redeployment.


These cases emphasize the need for careful CREATE2 deployment planning and collision mitigation.

How does CREATE2 compare to CREATE regarding address collisions?

CREATE is the original Ethereum opcode for contract deployment, which generates addresses based on the deployer's nonce. CREATE2, by contrast, uses a deterministic formula involving salt and init code hash.

This difference affects collision risks and deployment predictability.

Feature

CREATE

CREATE2

Address calculation

Based on deployer's nonce (incremental)

Based on deployer, salt, and init code hash

Address predictability

Depends on nonce, less predictable

Deterministic, predictable before deployment

Collision risk

Low, nonce increments prevent reuse

Higher if salt or code reused improperly

Use cases

Standard deployments

Counterfactual contracts, upgradeability

While CREATE generally avoids collisions through nonce increments, CREATE2 requires careful input management to prevent address collisions.

Conclusion

CREATE2 address collision occurs when two different contracts deploy to the same Ethereum address due to reused salts or identical init code hashes. This risk can lead to contract overwrites, security vulnerabilities, and loss of user trust.

Understanding CREATE2's deterministic address calculation helps developers prevent collisions by using unique salts, verifying addresses, and managing contract code versions. Careful deployment practices ensure secure and predictable contract addresses, maintaining the integrity of Ethereum dApps.

FAQs

What is the main difference between CREATE and CREATE2?

CREATE uses the deployer's nonce to generate contract addresses, making them sequential and less predictable. CREATE2 uses a salt and init code hash for deterministic, precomputable addresses.

Can two different contracts have the same CREATE2 address?

Yes, if they use the same deployer address, salt, and init code hash, they will have the same CREATE2 address, causing a collision.

How can I check if a CREATE2 address is already used?

You can query the Ethereum blockchain for code at the computed address; if code exists, the address is already in use.

Is CREATE2 address collision common in practice?

Collisions are rare but can happen due to poor salt management or code reuse, so developers must take precautions.

Does CREATE2 improve contract deployment security?

CREATE2 improves predictability but requires careful input handling to avoid collisions, which can pose security risks if neglected.

Recent Posts

See All
What is a False Negative Test?

Learn what a false negative test means, why it happens, and how it impacts medical and diagnostic testing accuracy.

 
 
 
What is Map Iteration Bug?

Learn what the Map Iteration Bug is, why it happens, and how to avoid it in blockchain smart contracts and programming.

 
 
 

Comments

bottom of page