Conflux (CFX) Network Addresses Security Vulnerability in Latest Upgrade

The Conflux (CFX) Network has successfully executed a critical security upgrade, version 2.5, on March 17, 2025, following the discovery of a vulnerability in its Ethereum Virtual Machine (EVM). This vulnerability was initially identified by the GraFun team, according to Conflux Forum.

Background of the Incident

The vulnerability, reported on February 13, 2025, involved the CREATE2 opcode, which permitted the redeployment of contracts at existing addresses, potentially resetting their state. This flaw deviated from the standard Ethereum EVM behavior, where such redeployment is prohibited.

Security Impact Assessment

A comprehensive security impact assessment revealed that most factory contracts, like Swappi factories, were unaffected due to additional address conflict checks. However, Gnosis Safe contracts lacked these checks, posing a risk of state reset and enabling replay attacks on previously signed transactions.

The security assessment involved examining approximately 30 Gnosis Safe contracts, revealing that while most funds were secure, a minority might be at risk.

Security Response Process

Conflux acted swiftly to mitigate the threat by notifying ecosystem partners and facilitating the transfer of at-risk assets. The security upgrade process involved several phases:

• Vulnerability Fix and Integration Testing: Completed by February 21.
• Internal Testnet Upgrade: Conducted on February 24.
• Public Testnet Upgrade: Announced February 25, effective March 3.
• Mainnet Upgrade Deployment: Announced March 3, effective March 17.

Postmortem Analysis

The vulnerability stemmed from the Conflux EVM’s original code ported from OpenEthereum, which contained misleading comments and lacked clear error definitions. These factors led to a misunderstanding of Ethereum’s CREATE2 behavior, resulting in the omission of critical checks in Conflux’s implementation.

Bug Bounty Reward

Recognizing the severity of the vulnerability, Conflux awarded the GraFun team a total bounty of 60,000 CFX, acknowledging their timely report and the prevention of potential losses.

Follow-Up Actions and Security Enhancements

Looking ahead, Conflux plans to synchronize with Ethereum EVM features and integrate official test cases to prevent similar vulnerabilities. This move aims to enhance Conflux’s security and compatibility with Ethereum’s ecosystem.

The Conflux team remains dedicated to transparency and rapid response, ensuring the security of its ecosystem and the protection of user interests.