The Hidden Risks Within Ethereum’s CREATE2 Function: A Guide to Navigating Blockchain Security

By Oded Vanunu, Dikla Barda, Roman Zaikin

The digital age has ushered in a wave of technological innovations, with blockchain technology standing at the forefront of this digital revolution. Ethereum, a key player in this space, has been pivotal in driving forward the adoption and development of blockchain technologies. However, with great innovation comes new vulnerabilities. Today, we’re delving into a less talked about yet critical issue in the blockchain community: the security risks associated with Ethereum’s CREATE2 function.

Highlights

• Unlocking New Possibilities, Inviting New Risks: Ethereum’s CREATE2 function, hailed for its technological advancement, is now being exploited by cyber criminals to compromise digital wallet security and facilitate unauthorized access to funds.
• A New Method of Attack: Attackers deceive users into approving transactions for smart contracts that are yet to be deployed. This loophole allows them to deploy malicious contracts subsequently and steal cryptocurrencies.
• Strengthening Our Defenses: This situation highlights the urgent need for wallet security enhancements to protect against the evolving strategies of cyber criminals and safeguard digital assets.

Understanding CREATE2

Introduced as part of Ethereum’s Constantinople upgrade, the CREATE2 function revolutionized the way smart contracts are deployed, enabling the creation of contracts with deterministic addresses even before the actual contract code is written. This feature significantly improves the predictability and efficiency of smart contract interactions, especially within the intricate ecosystems of decentralized applications (dApps). It facilitates the planning of interactions between multiple contracts, crucial for dApps’ seamless functionality.

The Security Dilemma

While CREATE2 showcases Ethereum’s cutting-edge capabilities, it also introduces a significant security loophole. Cybercriminals have exploited this feature to sidestep traditional security measures, crafting a novel method to victimize unsuspecting users. The vulnerability stems from CREATE2’s ability to deploy a smart contract at a predetermined address in the future, thereby enabling attackers to trick users into authorizing transactions with a nonexistent contract. Once the approval is given, the attacker can then deploy a malicious contract to that address, compromising the user’s cryptocurrency wallet.

The Attack Mechanism

1. The cyber criminal convinces the user to approve or increase the allowance for a contract that has not yet been deployed.
2. Since the contract does not exist at the time of approval, it evades detection by security solutions, which typically screen for threats based on existing contracts.
3. With the user’s authorization, the attacker deploys the malicious contract, accessing and exploiting the user’s funds.

This method not only demonstrates the innovative misuse of Ethereum’s features by malicious entities but also underscores a significant challenge for security products. Most security measures are designed to assess and validate transactions based on existing contracts and known behaviors. However, CREATE2’s allowance for future contract interactions bypasses these traditional security frameworks, leaving digital assets vulnerable.

Technical Overview of CREATE2

CREATE and CREATE2 are Ethereum opcodes that enable smart contract deployment, differing primarily in how the new contract’s address is determined. CREATE determines the contract’s address based on the creator’s address and a nonce. In contrast, CREATE2 offers a more flexible approach, calculating the contract’s address using a user-specified salt, the creator’s address, and the contract’s initialization code. This method involves a complex calculation that includes a constant prefix, the sender’s address, a chosen salt, and the contract’s initialization code, paving the way for deterministic address computation.

Securing the Digital Frontier

The exploitation of the CREATE2 function underscores the continuous battle between innovation and security in the blockchain sphere. As Ethereum evolves, so must the security mechanisms designed to protect its users from sophisticated attacks. Awareness and education are crucial first steps in defending digital assets against emerging threats. Blockchain developers and users must remain vigilant, continually updating their security practices to stay ahead of potential risks. Check Point’s Threat Intel Blockchain system plays a vital role in this the crypto space securely.

For a deeper dive into this check out our CP<R> Blog.