Crypto Training
Metamorphic Contracts Across Chains: CREATE2 Trust Breaks in Practice
Address-based trust assumptions fail when runtime code can change behind the same address on chains with divergent SELFDESTRUCT semantics.
Crypto Training•2026-01-07•2 min read
Many protocols still treat contract address as identity.
That assumption is fragile when deployment and destruction semantics differ across chains.
Why cross-chain makes this worse#
Not all EVM chains adopted the same fork behavior at the same time.
If your protocol spans multiple chains, you cannot assume uniform SELFDESTRUCT risk.
| Assumption | Unsafe outcome |
|---|---|
| “Mainnet changed semantics, so we’re safe everywhere” | L2 or alt-EVM may still permit old patterns |
| “Address allowlist is enough” | same address can host changed code path |
| “Explorer code tab reflects full trust” | upgrade/redeploy windows can desync checks |
Identity model upgrade: address + codehash + policy#
function _assertTrusted(address target, bytes32 expectedCodehash) internal view {
require(target.code.length > 0, "no-code");
bytes32 got = keccak256(target.code);
require(got == expectedCodehash, "codehash-mismatch");
}
For long-lived integrations, use rotating policy with timelocked updates to expected hashes.
Monitoring architecture#
CREATE2 and constructor-state dependency#
Even without selfdestruct, contracts that use external state in constructor can produce semantically unexpected runtime at deterministic addresses.
That means deterministic address alone is not sufficient evidence of expected behavior.
Audit checklist#
- Is any critical authorization based on address-only trust?
- Are codehash checks present and enforced on every critical call path?
- Are cross-chain deployment semantics explicitly documented per chain?
- Is there a controlled rotation mechanism for trusted code identities?