CREATE2 discovery: verifying a pool is who it claims to be

BlazePhoenix Engineering · updated 2026-07-17 · 5 min · written from the deployed bytecode

Abstract in 15 languages · resumo · resumen · 摘要 · 要旨 · ملخص

EnglishCREATE2 makes a legitimate pool's address computable before it exists: the Hub derives where the canonical pool MUST live and compares — impersonation becomes an address mismatch, not an exploit.

PortuguêsO CREATE2 torna o endereço de um pool legítimo computável antes de ele existir: o Hub deriva onde o pool canónico TEM de viver e compara — a personificação vira uma divergência de endereço, não um exploit.

EspañolCREATE2 hace computable la dirección de un pool legítimo antes de que exista: el Hub deriva dónde DEBE vivir el pool canónico y compara — la suplantación se vuelve una discrepancia de dirección, no un exploit.

FrançaisCREATE2 rend l'adresse d'un pool légitime calculable avant même son existence : le Hub dérive où le pool canonique DOIT résider et compare — l'usurpation devient un écart d'adresse, pas un exploit.

DeutschCREATE2 macht die Adresse eines legitimen Pools berechenbar, bevor er existiert: Der Hub leitet ab, wo der kanonische Pool liegen MUSS, und vergleicht — Identitätsbetrug wird zur Adressabweichung statt zum Exploit.

РусскийCREATE2 делает адрес легитимного пула вычислимым до его существования: Хаб выводит, где ОБЯЗАН находиться канонический пул, и сравнивает — подмена превращается в несовпадение адреса, а не в эксплойт.

TürkçeCREATE2, meşru bir havuzun adresini var olmadan önce hesaplanabilir kılar: Hub, kanonik havuzun YAŞAMAK ZORUNDA olduğu yeri türetir ve karşılaştırır — taklit, bir istismara değil adres uyuşmazlığına dönüşür.

العربيةيجعل CREATE2 عنوان المجمّع الشرعي قابلاً للحساب قبل وجوده: يشتق الـHub أين يجب أن يقيم المجمّع القانوني ويقارن — فيصبح الانتحال تعارضَ عناوين لا ثغرة.

हिन्दीCREATE2 वैध पूल का पता उसके अस्तित्व से पहले ही गणनीय बना देता है: Hub निकालता है कि कैनोनिकल पूल कहाँ होना ही चाहिए और तुलना करता है — नकल एक एड्रेस बेमेल बन जाती है, एक्सप्लॉइट नहीं।

日本語CREATE2は正当なプールのアドレスを、存在する前から計算可能にします。Hubは正規プールが必ず存在すべき場所を導出して照合します。なりすましはエクスプロイトではなくアドレス不一致になります。

中文CREATE2 让合法池的地址在其存在之前即可计算:Hub 推导出规范池必须所在的位置并进行比对——冒充变成了地址不匹配,而非漏洞利用。

한국어CREATE2는 정당한 풀의 주소를 존재하기 전부터 계산 가능하게 만듭니다. Hub는 정본 풀이 반드시 있어야 할 곳을 도출해 비교합니다. 사칭은 익스플로잇이 아니라 주소 불일치가 됩니다.

Bahasa IndonesiaCREATE2 membuat alamat pool yang sah dapat dihitung sebelum pool itu ada: Hub menurunkan di mana pool kanonis HARUS berada lalu membandingkan — penyamaran menjadi ketidakcocokan alamat, bukan eksploit.

বাংলাCREATE2 বৈধ পুলের ঠিকানা তার অস্তিত্বের আগেই গণনাযোগ্য করে: Hub নির্ণয় করে ক্যানোনিকাল পুল কোথায় থাকতেই হবে এবং তুলনা করে — ছদ্মবেশ একটি ঠিকানা-অমিল হয়ে যায়, এক্সপ্লয়েট নয়।

FilipinoGinagawa ng CREATE2 na makakalkula ang address ng lehitimong pool bago pa ito umiral: dinederive ng Hub kung saan DAPAT nakatira ang canonical pool at ikinukumpara — ang panggagaya ay nagiging address mismatch, hindi exploit.

Most protocols "discover" pools by being told about them: a registry entry, a config file, an event log. The problem is identity — a contract can implement a pool's interface, answer its view functions convincingly, and be something else entirely underneath. Interface compliance is a costume; anyone can wear it.

CREATE2 (EIP-1014) changes the question. Factories that deploy with CREATE2 produce addresses that are a pure function of factory address, init-code hash and salt (typically the token pair and fee tier). That means the address of a legitimate pool is COMPUTABLE before it even exists: keccak256(0xff ++ factory ++ salt ++ initCodeHash). Nobody can deploy a different contract at that address, and no impostor can occupy it.

Discovery as derivation, not directory

The Hub's discoverFor path exploits this: instead of asking "is this address in our list?", it derives where the canonical pool for a pair MUST live for each known factory and compares. A candidate claiming to be the WETH/USDC pool of a given factory either sits at the derived address or it is lying — the check is arithmetic, free of trust, and works for pools that were deployed after the Hub itself.

The deployed derivation covers eight resolution modes: four factory-staticcall families (getPair, getPool by fee, by stable flag, by tickSpacing) and four CREATE2 salt polynomials — keccak(t0,t1) packed for V2, abi.encode(t0,t1,fee) for V3, packed (t0,t1,stable) for Solidly clones, abi.encode(t0,t1,tickSpacing) for CL forks. Algebra-family DEXes (dynamic fees) are detected by a zero-fee sentinel: their salt omits the fee entirely and the CREATE2 origin is resolved via the factory's poolDeployer(), falling back to the factory itself. Every derivation then passes a hasCode guard — an address with no bytecode is discarded, so a wrong configuration fails silent-safe instead of routing into the void.

Combined with the fitness contest (see the Hub article), this closes both identity and quality: CREATE2 derivation proves a pool is genuine; capital-anchored fitness proves it is worth routing through. An attacker must fake an address that cannot be faked, or out-capitalize the market — both are the expensive kind of impossible.

Do not trust this page — reproduce it

Every claim above is checkable against the chain. Start here:

derive it yourself: cast compute-address --deployer <factory> --salt <keccak(token0,token1,fee)> --init-code-hash <hash> and compare with the pool address the Hub routes to

Contracts are verified on every chain we deploy to — addresses in the protocol manifest. Deeper formal treatment: the whitepaper (PDF). Standards cited: EIP-1014

Related engineering