defirisk.co
rubric v1.7.0

CREATE2 factory permits same-address redeploy

Liquity V1 + V2 (LUSD / BOLD)'s assessment for RD-F-144 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

v2 UserProxyFactory uses CREATE2 for per-user proxy deployment (UserProxy per user). These are user-level contracts, not protocol-level contracts. Core protocol contracts (BorrowerOperations, TroveManager, StabilityPool etc.) are deployed directly, not via CREATE2 factory. No risk of protocol-level CREATE2 redeploy attack on core contracts.

Sources #

  • GitHub
    Liquity V2-gov GitHub RepositoryV2-gov GitHub: UserProxyFactory deploys per-user proxies via CREATE2; core protocol contracts deployed directly from deployer EOAretrieved 2026-05-16

Methodology #

Determine whether a CREATE2 factory deployment allows redeployment to the same address with different bytecode (via selfdestruct + redeploy pattern).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol liquity factor RD-F-144 score green collected_at 2026-05-16 10:35:50