defirisk.co
rubric v1.7.0

Public initialize() without initializer modifier

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology: how we score

**What this measures** This factor assesses whether any implementation contract in the protocol's proxy architecture exposes an initialize() function (or equivalent setup function) without OpenZeppelin's initializer modifier or an equivalent one-time-call guard. The static analyzer checks deployed bytecode for the presence of a function selector matching initialize(...) on implementation contracts (not proxies) and verifies whether the modifier's revert-if-already-initialized guard is present.

**Why it matters** An unguarded initialize() on an implementation contract allows any caller to invoke it directly, resetting ownership or critical parameters to attacker-controlled values in a single transaction. This is a known one-transaction exploit class: because the implementation's storage is separate from the proxy's storage, the attack does not affect proxy state -- but it can redirect upgrade authority or allow the attacker to call selfdestruct on the implementation, bricking all proxies pointing to it. Unstructured storage patterns in upgradeable contracts hinder static analysis; initialization guards require manual curator review. The Parity wallet freeze ($150M locked permanently) is the canonical example of an unguarded initWallet() on a library contract called by any user.

**Green / Yellow / Red** Green: all implementation contracts either call _disableInitializers() in the constructor (the OpenZeppelin-recommended pattern) or carry the initializer modifier on any initialize-type function, confirmed by static analysis of deployed bytecode. Yellow: the initializer modifier is present but the constructor does not call _disableInitializers(), leaving a narrow race condition window at deploy time. Red: an implementation contract exposes a public initialize() or similar function with no one-time-call guard, allowing any address to claim ownership or reset protocol parameters.
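The three grades above, shown as an added example (not code from the rubric or from any scored protocol): one hypothetical `Vault` implementation written the Red, Yellow and Green way, using the OpenZeppelin `Initializable` / `OwnableUpgradeable` contracts the factor refers to.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// RED: no one-time-call guard at all. Any address can call initialize()
// on the implementation (or on a not-yet-initialized proxy) and become
// owner in a single transaction; a second call simply overwrites it.
contract VaultImplRed {
    address public owner;

    function initialize(address _owner) public {
        owner = _owner;
    }
}

// YELLOW: the initializer modifier makes a second call revert, so the
// proxy's state can only be set once. But the implementation contract's
// own storage is left initializable, so whoever calls initialize() on the
// logic contract first claims it; that is the deploy-time window the
// rubric grades Yellow.
contract VaultImplYellow is Initializable, OwnableUpgradeable {
    function initialize(address _owner) public initializer {
        __Ownable_init(_owner);
    }
}

// GREEN: initializer modifier on the setup function AND
// _disableInitializers() in the constructor. The constructor runs only in
// the implementation's own context, so it locks the implementation's
// storage for good while proxies (which never run it) can still be
// initialized exactly once through the guarded function.
contract VaultImplGreen is Initializable, OwnableUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address _owner) public initializer {
        __Ownable_init(_owner);
    }
}
```

The curator check corresponds to two questions on each implementation contract: does every initialize-type function carry `initializer` (or an equivalent lock), and does the constructor call `_disableInitializers()`.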

**Common gray cases** Curators legitimately cannot grade this factor when the protocol's source code is not verified on any explorer, making static analysis of the initialization path impossible.

Critical factor. This factor is critical under rubric v1.7.0: a single Red assessment is sufficient to trigger a D or F grade regardless of all other category scores, because an unguarded initialize() represents a one-transaction total-compromise vector on the protocol's upgrade authority.

Measurement: what to look for

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.

Data & output

Data source: Slither `uninitialized-local` + `missing-zero-check` + `unprotected-upgrade` detectors + source search for `initialize` function signature

Output format: Green / Yellow / Red · critical gate active

Evidence artifact: Slither output JSON + function signature + modifier list

Confidence signal: green = all `initialize` functions protected by `initializer` or equivalent; red = any unprotected `initialize` on a live implementation; gray = source unverified

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-022 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | green |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | green |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | not_applicable |
| Raydium | solana | green |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | green |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | yellow |

Linked hacks (1 historical incident)

Illustrative: Balancer V2 (Composable Stable Pools) · 2025-11-03 · $128M · `_upscale()` rounding-down compounded across 65+ micro-swaps · Cat 9 hygiene pattern: audited but not stress-tested under batch composition; live 4+ years before vector discovered
rubric_version: v1.7.0 · factor: RD-F-022 · category: 1 · carried: 80 · critical: yes