★ Reinitializable implementation (no _disableInitializers)

Axelar Network's assessment for RD-F-143 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

AxelarGateway implementation (0x99B5FA03...) does NOT call _disableInitializers() in constructor. Uses setup() with onlyProxy modifier instead — setup() reverts if called directly on the implementation (not via proxy). This is a non-OZ pattern providing a different mitigation: direct setup() calls on implementation revert via onlyProxy. ITS Upgradable base (axelar-gmp-sdk-solidity/Upgradable.sol) also confirmed to have no _disableInitializers(). Attack vector requires bypassing onlyProxy, which is harder than the unguarded OZ initialize() class.

Sources #

GitHub
AxelarGateway.sol — GitHubAxelarGateway.sol: constructor does not call _disableInitializers(); setup() uses onlyProxy modifierretrieved 2026-05-17
GitHub
Upgradable.sol — axelar-gmp-sdk-solidityUpgradable.sol (ITS base): no _disableInitializers() call confirmed; upgrade() is onlyOwnerretrieved 2026-05-17

Methodology #

Determine whether the implementation contract does not call `_disableInitializers()` in its constructor, leaving re-initialization possible.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol axelar factor RD-F-143 score yellow collected_at 2026-05-16 21:57:49