★ Reinitializable implementation (no _disableInitializers)

Beefy Finance's assessment for RD-F-143 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

CRITICAL: BeefyVaultV7 uses OZ upgradeable initialize() with initializer modifier but NO _disableInitializers() call in any constructor. Confirmed by raw source inspection of BeefyVaultV7.sol and BaseAllToNativeFactoryStrat.sol — neither contract calls _disableInitializers(). Implementation contracts used as templates by BeefyVaultV7Factory are therefore re-initializable. An attacker who calls initialize() on the implementation address directly can claim ownership. While EIP-1167 clones have independent storage from the implementation, the implementation contract itself can be taken over if not locked.

Sources #

GitHub
BeefyVaultV7.sol — missing _disableInitializers()BeefyVaultV7.sol: function initialize(...) public initializer — no _disableInitializers() found anywhere in contractretrieved 2026-05-16
GitHub
BaseAllToNativeFactoryStrat.sol — missing _disableInitializers()BaseAllToNativeFactoryStrat.sol: uses __BaseStrategy_init() pattern; no _disableInitializers() in constructorretrieved 2026-05-16

Methodology #

Determine whether the implementation contract does not call `_disableInitializers()` in its constructor, leaving re-initialization possible.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol beefy factor RD-F-143 score red collected_at 2026-05-16 13:10:30