Constructor calls _disableInitializers()
BENQI's assessment for RD-F-023 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
StakedAvax.sol constructor: 'constructor() initializer public {}' — it uses the initializer modifier on the constructor but does NOT call _disableInitializers(). This is the pattern of the Solidity 0.6.12 era and of older OpenZeppelin releases; _disableInitializers() was introduced in OZ 4.x and is the standard for modern proxied implementations. An attacker could potentially call initialize() directly on the implementation contract (not via the proxy) if the initializer guard does not track the implementation's state separately from the proxy's state. The risk is partially mitigated by the initializer modifier, which records the initialized flag in the implementation's own storage when the constructor runs. For the Compound V2 lending contracts (not OZ-proxy), this factor does not apply. Yellow: absent in a proxied implementation contract where the pattern is expected.
Sources
- GitHub: StakedAvax.sol — constructor analysis. StakedAvax.sol constructor — 'constructor() initializer public {}' without _disableInitializers(). Retrieved 2026-05-16.
Methodology
Determine whether implementation contract constructors call `_disableInitializers()` to prevent re-initialization of the implementation directly.
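One way to verify this factor, as an added Foundry test that is not BENQI's or StakedAvax's code: a hypothetical implementation using the modern _disableInitializers() pattern, with tests asserting that initialize() reverts on the bare implementation but succeeds exactly once through an ERC1967 proxy. The contract name, the initialize() signature and the toolchain (Foundry with forge-std, OpenZeppelin 4.6+) are assumptions, not details from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed toolchain (not from the page): Foundry with forge-std and OpenZeppelin 4.6+ installed.
import "forge-std/Test.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

/// Hypothetical stand-in for a proxied implementation such as StakedAvax.sol.
/// The legacy form flagged above would read `constructor() initializer {}`;
/// the modern form below locks the implementation's own storage instead.
contract VaultImpl is Initializable {
    address public admin;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Marks the implementation as fully initialized in its own storage, so
        // initialize() can never run on the bare implementation, only through a proxy.
        _disableInitializers();
    }

    function initialize(address admin_) external initializer {
        admin = admin_;
    }
}

contract InitializerLockTest is Test {
    VaultImpl impl;

    function setUp() public {
        impl = new VaultImpl();
    }

    /// A direct call on the implementation must revert: nobody can claim it.
    function test_ImplementationCannotBeInitializedDirectly() public {
        vm.expectRevert(); // OZ 4.x: "Initializable: contract is already initialized"; OZ 5.x: InvalidInitialization()
        impl.initialize(address(this));
    }

    /// The proxy has separate storage, so initialization through it works exactly once.
    function test_ProxyInitializesExactlyOnce() public {
        bytes memory initData = abi.encodeCall(VaultImpl.initialize, (address(this)));
        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), initData);
        VaultImpl viaProxy = VaultImpl(address(proxy));
        assertEq(viaProxy.admin(), address(this));
        vm.expectRevert(); // a second initialize() through the proxy also reverts
        viaProxy.initialize(address(0xBEEF));
    }
}
```

Run with `forge test`; swapping the constructor body for the legacy `constructor() initializer {}` form keeps the first test passing on OZ 3.x/4.x semantics as well, which is why the page rates the omission yellow rather than red.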