★ Reinitializable implementation (no _disableInitializers)
BENQI's assessment for RD-F-143 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Ignite staking contract (Cyfrin 2025-01 audit scope — zeeve/contracts/staking.sol) calls _disableInitializers() in its constructor — green for this component. QiErc20Delegate (Compound V2 lending implementation): uses becomeImplementation() pattern not OZ initializer — _disableInitializers() applicability differs but reinit risk from direct implementation call exists in principle. StakedAvax deployed ~2022 predates OZ 4.x _disableInitializers() standard; Certora formal verification (April 2022) confirmed core logic but constructor protection not confirmed. Scored yellow: newer module protected; core older components uncertain.
Sources #
- AuditCertora Formal Verification — BENQI StakedAvaxCertora formal verification of StakedAvax (April 2022) — confirms core logic correctness but predates _disableInitializers() standardretrieved 2026-05-16
- staking.sol — Cyfrin/2025-01-benqi GitHubCyfrin 2025-01 BENQI audit: staking.sol includes _disableInitializers() in constructorretrieved 2026-05-16
Methodology #
Determine whether the implementation contract does not call `_disableInitializers()` in its constructor, leaving re-initialization possible.
See the full factor methodology and distribution across all protocols →