★ Reinitializable implementation (no _disableInitializers)
Chainlink CCIP's assessment for RD-F-143 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Core CCIP contracts (OnRamp, OffRamp, FeeQuoter, ARM) are initialized only in their constructors and do not use the OpenZeppelin (OZ) Initializable proxy pattern. None of these contracts has an `initialize()` function. The Router is immutable. There is therefore no reinitializer attack surface, and this class of vulnerability does not apply to CCIP's non-proxy architecture.
Sources
- GitHub: OnRamp.sol — Code4rena 2024-11-chainlink. OnRamp.sol — constructor at lines 174-186, no initialize(), no _disableInitializers(), no upgradeable proxy pattern. Retrieved 2026-05-16.
- ARM Implementation — Etherscan. ARM implementation 0x8B63b3... — confirmed: constructor-only initialization, no initialize(), standalone contract. Retrieved 2026-05-16.
- OffRamp.sol — Code4rena 2024-11-chainlink. OffRamp.sol — constructor-based initialization confirmed; no proxy/upgradeable patterns detected. Retrieved 2026-05-16.
Methodology
Determine whether the implementation contract omits the `_disableInitializers()` call in its constructor, leaving re-initialization possible.
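One way to automate the check described in the methodology, as an added example (not the rubric's or Chainlink's own tooling): a regex-based heuristic over a single-contract Solidity source. The Solidity samples are constructed, and the function names and the `protected` and `reinitializable` labels are assumptions of this example; only `not_applicable` appears on the page.

```python
import re

# Constructed Solidity samples (not CCIP source), one per outcome.
CONSTRUCTOR_ONLY = """contract Ramp {
    address immutable router;
    constructor(address r) { router = r; }
}"""
UNPROTECTED_IMPL = """contract Vault is Initializable {
    function initialize(address o) external initializer { owner = o; }
}"""
PROTECTED_IMPL = """contract Vault is Initializable {
    constructor() { _disableInitializers(); }
    function initialize(address o) external initializer { owner = o; }
}"""

# A function named initialize*, or any function carrying OZ's
# initializer / reinitializer(n) modifier.
INIT_FN = re.compile(
    r"\bfunction\s+initialize\w*\s*\("
    r"|\bfunction\s+\w+\s*\([^)]*\)[^{;]*\b(?:initializer\b|reinitializer\s*\()"
)

def strip_comments(src):
    """Drop /* */ and // comments so commented-out calls are not counted."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def constructor_body(src):
    """Return the brace-balanced body of the first constructor, or ''."""
    m = re.search(r"\bconstructor\s*\(", src)
    start = src.find("{", m.end()) if m else -1
    if start < 0:
        return ""
    depth = 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i + 1]
    return src[start:]

def classify(src):
    """Heuristic verdict for a single-contract source file."""
    src = strip_comments(src)
    if not INIT_FN.search(src):
        return "not_applicable"      # constructor-only, as in the CCIP evidence
    if re.search(r"\b_disableInitializers\s*\(", constructor_body(src)):
        return "protected"           # label assumed for this example
    return "reinitializable"         # label assumed for this example
```

A regex pass like this is a triage aid: inherited initializers and multi-contract files need a real Solidity parser or manual review.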
- rubric_version: v1.7.0
- protocol: chainlink-ccip
- factor: RD-F-143
- score: not_applicable
- collected_at: 2026-05-16 01:55:09