Constructor calls _disableInitializers()
Hyperlane's assessment for RD-F-023 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Mailbox constructor does NOT call _disableInitializers(): `constructor(uint32 _localDomain) { localDomain = _localDomain; }` — confirmed from GitHub source AND Etherscan verified source (0x7b4D..., solc 0.8.19). HypERC20Collateral and HypNative constructors also lack this call. Only HypERC4626 was found to call _disableInitializers(). This is a class-wide gap: the implementation contracts (behind proxies holding $132.67M TVS) can be initialized directly by an attacker, potentially granting ownership over the implementation and enabling storage manipulation attacks on the proxy. Score: red.
Sources
- GitHub: Mailbox.sol — constructor missing `_disableInitializers()`. Mailbox.sol constructor: `constructor(uint32 _localDomain) { localDomain = _localDomain; }` — no `_disableInitializers()`. Retrieved 2026-05-17.
- Ethereum Mailbox v3 Implementation — Etherscan verified source. Ethereum Mailbox implementation 0x7b4D881c122a5e61adCFfb56A2e3CE9927D53455 — verified source confirms the constructor lacks `_disableInitializers()`. Retrieved 2026-05-17.
Methodology
Determine whether implementation contract constructors call `_disableInitializers()` to prevent re-initialization of the implementation directly.
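To make the check concrete, the following is an added illustration (not Hyperlane code) of the constructor shape this factor flags next to its hardened form, plus a Foundry regression test that fails if `_disableInitializers()` is ever dropped. It assumes OpenZeppelin's `Initializable` from contracts-upgradeable and forge-std; the contract names and the `owner` field are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not Hyperlane code. Assumes OpenZeppelin's Initializable
// (contracts-upgradeable) and forge-std for the regression test.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {Test} from "forge-std/Test.sol";

// Shape flagged by RD-F-023: the constructor only sets an immutable, so the
// implementation's own storage stays at initializer version 0 and initialize()
// can still be called on the implementation address itself.
contract ImplUnprotected is Initializable {
    uint32 public immutable localDomain;
    address public owner;
    constructor(uint32 _localDomain) {
        localDomain = _localDomain;
    }

    function initialize(address _owner) external initializer {
        owner = _owner;
    }
}

// Hardened shape: _disableInitializers() sets the implementation's own
// initializer version to its maximum, so initialize() reverts there while
// proxies, which keep their own storage, remain unaffected.
contract ImplProtected is Initializable {
    uint32 public immutable localDomain;
    address public owner;
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor(uint32 _localDomain) {
        localDomain = _localDomain;
        _disableInitializers();
    }

    function initialize(address _owner) external initializer {
        owner = _owner;
    }
}

// Regression check for the factor: direct initialization of the
// implementation must revert once _disableInitializers() is in place.
contract DisableInitializersTest is Test {
    function test_protectedImplRejectsDirectInit() public {
        ImplProtected impl = new ImplProtected(1);
        vm.expectRevert(); // any revert reason: OZ v4 and v5 use different messages
        impl.initialize(address(0xBEEF));
    }
}
```

Running the same test against `ImplUnprotected` would not revert, which is exactly the evidence condition this factor scores on.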