defirisk.co
rubric v1.7.0

Reinitializable implementation (no _disableInitializers)

JustLend DAO's assessment for RD-F-143 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

CToken.sol's initialize() carries a manual guard, `require(accrualBlockNumber == 0 && borrowIndex == 0)`, which is the TVM-substrate equivalent of re-initialization protection (OpenZeppelin's `_disableInitializers()` is EVM-specific and not applicable here). Analysis of CErc20.sol indicates that its initialize() may reset critical parameters if the guarding state variables can be zeroed. The state-variable guard is therefore a partial mitigation, not the OpenZeppelin constructor-pattern lock. Yellow: the TVM substrate makes the OZ test structurally inapplicable; the CToken guard provides partial protection; the code-security-analyst must verify the CErc20 path with full TVM bytecode analysis.

Sources

  • GitHub: JustLend CToken.sol — initialize() manual guard
    CToken.sol: function initialize() — require(accrualBlockNumber == 0 && borrowIndex == 0, 'market may only be initialized once') — manual re-init guard using state variables.
    Retrieved 2026-05-17.
  • GitHub: JustLend CErc20.sol — initialize() reinit risk
    CErc20.sol: initialize() function analysis shows it 'can be called multiple times to reset critical parameters like the underlying asset and exchange rate without access controls or initialization guards.'
    Retrieved 2026-05-17.

Methodology

Determine whether the implementation contract does not call `_disableInitializers()` in its constructor, leaving re-initialization possible.
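The two guard styles contrasted in the evidence summary and in this methodology, as an added illustration that is not JustLend's code and not the OpenZeppelin library itself. `ManualGuardMarket` reproduces the shape of the state-variable guard described for CToken.sol (only the require string and the two variable names come from the page; the rest of the body is a simplified stand-in). `LockedMarket` shows the constructor lock the rubric checks for, built on `MinimalInitializable`, a deliberately small stand-in for OpenZeppelin's `Initializable` (assumption: the real library is not vendored here, so its guard is re-created in a few lines with the same behaviour).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal stand-in for OpenZeppelin's Initializable (assumption, see lead-in).
/// It reproduces only the parts that matter for the RD-F-143 check.
abstract contract MinimalInitializable {
    // 0 = never initialized, 1 = initialized once, max = permanently locked
    uint64 private _initialized;
    bool private _initializing;

    error AlreadyInitialized();

    /// One-shot guard: the body runs only while _initialized is still 0.
    modifier initializer() {
        if (_initialized != 0) revert AlreadyInitialized();
        _initialized = 1;
        _initializing = true;
        _;
        _initializing = false;
    }

    /// Called from the implementation's constructor so that initialize()
    /// can never be run on the implementation contract itself. Proxies are
    /// unaffected because they have their own storage.
    function _disableInitializers() internal {
        if (_initializing) revert AlreadyInitialized();
        _initialized = type(uint64).max;
    }
}

/// Pattern A: manual state-variable guard (CToken.sol style per the page).
/// The guard holds only as long as no code path can drive BOTH
/// accrualBlockNumber and borrowIndex back to zero; that is the residual
/// risk the evidence summary flags for CErc20.sol.
contract ManualGuardMarket {
    uint256 public accrualBlockNumber;
    uint256 public borrowIndex;
    address public underlying;

    function initialize(address underlying_) external {
        require(
            accrualBlockNumber == 0 && borrowIndex == 0,
            "market may only be initialized once"
        );
        // Both guard variables are set to non-zero values here, so the
        // require above fails on any second call. A fixed 1e18 mantissa is
        // used so the guard cannot be left open by a zero argument.
        accrualBlockNumber = block.number;
        borrowIndex = 1e18;
        underlying = underlying_;
    }
}

/// Pattern B: constructor lock, the property the rubric factor tests for.
/// The implementation locks itself at deployment; each proxy runs
/// initialize() exactly once in its own storage.
contract LockedMarket is MinimalInitializable {
    address public underlying;
    uint256 public borrowIndex;

    constructor() {
        _disableInitializers();
    }

    function initialize(address underlying_) external initializer {
        underlying = underlying_;
        borrowIndex = 1e18;
    }
}
```

Reading the two side by side makes the scoring rationale concrete: pattern A reverts on a repeat call only because its guard variables happen to be non-zero, so any function that can zero them re-opens initialize(); pattern B is independent of business-logic state, and the implementation contract additionally refuses initialize() outright because its constructor set the lock.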


rubric_version: v1.7.0
protocol: justlend
factor: RD-F-143
score: yellow
collected_at: 2026-05-17 10:25:32