★ Reinitializable implementation (no _disableInitializers)

Lido's assessment for RD-F-143 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

stETH implementation uses initialize() without _disableInitializers() in constructor. Aragon kernel's ACL provides partial mitigation (initialize() is access-controlled). The canonical OZ protection guard is absent. Risk is partially mitigated by Aragon permission model but not eliminated by standard OZ mechanism.

Sources #

URL
0x6ca84080381e43938476814be61b779a8bb6a600https://etherscan.io/address/0x6ca84080381e43938476814be61b779a8bb6a600retrieved 2026-04-28

Methodology #

Determine whether the implementation contract does not call `_disableInitializers()` in its constructor, leaving re-initialization possible.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol lido factor RD-F-143 score yellow collected_at 2026-04-28 13:58:42