★ Public initialize() without initializer modifier
Lombard Finance's assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
All examined implementation contracts properly protect `initialize()`:

1. `Consortium.sol` — `constructor() { _disableInitializers(); }` AND `function initialize(address _owner) external initializer`
2. `BridgeV2.sol` — `constructor() { _disableInitializers(); }` AND `function initialize(address owner_, IMailbox mailbox_) external initializer`
3. `NativeLBTC.sol` — `constructor() { _disableInitializers(); }` AND `function initialize(...) external initializer`
4. `StakedLBTC.sol` — `constructor() { _disableInitializers(); }` AND `function initialize(address treasury, address initialOwner, uint48 initialOwnerDelay) external initializer`

`BasculeV2.sol` uses a standard constructor (non-proxied) — no `initialize()` function, N/A for that contract. No unprotected `initialize()` found across reviewed contracts.
Sources
- Consortium.sol — initialization pattern (GitHub). Consortium.sol: constructor calls `_disableInitializers()`; `initialize()` has `initializer` modifier. Retrieved 2026-05-05.
- BridgeV2.sol — initialization pattern. BridgeV2.sol: constructor calls `_disableInitializers()`; `initialize()` has `initializer` modifier; `nonReentrant` on `deposit()`. Retrieved 2026-05-05.
- NativeLBTC.sol — initialization pattern. NativeLBTC.sol: constructor calls `_disableInitializers()`; `initialize()` has `initializer` modifier. Retrieved 2026-05-05.
- StakedLBTC Implementation (Etherscan). StakedLBTC implementation 0x072072317469ebb6c340a47e41561c9c3b782bd9 — `initialize()` uses `initializer` modifier; constructor calls `_disableInitializers()`. Retrieved 2026-05-05.
Methodology
Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.
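One way to automate this check, as an added example (not the curator's tooling and not Lombard's code): a Python function that flags any externally callable `initialize(...)` whose header lacks OpenZeppelin's `initializer` or `reinitializer(n)` modifier, and reports whether the constructor calls `_disableInitializers()`. The name `audit` and both sample contracts are constructed for illustration; custom "equivalent" locks are not recognized and still need manual review.

```python
import re

# Constructed sample sources (not Lombard's code): one locked, one unprotected.
LOCKED = """
contract Good is Initializable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() { _disableInitializers(); }
    function initialize(address owner_) external initializer { _owner = owner_; }
}
"""
UNPROTECTED = """
contract Bad is Initializable {
    // function initialize(address o) external initializer {}
    function initialize(address owner_) external { _owner = owner_; }
}
"""

# Strip comments first so a commented-out declaration cannot mask a real one.
# Limitation: a "//" inside a string literal is also treated as a comment.
COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
# Captures the parameter list and the header (visibility + modifiers) up to '{' or ';'.
INIT_FN = re.compile(r"\bfunction\s+initialize\s*\(([^)]*)\)([^{;]*)[{;]")
EXPOSED = re.compile(r"\b(external|public)\b")
# OpenZeppelin locks only; onlyInitializing is for internal helpers and is not a lock.
LOCK = re.compile(r"\binitializer\b|\breinitializer\s*\(")
CTOR_LOCK = re.compile(
    r"\bconstructor\s*\([^)]*\)[^{]*\{[^}]*_disableInitializers\s*\(\s*\)")

def audit(source):
    """Return unprotected initialize() parameter lists and the constructor lock state."""
    code = COMMENTS.sub("", source)
    unprotected = []
    for match in INIT_FN.finditer(code):
        params, header = match.group(1).strip(), match.group(2)
        if EXPOSED.search(header) and not LOCK.search(header):
            unprotected.append(params)
    return {"unprotected": unprotected,
            "constructor_disables": bool(CTOR_LOCK.search(code))}

if __name__ == "__main__":
    for name, src in (("LOCKED", LOCKED), ("UNPROTECTED", UNPROTECTED)):
        print(name, audit(src))
```

A result with an empty `unprotected` list and `constructor_disables` set to true corresponds to the pattern recorded in the evidence summary for the proxied contracts.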