★ Public initialize() without initializer modifier
Marinade Finance's assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The Anchor BPF program applies the #[account(zero)] constraint to the state account in the initialize instruction. This constraint requires the account to be zero-initialized before the instruction executes, and Anchor writes an 8-byte discriminator prefix on first initialization, so any subsequent initialize call fails because the account is no longer zero. This is the Solana-native functional equivalent of the OpenZeppelin initializer modifier. No misuse of #[account(init_if_needed)] was found for the main state initialization. The Neodyme + Sec3 2023 audits would have flagged any re-initialization vulnerability, since it is a well-known Anchor security pattern.
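As an added illustration (not Marinade's code and not the anchor_lang crate itself), the following standalone Rust model shows why a second initialize call fails under this constraint; the state layout and the discriminator bytes are constructed for the example.

```rust
// Added example (not Marinade's code, not the anchor_lang crate): a self-contained
// model of the re-initialization guard `#[account(zero)]` gives an Anchor
// `initialize` instruction. A Solana account is a byte buffer that starts all-zero;
// the constraint rejects the call unless the 8-byte discriminator prefix is still
// zero, and Anchor writes the discriminator on first initialization.

const DISC_LEN: usize = 8;
const STATE_LEN: usize = 32 + 2; // admin pubkey + fee_bps (constructed layout)

#[derive(Debug, PartialEq)]
pub enum InitError {
    AccountTooSmall,
    AlreadyInitialized, // models Anchor's ConstraintZero failure
}

/// Simulated state payload stored after the discriminator.
#[derive(Clone, Copy)]
pub struct State {
    pub admin: [u8; 32],
    pub fee_bps: u16,
}

/// Model of `initialize` with `#[account(zero)]` on the state account:
/// `data` is the account's raw bytes; succeeds only while its prefix is zero.
pub fn initialize(data: &mut [u8], disc: [u8; DISC_LEN], state: State) -> Result<(), InitError> {
    if data.len() < DISC_LEN + STATE_LEN {
        return Err(InitError::AccountTooSmall);
    }
    // The `zero` constraint: a non-zero discriminator means the account was
    // already initialized, so the call is rejected before any state is written.
    if data[..DISC_LEN].iter().any(|&b| b != 0) {
        return Err(InitError::AlreadyInitialized);
    }
    data[..DISC_LEN].copy_from_slice(&disc);
    data[DISC_LEN..DISC_LEN + 32].copy_from_slice(&state.admin);
    data[DISC_LEN + 32..DISC_LEN + STATE_LEN].copy_from_slice(&state.fee_bps.to_le_bytes());
    Ok(())
}

/// Calls `initialize` twice on one freshly allocated account and returns both outcomes.
pub fn double_init_outcome() -> (Result<(), InitError>, Result<(), InitError>) {
    // Constructed placeholder; Anchor derives the real value from sha256("account:<Name>")[..8].
    let disc = [0xd6, 0x2a, 0x14, 0x7f, 0x9b, 0x03, 0xe8, 0x51];
    let mut data = vec![0u8; 64];
    let first = initialize(&mut data, disc, State { admin: [1u8; 32], fee_bps: 30 });
    let second = initialize(&mut data, disc, State { admin: [2u8; 32], fee_bps: 0 });
    (first, second)
}
```

The second call is rejected before any bytes are written, which is the behaviour the initializer lock is meant to guarantee.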
Sources
- Audit: Neodyme Marinade 2023 Audit. The Neodyme + Sec3 2023 audits covered the v2.0 code, including initialization patterns. Retrieved 2026-05-16.
- Marinade initialize instruction source: admin/initialize.rs uses the #[account(zero)] constraint, confirmed via WebFetch. Retrieved 2026-05-16.
Methodology
Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.