defirisk.co
rubric v1.7.0

Constructor calls _disableInitializers()

mETH Protocol's assessment for RD-F-023 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

_disableInitializers() is confirmed in the constructors of Staking.sol, Oracle.sol, ReturnsAggregator.sol, UnstakeRequestsManager.sol, Pauser.sol and OracleQuorumManager.sol. The L1cmETHAdapter constructor (0xaE96dF024b9cb69a39a219d7176df6e7e39fac44) does NOT call _disableInitializers(); it only sets the token and endpoint addresses. Its initialize() is still protected by the OpenZeppelin (OZ) initializer modifier, but without _disableInitializers() the implementation contract itself could be initialized with arbitrary parameters through a direct (unproxied) call. Practical risk is low given that TimelockController is the proxy admin, but this deviates from OZ best practices.

Methodology

Determine whether each implementation contract's constructor calls `_disableInitializers()`, so that the implementation itself cannot be initialized directly.
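One way to automate this check over Solidity source is sketched below. It is an added example, not defirisk.co tooling and not mETH Protocol code; the two contract snippets and all function names are constructed for illustration.

```python
import re

CALL = re.compile(r"\b_disableInitializers\s*\(\s*\)")
COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def constructor_bodies(source):
    """Return the brace-delimited body of every constructor in the source."""
    code = COMMENTS.sub("", source)  # a commented-out call must not count
    bodies = []
    for m in re.finditer(r"\bconstructor\s*\(", code):
        start = code.find("{", m.end())
        if start == -1:
            continue
        depth = 0
        for i in range(start, len(code)):
            depth += {"{": 1, "}": -1}.get(code[i], 0)
            if depth == 0:  # matching close brace of the constructor
                bodies.append(code[start + 1:i])
                break
    return bodies

def check(source):
    """Classify one file: 'disabled', 'missing' or 'no-constructor'."""
    bodies = constructor_bodies(source)
    if not bodies:
        return "no-constructor"  # nothing locks the implementation either
    return "disabled" if any(CALL.search(b) for b in bodies) else "missing"

# Constructed sample: the pattern the rubric looks for.
GUARDED = """
contract StakingLike is Initializable {
    constructor() { _disableInitializers(); }
    function initialize(address admin) external initializer { /* ... */ }
}
"""
# Constructed sample: constructor only stores addresses; the call is commented out.
UNGUARDED = """
contract AdapterLike is Initializable {
    address immutable token; address immutable endpoint;
    constructor(address _token, address _endpoint) {
        // TODO: _disableInitializers();
        token = _token; endpoint = _endpoint;
    }
    function initialize(address owner) external initializer { }
}
"""

if __name__ == "__main__":
    for name, src in (("StakingLike", GUARDED), ("AdapterLike", UNGUARDED)):
        print(name, check(src))
```

The check is per file: a call made in an inherited base constructor, or a `//` sequence inside a string literal, needs a real Solidity parser to handle correctly.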

rubric_version: v1.7.0
protocol: meth-protocol
factor: RD-F-023
score: yellow
collected_at: 2026-05-16 02:17:50