★ Public initialize() without initializer modifier

Midas's assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Midas uses a MidasInitializable base contract that calls _disableInitializers() in the constructor, preventing re-initialization of the implementation. All initialize() functions use the OZ initializer modifier — confirmed: mBASIS ABI shows 'function initialize(address _accessControl) public initializer'; mTBILL shows initialize(address) and initializeV2() patterns consistent with OZ upgradeable. Sherlock 2024-08 M-4 (Corruptible Upgradability via missing storage gaps in non-pure parent contracts) is a different vulnerability class from missing initializer protection — M-4 was fixed. No missing initializer modifier finding in any of the 4 audit engagements.

Sources #

Etherscan
mBASIS Implementation — EtherscanmBASIS impl ABI — initialize(address _accessControl) public initializer confirmedretrieved 2026-05-16
Etherscan
mTBILL Implementation — EtherscanmTBILL impl — initialize pattern, initializeV2() visible in ABIretrieved 2026-05-16
GitHub
Sherlock 2024-08 Judging M-4Sherlock 2024-08 M-4 (storage gap, not missing initializer) — fixedretrieved 2026-05-16

Methodology #

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol midas factor RD-F-022 score green collected_at 2026-05-16 09:34:55