★ Public initialize() without initializer modifier

Morpho V1 (Morpho Blue + MetaMorpho)'s assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Morpho Blue has no initialize() function — uses traditional constructor with newOwner parameter; MetaMorpho deployed via constructor with salt (not proxy initializer); no unprotected initialize() on any core contract.

Detail #

The ★ critical factor for unprotected initialize() does not apply to Morpho Blue because the protocol uses a plain constructor pattern throughout. Morpho.sol constructor: `constructor(address newOwner)` sets owner and DOMAIN_SEPARATOR. MetaMorpho factory deploys vaults via `new MetaMorpho{salt: salt}(initialOwner, MORPHO, initialTimelock, asset, name, symbol)` — also constructor-based. No proxy-initializer pattern exists in the deployed system that would expose a public initialize() vector.

Sources #

Etherscan
https://etherscan.io/address/0xBBBBBbbBBb9cC5e90e3b3Af64bdAF62C37EEFFCb#coderetrieved 2026-04-27
GitHub
https://github.com/morpho-org/metamorpho/blob/main/src/MetaMorphoFactory.solretrieved 2026-04-27
GitHub
https://github.com/morpho-org/morpho-blue/blob/main/src/Morpho.solretrieved 2026-04-27

Methodology #

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol morpho-v1 factor RD-F-022 score green collected_at 2026-04-30 21:19:13