★ Public initialize() without initializer modifier

Orca's assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

The OpenZeppelin initializer modifier / unprotected initialize() pattern is an EVM Solidity vulnerability class (proxy re-initialization). Anchor Rust programs use discriminator-based account initialization (#[account(init, ...)]) which is enforced at the Solana runtime level — once an account is initialized with a discriminator, it cannot be re-initialized by any caller. No unprotected EVM-style initialize() surface exists. The program is fully open-source; all 6 audit engagements across 4 firms would have flagged this class of vulnerability if present. Zero exploit history in 4+ years corroborates the green finding.

Sources #

Audit
Neodyme Orca Whirlpools Audit 2022-05-05https://dev.orca.so/.audits/2022-05-05.pdfretrieved 2026-05-16
GitHub
Whirlpool program lib.rs (Anchor/Rust — confirms non-EVM substrate)https://github.com/orca-so/whirlpools/blob/main/programs/whirlpool/src/lib.rsretrieved 2026-05-16

Methodology #

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol orca factor RD-F-022 score green collected_at 2026-05-16 02:39:16