★ Public initialize() without initializer modifier
QuickSwap's assessment for RD-F-022 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
AlgebraPool.initialize() is exposed as `external override` without the OpenZeppelin (OZ) `initializer` modifier, but AlgebraPool instances are NOT proxy implementations — each pool is deployed DIRECTLY by AlgebraFactory (one contract per pair, no upgradeable proxy). C4 issue #84, which flagged initialize() front-running, was DISPUTED by the sponsor, consistent with the direct-deploy design in which each pool is initialized once by its creator. The `require(globalState.price == 0, 'AI')` state guard functions as a one-time lock. The V2 core has no initialize() pattern. The RD-F-022 exploit scenario (proxy implementation takeover via an unprotected initialize) does not apply to QuickSwap's architecture.
Sources
- Audit: C4 Finding #84 — Sponsor Disputed. C4 issue #84 — initialize() front-running, sponsor DISPUTED (retrieved 2026-05-16)
- AlgebraFactory Polygonscan: AlgebraFactory verified — direct non-proxy deploy of pools (retrieved 2026-05-16)
- AlgebraPool.sol — C4 2022-09 QuickSwap: AlgebraPool.sol L276-285 — initialize() with price==0 guard, no OZ initializer modifier (retrieved 2026-05-16)
Methodology
Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.
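The methodology check as an added example (not the curator's tooling and not QuickSwap or Algebra code): a heuristic scan that labels each `initialize()` by the lock it carries. Treating a `require(<slot> == 0)` followed by a write to the same slot as an equivalent lock is an assumption of this sketch, and the sample contracts are constructed.

```python
import re

INIT_RE = re.compile(r"function\s+initialize\s*\(")
# A require() that tests a storage slot against zero, like the guard quoted above.
GUARD_RE = re.compile(r"require\s*\(\s*([\w.\[\]]+)\s*==\s*0\b")

def closing(src, start, open_ch, close_ch):
    """Index of the delimiter that closes the one at src[start]."""
    depth = 0
    for i in range(start, len(src)):
        depth += (src[i] == open_ch) - (src[i] == close_ch)
        if depth == 0:
            return i
    raise ValueError("unbalanced delimiters")

def classify_initializers(src):
    """Label each initialize() body: 'modifier', 'state-guard' or 'unprotected'."""
    labels = []
    for m in INIT_RE.finditer(src):
        params_end = closing(src, m.end() - 1, "(", ")")
        brace, semi = src.find("{", params_end), src.find(";", params_end)
        if brace == -1 or (semi != -1 and semi < brace):
            continue  # interface declaration, no body to inspect
        header = src[params_end + 1:brace]
        body = src[brace + 1:closing(src, brace, "{", "}")]
        guard = GUARD_RE.search(body)
        if re.search(r"\binitializer\b", header):
            labels.append("modifier")
        # The guard only locks if the tested slot is written afterwards.
        elif guard and re.search(re.escape(guard.group(1)) + r"\s*=[^=]", body[guard.end():]):
            labels.append("state-guard")
        else:
            labels.append("unprotected")
    return labels

# Constructed sample contracts (hypothetical names, not QuickSwap or Algebra source).
SAMPLE = """
contract PoolLike {
    struct GlobalState { uint160 price; } GlobalState public globalState;
    function initialize(uint160 initialPrice) external override {
        require(globalState.price == 0, 'AI');
        globalState.price = initialPrice;
    }
}
contract UpgradeableLike { address owner; function initialize(address o) external initializer { owner = o; } }
contract Unlocked { address owner; function initialize(address o) external { owner = o; } }
"""
if __name__ == "__main__":
    print(classify_initializers(SAMPLE))
```

The labels describe only the lock on the function; whether the contract is a proxy implementation still has to be established from how it is deployed, as the evidence summary does for AlgebraFactory.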