★ Reinitializable implementation (no _disableInitializers)
StakeWise v3's assessment for RD-F-143 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
OsToken.sol is a direct deployment (non-proxy), uses standard constructor (not initialize()), and does not require _disableInitializers(). VaultsRegistry and Keeper are also direct Ownable2Step deployments. The reinitializer risk applies to proxied vault implementation contracts (EthVault, etc.) which use factory-based initialize() — this is a Cat 1 handoff for code-security-analyst to verify _disableInitializers() in vault impl constructors. Governance-relevant contracts are not re-initializable.
Sources #
- GitHubOsToken.sol — GitHub stakewise/v3-coreOsToken.sol: constructor(address _owner, address vaultController, ...) with no _disableInitializers() call needed; no initialize() functionretrieved 2026-05-16
- VaultsRegistry source — EtherscanVaultsRegistry 0x3a0008a5: direct Ownable2Step deployment, constructor-based initretrieved 2026-05-16
Methodology #
Determine whether the implementation contract does not call `_disableInitializers()` in its constructor, leaving re-initialization possible.
See the full factor methodology and distribution across all protocols →