★ Public initialize() without initializer modifier

Venus Protocol's assessment for RD-F-022 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Core Pool VToken.sol initialize() is public with admin check inside body (ensureAdmin(msg.sender)) and state guard (accrualBlockNumber==0), but no OZ initializer modifier. Isolated Pools VToken.sol correctly uses initializer modifier + _disableInitializers() in constructor. The Core Pool pattern is weaker than OZ standard but the combined admin+state guards prevent the one-tx unauthorized re-init exploit. Yellow (not red) because the state guard effectively prevents unauthorized re-initialization post-deploy.

Sources #

GitHub
VToken.sol initialize() — public, ensureAdmin inside body, no initializer modifierVToken.sol initialize() function — Core Poolretrieved 2026-04-28
GitHub
Isolated Pools VToken.sol — correct OZ initializer patternIsolated Pools VToken.sol — initializer + _disableInitializersretrieved 2026-04-28

Methodology #

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol venus factor RD-F-022 score yellow collected_at 2026-04-28 18:30:49