Value DeFi: Uninitialized Pool Re-initialization (Missing initialized = true)

Summary #

Value DeFi suffered a Yield Aggregator / AMM on 2021-05-05, resulting in a loss of approximately $10M.

What happened #

Value DeFi lost $10M because a code migration omitted one line — `initialized = true` — letting any caller re-initialize their vStake pool, claim admin ownership, and drain it via their own emergency recovery function.

Linked factors #

• RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — vStake pool was a new deployment (migration from old implementation)] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — vStake pool was a new deployment (migration from old implementation)]
• RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
• RD-F-009 — related : Formal verification coverage — would have caught [via cross-hack: Factor 53: Custom Proprietary AMM Math Without Independent Verification]
• RD-F-024 — causal : Code complexity above threshold for audit coverage [via cross-hack: Factor 53: Custom Proprietary AMM Math Without Independent Verification]
• RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — initialize() call to a deployed pool contract by an external address is the attack signal; governanceRecoverUnsupported() call immediate...]
• RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — code migrated/forked from own earlier implementation]
• RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — vStake pool was a new deployment (migration from old implementation)]