★ Public initialize() without initializer modifier

Axelar Network's assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

AxelarGateway does not expose a standard initialize() function. Instead it uses setup(bytes) gated by onlyProxy modifier in Implementation.sol (reverts if implementationAddress == address(this), preventing direct-impl calls). The ITS proxy uses InterchainProxy with a custom setup gate. No unprotected initialize() on any core implementation contract. One-tx exploit via public initialize() is not possible.

Sources #

Etherscan
AxelarGateway Implementation - No initialize() ConfirmedAxelarGateway impl 0x99B5FA03 - setup function confirmed with onlyProxy, no initialize() functionretrieved 2026-05-17
GitHub
Implementation.sol - onlyProxy GuardImplementation.sol onlyProxy modifier: if (implementationAddress == address(this)) revert NotProxy()retrieved 2026-05-17

Methodology #

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol axelar factor RD-F-022 score green collected_at 2026-05-16 21:57:49