defirisk.co
rubric v1.7.0

Constructor calls _disableInitializers()

Beefy Finance's assessment for RD-F-023 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

BeefyVaultV7 has no constructor (it is deployed as EIP-1167 clones), so `_disableInitializers()` is never called. The BeefyVaultV7Factory constructor deploys `new BeefyVaultV7()` as the implementation template without calling `_disableInitializers()` or `initialize()` on it. An uninitialized implementation template is a recognized attack surface for cloning patterns. StratFeeManagerInitializable has no constructor and no `_disableInitializers()` call; the same holds for BaseAllToNativeStrat. Scored yellow: the OZ `initializer` modifier provides a first-call lock, but the implementation contract itself can be initialized by any caller. This is a known best-practice violation, mitigated in practice by the factory pattern, but the risk is non-zero.

Sources

  • GitHub: BeefyVaultV7.sol. No constructor body; _disableInitializers() not called (retrieved 2026-05-16)
  • GitHub: BeefyVaultV7Factory.sol constructor. `instance = new BeefyVaultV7()` without init or _disableInitializers (retrieved 2026-05-16)

Methodology

Determine whether implementation contract constructors call `_disableInitializers()` to prevent re-initialization of the implementation directly.
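One way to automate this check over Solidity source, as an added example (not the rubric's own tooling and not Beefy's code). The sample contracts and their names are constructed, the status labels are this example's own, and the scan assumes no braces or comment markers inside string literals.

```python
import re

# Constructed sample source (not Beefy's code); all contract names are hypothetical.
SAMPLE = """
contract VaultTemplate is Initializable {
    function initialize(address want) public initializer { token = want; }
}
contract LockedVault is Initializable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() { _disableInitializers(); }
    function initialize(address want) public initializer { token = want; }
}
contract CommentedOut is Initializable {
    constructor() { /* _disableInitializers(); */ }
    function initialize() public initializer {}
}
contract Factory {
    constructor() { template = address(new VaultTemplate()); }
}
"""

def _body(src, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def audit(src):
    """Map each contract name to its constructor-lock status."""
    # Drop comments first so a commented-out call is not counted as a lock.
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)
    report = {}
    for m in re.finditer(r"\bcontract\s+(\w+)[^{;]*\{", src):
        body = _body(src, m.end() - 1)
        ctor = re.search(r"\bconstructor\s*\([^)]*\)[^{]*\{", body)
        if not re.search(r"\b(initializer|onlyInitializing)\b", body):
            status = "not-initializable"   # e.g. a factory: outside this factor
        elif ctor is None:
            status = "no-constructor"      # the template pattern described above
        elif re.search(r"\b_disableInitializers\s*\(\s*\)", _body(body, ctor.end() - 1)):
            status = "locked"
        else:
            status = "constructor-without-lock"
        report[m.group(1)] = status
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

A `no-constructor` or `constructor-without-lock` result only flags the contract for manual review; inherited constructors in other files are not followed.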


rubric_version v1.7.0 protocol beefy factor RD-F-023 score yellow collected_at 2026-05-16 13:10:30