★ Reinitializable implementation (no _disableInitializers)

Circle USYC's assessment for RD-F-143 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[CRITICAL] RolesAuthority implementation (0xb59B1568 on ETH, 0x8Cadc832 on BSC) does not call _disableInitializers() in constructor per Etherscan source analysis. BSC implementation 0x191Fb6f3 also lacks this call per BSCScan source review. Both are UUPS-upgradeable implementations backing $2.97B TVL. If the implementation addresses can be reinitialized, attacker who gains owner position can take over access control.

Sources #

Etherscan
RolesAuthority ETH impl - no _disableInitializersRolesAuthority impl 0xb59B1568: constructor does not call _disableInitializers() confirmed via source analysisretrieved 2026-05-16
Etherscan
USYCSatellite BSC impl - no _disableInitializers confirmedBSC impl 0x191Fb6f3: no evidence of _disableInitializers() call per BSCScan source reviewretrieved 2026-05-16

Methodology #

Determine whether the implementation contract does not call `_disableInitializers()` in its constructor, leaving re-initialization possible.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol circle-usyc factor RD-F-143 score red collected_at 2026-05-15 21:56:43