★ Reinitializable implementation (no _disableInitializers)

deBridge's assessment for RD-F-143 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

DeBridgeGate impl (0x797161bc...), DlnSource impl (0x322B481...), and DlnDestination impl (0xE540eb6B...) constructors do NOT call _disableInitializers(). All three core implementation contracts are potentially reinitializable if accessed directly — proxy takeover vector.

Sources #

URL
https://github.com/debridge-finance/debridge-securityretrieved 2026-05-06
Etherscan
https://etherscan.io/address/0x322B481088143d9FF74e4169Fb7f12f7808690DF#coderetrieved 2026-04-28
Etherscan
https://etherscan.io/address/0x797161bcc625155d2302251404ccb93c2632658e#coderetrieved 2026-04-28
Etherscan
https://etherscan.io/address/0xE540eb6Bfee129d28d47e26ad33A138d66FD78f5#coderetrieved 2026-04-28
URL
https://debridge.finance/blog/halborn-completes-security-audit-of-the-debridge-protocol/retrieved 2026-05-06

Methodology #

Determine whether the implementation contract does not call `_disableInitializers()` in its constructor, leaving re-initialization possible.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol debridge factor RD-F-143 score red collected_at 2026-04-28 01:27:58