★ Public initialize() without initializer modifier

ether.fi's assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

All sampled contracts with initialize() use the external initializer modifier: LiquidityPool (line 177), EETH (line 74), WeETH (line 64), EtherFiOracle, WithdrawRequestNFT, EtherFiAdmin, NodeOperatorManager, RoleRegistry, Liquifier. All constructors call _disableInitializers() to prevent implementation-level re-initialization. EtherFiNodesManager and StakingManager do not expose initialize() at all (use constructors). EtherFiNode uses a traditional constructor. Clean across all 12 sampled contracts — no one-tx exploit surface found.

Sources #

GitHub
WeETH — correct initializer + _disableInitializers patternWeETH.sol line 64 (initializer), line 59 (_disableInitializers)retrieved 2026-04-28
GitHub
LiquidityPool — correct initializer + _disableInitializers patternLiquidityPool.sol line 177 (initializer), line 159 (_disableInitializers)retrieved 2026-04-28
GitHub
EETH — correct initializer + _disableInitializers patternEETH.sol line 74 (initializer), line 70 (_disableInitializers)retrieved 2026-04-28

Methodology #

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol ether-fi factor RD-F-022 score green collected_at 2026-04-28 13:58:46