defirisk.co
rubric v1.7.0

Public initialize() without initializer modifier

Falcon Finance's assessment for RD-F-022 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

USDf implementation: `initialize(address admin)`; modifier not confirmed in the ABI. sUSDf implementation: `initialize()` inherits Initializable (OZ) with the `_disableInitializers` mechanism. Zellic medium finding: StakedUSDf initialization may fail (0,0 params). No evidence of a completely unprotected open initializer. Closed source prevents full verification.

Detail

The USDf implementation at 0x3aDf34C09DAC24E4BAeFB1b1df4C2992edC2b789 exposes `initialize(address admin)`. Etherscan shows it as nonpayable, but the `initializer` modifier is not explicitly visible in the ABI representation. The constructor appears as an empty `constructor()` nonpayable, consistent with the OZ pattern.

The sUSDf implementation at 0x0D132bEE412E6619a4863AEEdad97541BfDa3F34 has `initialize(IERC20 usdf, address admin, USDfSilo silo_, uint32 initialVesting, uint24 initialCooldown)`, and Etherscan notes that it inherits from Initializable (OZ) with the `_disableInitializers()` mechanism.

Zellic's medium finding "StakedUSDf initialization may fail" concerns parameter validation (vestingPeriod and cooldownDuration can both be set to zero simultaneously), not an absent initializer lock. It is a logic bug in the initialization parameters, not a re-initialization exploit.

Scored yellow (not red) because:
(1) The TransparentUpgradeableProxy admin controls who can call initialize.
(2) Zellic explicitly reviewed initialization and found only a parameter validation issue, not an open re-init path.
(3) The Initializable inheritance and `_disableInitializers()` mechanism is confirmed for sUSDf.

Methodology

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.
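
The pattern this factor looks for, next to the locked form, as an added example: this is not Falcon Finance's code (which is closed source), and the contract names `UnlockedImpl` and `LockedImpl` are hypothetical. It assumes OpenZeppelin Contracts Upgradeable v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

// Hypothetical implementation showing what the factor flags:
// initialize() has no lock, so it can run again and overwrite admin.
contract UnlockedImpl {
    address public admin;

    function initialize(address admin_) public {
        admin = admin_;
    }
}

// Hypothetical implementation with the OpenZeppelin lock in place.
contract LockedImpl is Initializable {
    address public admin;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Locks the logic contract's own storage, so initialize()
        // cannot be called on the implementation address directly.
        _disableInitializers();
    }

    // `initializer` allows one successful call per proxy; any later
    // call reverts.
    function initialize(address admin_) public initializer {
        require(admin_ != address(0), "admin is zero");
        admin = admin_;
    }
}
```

Both contracts produce the same ABI entries, a nonpayable `initialize(address)` and a `constructor()` with no inputs, because modifiers and constructor bodies are not part of the ABI. Telling them apart requires verified source or bytecode.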

rubric_version: v1.7.0, protocol: falcon-finance, factor: RD-F-022, score: yellow, collected_at: 2026-05-12 04:06:37