★ Public initialize() without initializer modifier

Frax Finance's assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No unprotected public initialize() on any live implementation contract found. FraxlendPair V1: has initialize() with AlreadyInitialized guard (custom pattern, not OZ modifier — but non-upgradeable standalone contract so re-init risk is limited to a separate attack vector). frxUSD OFT adapter: TransparentUpgradeableProxy with 'Initialized' events in ABI suggesting OZ initializer pattern used on implementation. sfrxETH: non-upgradeable ERC-4626 with constructor. FraxEtherRedemptionQueueV2: non-upgradeable with constructor. FraxGovernorAlpha/Omega: non-upgradeable. No one-tx exploit surface identified.

Sources #

Etherscan
frxUSD OFT Adapter Etherscan (Proxy)frxUSD OFT adapter TransparentUpgradeableProxy — Initialized events in ABIretrieved 2026-05-17
Etherscan
sfrxETH EtherscansfrxETH non-upgradeable ERC-4626 with constructorretrieved 2026-05-17
Etherscan
FraxlendPair V1 FRAX/FXS EtherscanFraxlendPair V1 — initialize() with AlreadyInitialized guard, standalone non-upgradeableretrieved 2026-05-17

Methodology #

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-022 score green collected_at 2026-05-16 20:44:31