defirisk.co
rubric v1.7.0

Reinitializable implementation (no _disableInitializers)

Lista DAO's assessment for RD-F-143 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The LisUSD/hay.sol implementation does not call `_disableInitializers()` in its constructor; this was confirmed from the GitHub hay.sol source and the BscScan implementation 0xF5bd9b19. Interaction.sol was also confirmed to be missing `_disableInitializers()`. Both contracts use `initialize()` with the OpenZeppelin `initializer` modifier, which protects the proxy instances but not the raw implementation contracts. Any address can call `initialize()` directly on the implementation, potentially granting itself the ADMIN role.

Sources

Methodology

Determine whether the implementation contract does not call `_disableInitializers()` in its constructor, leaving re-initialization possible.
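One way to run this check over Solidity source text, as an added example (not defirisk.co's tooling and not Lista DAO's code). The function names and sample contracts are constructed for illustration; the scan is a text heuristic that assumes one contract per source and no `//` or `/*` inside string literals.

```python
import re

def strip_comments(src: str) -> str:
    """Drop /* */ and // comments so a commented-out call does not count."""
    return re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)

def block_after(src: str, start: int) -> str:
    """Return the body of the first brace-delimited block at or after start."""
    open_at = src.find("{", start)
    if open_at < 0:
        return ""
    depth = 0
    for i in range(open_at, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_at + 1:i]
    return src[open_at + 1:]

# A function header carrying the initializer / reinitializer(n) modifier.
INIT_FN = re.compile(r"\bfunction\s+\w+\s*\([^)]*\)[^{;]*\b(?:re)?initializer\b")
LOCK_CALL = re.compile(r"\b_disableInitializers\s*\(\s*\)")

def missing_disable_initializers(src: str) -> bool:
    """True if src has an initializer-guarded function but no constructor
    whose body calls _disableInitializers()."""
    code = strip_comments(src)
    if not INIT_FN.search(code):
        return False  # not an initializer-style contract
    for ctor in re.finditer(r"\bconstructor\s*\(", code):
        if LOCK_CALL.search(block_after(code, ctor.end())):
            return False
    return True

# Constructed sample sources (hypothetical contracts).
UNLOCKED = """
contract Token is Initializable {
    function initialize(address admin) external initializer { owner = admin; }
}"""
LOCKED = """
contract Token is Initializable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() { _disableInitializers(); }
    function initialize(address admin) external initializer { owner = admin; }
}"""
COMMENTED_OUT = LOCKED.replace("_disableInitializers();", "/* _disableInitializers(); */")
```

A call to `_disableInitializers()` placed in any function other than the constructor is still reported as missing, because only the constructor runs in the implementation's own storage context at deployment.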


rubric_version: v1.7.0
protocol: lista-dao
factor: RD-F-143
score: red
collected_at: 2026-05-12 17:54:05