defirisk.co
rubric v1.7.0

Public initialize() without initializer modifier

Maple Finance's assessment for RD-F-022 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The core V2 contracts use a bespoke MapleProxied/NonTransparentProxy pattern without OZ Initializable: there is no public `initialize()` in the EVM sense, and initialization runs through a factory-controlled delegatecall. MapleCCIPReceiver (UUPS, Jan 2026) exposes `initialize(address,address)`, likely with the OZ `initializer` modifier, but the absence of `_disableInitializers()` in its constructor is not confirmed from Etherscan ABI analysis. MapleLoanInitializer uses fallback-based initialization with no explicit re-initialization guard.

Sources

Methodology

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.
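An ABI shows that `initialize(…)` exists but not what the constructor did, so the lock has to be read from storage. The sketch below is an added example, not defirisk.co's or Maple's code: it decodes the word returned by `eth_getStorageAt` for the implementation address (not the proxy), assuming the OpenZeppelin Contracts v5 namespaced `Initializable` layout. The function names are hypothetical and the sample words are constructed.

```python
# Added example. Assumes OpenZeppelin Contracts v5 (ERC-7201) Initializable
# storage; v4 keeps the flag in a regular slot and needs a different decoder.

# Namespaced slot of InitializableStorage in OpenZeppelin Contracts v5.
INITIALIZABLE_SLOT = 0xf0c57e16840df040f15088dc2f81fe391c3923bec73e23a9662efc9c229c6a00
UINT64_MAX = 2**64 - 1


def decode_initializable(word_hex: str) -> dict:
    """Decode the 32-byte word read from INITIALIZABLE_SLOT."""
    raw = word_hex[2:] if word_hex.lower().startswith("0x") else word_hex
    if len(raw) > 64:
        raise ValueError("storage word longer than 32 bytes")
    word = int(raw or "0", 16)
    if word >> 72:
        raise ValueError("unexpected high bits: not the v5 Initializable layout")
    version = word & UINT64_MAX              # uint64 _initialized (low 8 bytes)
    initializing = bool((word >> 64) & 0xFF)  # bool _initializing (next byte)
    if version == UINT64_MAX:
        state = "locked"          # value written by _disableInitializers()
    elif version == 0:
        state = "uninitialized"   # no initializer has run on this contract
    else:
        state = "initialized"     # initializer/reinitializer ran directly
    return {"state": state, "version": version, "initializing": initializing}


def assess_implementation(word_hex: str) -> str:
    """Map the decoded state to a finding for an implementation contract."""
    info = decode_initializable(word_hex)
    if info["state"] == "locked":
        return "pass: initializers disabled on the implementation"
    if info["state"] == "uninitialized":
        return "flag: initialize() still callable on the implementation"
    return f"review: implementation initialized directly (version {info['version']})"


# Constructed sample words (not read from any chain).
SAMPLES = {
    "locked": "0x" + "0" * 48 + "f" * 16,
    "fresh": "0x" + "0" * 64,
    "v1": "0x" + "0" * 63 + "1",
}

if __name__ == "__main__":
    for name, word in SAMPLES.items():
        print(f"{name:7s} {assess_implementation(word)}")
```

A "flag" result only says the lock is missing; whether `initialize(…)` itself carries a guard still has to be read from the verified source.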


rubric_version: v1.7.0
protocol: maple-finance
factor: RD-F-022
score: yellow
collected_at: 2026-04-27 05:38:08