★ Reinitializable implementation (no _disableInitializers)

Maple Finance's assessment for RD-F-143 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

_disableInitializers() absent from entire maple-core-v2 repo (GitHub search: 0 files). NonTransparentProxied base has no constructor calling this guard. Implementation contracts behind NonTransparentProxy lack reinitialization protection.

Detail #

A GitHub search of the maple-labs/maple-core-v2 repository for _disableInitializers returned 0 results. The NonTransparentProxied base contract (from the non-transparent-proxy repo) does not call _disableInitializers() in its constructor. The MapleGlobals implementation and other proxied contracts therefore lack the standard guard against direct implementation initialization. This creates a path where, if the proxy's EIP-1967 admin slot were manipulated (e.g., via a governance exploit or storage collision), the implementation contract itself could be initialized directly.

Sources #

URL
https://cantina.xyz/blog/cantina-case-study-maple-financeretrieved 2026-05-06
URL
https://docs.maple.finance/technical-resources/security/securityretrieved 2026-05-06
GitHub
https://github.com/maple-labs/non-transparent-proxy/blob/main/contracts/NonTransparentProxied.solretrieved 2026-04-27
GitHub
https://github.com/maple-labs/maple-core-v2/search?q=_disableInitializersretrieved 2026-04-27

Methodology #

Determine whether the implementation contract does not call `_disableInitializers()` in its constructor, leaving re-initialization possible.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol maple-finance factor RD-F-143 score red collected_at 2026-04-27 05:38:08