★ Public initialize() without initializer modifier
Meteora's assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Anchor (v0.31.0) enforces account initialization via `#[account(init)]` and `#[account(init_if_needed)]` constraints with PDA bump seeds and discriminators. The discriminator system prevents re-initialization: calling an init instruction on an already-initialized account fails the discriminator check at runtime. The DBC program exposes the `initialize_virtual_pool_with_spl_token` and `initialize_virtual_pool_with_token2022` instructions using standard Anchor constraints. Eight audit firms have reviewed multiple versions, with no published reinit vulnerability finding. The equivalent of the OpenZeppelin `initializer` modifier is structurally enforced by the Anchor framework.
Sources
- GitHub: Meteora Program Audit Reports Repository, MeteoraAg/audits - 8 firms, no reinit vulnerability found across all program versions (retrieved 2026-05-16)
- DBC Program lib.rs - Instruction Definitions, MeteoraAg/dynamic-bonding-curve/src/lib.rs - initialize_virtual_pool instructions with Anchor constraints (retrieved 2026-05-16)
Methodology
Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.