★ Public initialize() without initializer modifier
PancakeSwap's assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
V2 `PancakePair.initialize(address,address)` is guarded by `require(msg.sender == factory)`; this factory-only guard prevents unauthorized calls in this non-proxy architecture. The V3 Pool has no `initialize` function (it is constructor-deployed). The Infinity Vault has no proxy initialize pattern. MasterChef V2 uses a custom `init()` gated by `onlyOwner`. No exploitable unprotected `initialize` was found on any live implementation.
Sources
- Etherscan
- pancake-smart-contracts (GitHub): PancakePair source — initialize guarded by factory check; retrieved 2026-04-29
Methodology
Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.
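One way to run a first pass of this check over Solidity source, as an added example that is not the curator's tooling or PancakeSwap code. It treats the three patterns named in the evidence summary (an `initializer`-style modifier, an `onlyOwner` gate, a `require(msg.sender == ...)` check in the body) as guards; the modifier names, the function names and the sample contracts are assumptions constructed for illustration.

```python
import re

# Heuristic regex scan, not a Solidity parser. Guard names are assumptions
# modelled on the patterns this page accepts as equivalent locks.
GUARD_MODIFIERS = {"initializer", "reinitializer", "onlyOwner"}
FUNC_RE = re.compile(r"function\s+(initialize|init)\s*\([^)]*\)([^{;]*)\{")
SENDER_CHECK_RE = re.compile(r"require\s*\(\s*msg\.sender\s*==\s*\w+")

def _body(src, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]

def unguarded_initializers(src):
    """Names of public/external init functions with no recognised guard."""
    findings = []
    for m in FUNC_RE.finditer(src):
        header = m.group(2)  # visibility and modifiers between ')' and '{'
        if not re.search(r"\b(public|external)\b", header):
            continue  # internal/private: not callable from outside
        mods = set(re.findall(r"[A-Za-z_]\w*", header))
        body = _body(src, m.end() - 1)
        if mods & GUARD_MODIFIERS or SENDER_CHECK_RE.search(body):
            continue
        findings.append(m.group(1))
    return findings

# Constructed sample contracts (illustrative, not PancakeSwap source).
FACTORY_GUARDED = """contract Pair {
    address factory; address token0; address token1;
    function initialize(address a, address b) external {
        require(msg.sender == factory, "FORBIDDEN");
        token0 = a; token1 = b;
    }
}"""
OWNER_GATED = "contract Chef { function init(address t) external onlyOwner { } }"
UNPROTECTED = """contract Impl {
    address owner;
    function initialize(address o) public { owner = o; }
}"""

if __name__ == "__main__":
    for name, src in [("pair", FACTORY_GUARDED), ("chef", OWNER_GATED), ("impl", UNPROTECTED)]:
        print(name, unguarded_initializers(src))
```

A hit is a lead for manual review, not a finding: inherited modifiers and custom lock flags are outside what this scan sees, and a caller check alone does not show that the function can run only once.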