defirisk.co
rubric v1.7.0

Public initialize() without initializer modifier

Stake DAO's assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

vlSDT (0x94818A7baa7e9F5dC62ce4da1B52ef9a760b80B8): no initialize() function — standard constructor(address _owner, address _boostRegistry). CurveYCRVVoter (0x52f541764E6e90eeBc5c21Ff570De0e2D63766B6): Solidity 0.5.17, constructor only, no proxy. sdCRV (0xD1b5651E55D4CeeD36251c61c50C889B36F6abB5): standard ERC-20 constructor. Votemarket V1 (0x0000000895cB182E6f983eb4D8b4E0Aa0B31Ae4c): standard constructor. LaPoste impl (0xbF0000F5c600b1a84fe08f8d0013002ebc0064fe): standard constructor. No unprotected initialize() found across all inspected implementation contracts.

Sources #

  • GitHub
    vlSDT GitHub SourcevlSDT.sol — constructor(address _owner, address _boostRegistry), no initialize()retrieved 2026-05-16
  • Etherscan
    vlSDT Etherscan SourcevlSDT 0x94818A7baa7e9F5dC62ce4da1B52ef9a760b80B8 — Exact Match, no initialize()retrieved 2026-05-16
  • Etherscan
    CurveYCRVVoter Etherscan SourceCurveYCRVVoter 0x52f541764E6e90eeBc5c21Ff570De0e2D63766B6 — non-upgradeable, constructor onlyretrieved 2026-05-16

Methodology #

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol stake-dao factor RD-F-022 score green collected_at 2026-05-16 12:29:20