★ Public initialize() without initializer modifier
stHYPE (Valantis Labs)'s assessment for RD-F-022 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
stHYPE token implementation (0xe71cAF5c): initialize() confirmed with OZ initializer modifier and constructor calls _disableInitializers(). wstHYPE implementation (0x104324): minimal constructor, OZ Initializable pattern. OverseerV1 implementation (0xaC43e7a1): ABI shows initialize() and initializeV3() functions; source is verified on hyperevmscan but modifier text was not confirmed via parsed source — ABI-only inspection is inconclusive. No unprotected initialize() confirmed; marking yellow rather than green due to residual uncertainty on OverseerV1 modifier from ABI-only view. Protocol's 4-firm audit history makes an unprotected initialize extremely unlikely.
Sources #
- URLstHYPE token implementation — initializer modifier confirmedhyperevmscan.io/address/0xe71cAF5c1fe56d8897c7b604295d23968049e057#code — initializer modifier + _disableInitializers() confirmed in sourceretrieved 2026-05-17
- OverseerV1 implementation — ABI only for initialize modifier statushyperevmscan.io/address/0xaC43e7a1467bf6a4db24bf1f121fb59be6c9f831#code — ABI shows initialize(), modifier status from ABI onlyretrieved 2026-05-17
- wstHYPE implementation — OZ Initializable pattern confirmedhyperevmscan.io/address/0x104324863cfb2220756c60384efa9bb67a57aaf7#code — wstHYPE implementation OZ Initializable confirmedretrieved 2026-05-17
Methodology #
Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.
See the full factor methodology and distribution across all protocols →