★ Public initialize() without initializer modifier

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-022 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

UniswapV2Factory (0xc0aEe478, pragma 0.6.12, Etherscan 'Exact Match' verified): uses constructor only, no initialize() function. UniswapV3Factory (0xbaceb8ec, pragma 0.7.6, Etherscan verified): uses constructor only, no initialize() function — three fee tiers pre-configured at deploy. SushiXSwapV2.sol (pragma 0.8.10): uses constructor(IRouteProcessor _rp, address _weth), no initialize(). No proxy-upgradeable pattern in core contracts means no unprotected initialize() risk. Kashi 2022 exploit was stale-oracle logic, not an initialize() re-entrancy.

Sources #

Etherscan
SushiV3Factory Etherscan sourceUniswapV3Factory source — constructor() sets 3 fee tiers; no initialize(); owner = deployerretrieved 2026-05-17
GitHub
SushiXSwapV2.sol raw sourceSushiXSwapV2.sol — constructor(IRouteProcessor _rp, address _weth); no initialize()retrieved 2026-05-17
Etherscan
SushiV2Factory Etherscan sourceUniswapV2Factory source — constructor(_feeToSetter) only; no initialize() functionretrieved 2026-05-17

Methodology #

Determine whether any implementation contract exposes `initialize(…)` without the OpenZeppelin `initializer` modifier or equivalent initialization lock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-022 score green collected_at 2026-05-16 19:50:37