defirisk.co
rubric v1.7.0

Constructor calls _disableInitializers()

Wormhole's assessment for RD-F-023 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Wormhole EVM implementation contracts do not call `_disableInitializers()` (OZ pattern introduced in OZ 4.6+). They use their own `initializer` modifier pattern instead, which achieves the same end goal by checking the implementation address against a mapping. The custom pattern was the root of the 2022 Immunefi finding (state could be cleared) but is now properly initialized. The absence of `_disableInitializers()` means the OZ canonical defense pattern is not in place; however the functiona...

Sources

  • Curator note
    Extracted from 01-code-security.md — RD-F-023 finding; no URL cited in original; retrieved 2026-04-28

Methodology

Determine whether implementation contract constructors call `_disableInitializers()` to prevent re-initialization of the implementation directly.
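
One way to run this check, as an added example (not the curator's tooling and not Wormhole's code): a heuristic Python scan over Solidity source that reports, per contract, whether the constructor calls `_disableInitializers()`, whether the contract instead defines its own `initializer` modifier, or neither. The Solidity sample, the contract names and the three status labels are constructed for illustration.

```python
import re

# Constructed Solidity input for illustration; not Wormhole or OpenZeppelin source.
SAMPLE = r'''
contract VaultV1 is Initializable {
    constructor() { _disableInitializers(); }
    function initialize(address o) external initializer { owner = o; }
}
contract BridgeImpl {
    mapping(address => bool) initializedImplementations;
    modifier initializer() {
        require(!initializedImplementations[impl()], "already initialized");
        initializedImplementations[impl()] = true;
        _;
    }
}
contract Helper {
    constructor() {
        // TODO: _disableInitializers();
        owner = msg.sender;
    }
}
'''

def block_at(src, open_idx):
    """Return the text inside the brace block that opens at src[open_idx]."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced input: take the rest

def audit(src):
    """Map contract name -> status label. Heuristic: braces or '//' inside
    string literals would confuse it; the labels are this example's own."""
    src = re.sub(r'//[^\n]*|/\*.*?\*/', '', src, flags=re.S)  # drop comments
    report = {}
    for m in re.finditer(r'\bcontract\s+(\w+)[^{;]*\{', src):
        body = block_at(src, m.end() - 1)
        ctor = re.search(r'\bconstructor\s*\([^)]*\)[^{;]*\{', body)
        ctor_body = block_at(body, ctor.end() - 1) if ctor else ''
        if re.search(r'\b_disableInitializers\s*\(\s*\)', ctor_body):
            report[m.group(1)] = 'constructor-locked'
        elif re.search(r'\bmodifier\s+initializer\b', body):
            report[m.group(1)] = 'custom-guard'  # review the modifier by hand
        else:
            report[m.group(1)] = 'unlocked'
    return report

print(audit(SAMPLE))
```

A `custom-guard` result corresponds to the situation the evidence summary describes: no canonical constructor lock is present, so the custom modifier has to be reviewed on its own merits.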


rubric_version v1.7.0 protocol wormhole factor RD-F-023 score yellow collected_at 2026-04-28 01:38:43