F-2025-0010·missing-disable-initializers

Missing initializer protection enables potential initialization hijacking

Fixed · stakingnft-boostrewards
TL;DR

The upgradeable StakingContract implementation is missing _disableInitializers() in its constructor, so the implementation contract itself (rather than only the proxy) can be initialized directly.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW
Description

This issue was raised during the mitigation period while reviewing F-2025-0007.

The upgradeable StakingContract implementation is missing the _disableInitializers() call in its constructor.

When using the transparent proxy pattern with OpenZeppelin's upgradeable contracts, the implementation contract should have its initializers disabled to prevent attackers from directly initialising the implementation contract (not the proxy).

Without this protection, an attacker could potentially:

  1. Call initialize() directly on the implementation contract.
  2. Set themselves as the owner of the implementation.
  3. Potentially cause confusion or interfere with proxy operations.
Recommendation

Add a constructor that disables initializers:

```solidity
/// @custom:oz-upgrades-unsafe-allow constructor
constructor() {
    _disableInitializers();
}
```
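To make the description and the recommendation concrete, the following is an added example and not the audited StakingContract or any Zealynx or Ample Protocol code. It assumes OpenZeppelin Contracts v5.x at the import paths shown; the contract names (StakingImplUnprotected, StakingImplProtected, InitializerCheck) and the token address are hypothetical. It deploys an implementation without the constructor, shows that a direct initialize() call on it succeeds and hands ownership of the implementation to the caller, then deploys the fixed implementation, shows that the same direct call reverts, and finally shows that initialization through a TransparentUpgradeableProxy still works because the proxy keeps its own Initializable storage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the audited StakingContract). Assumes OpenZeppelin Contracts v5.x
// at these import paths; all contract names and addresses below are hypothetical.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {TransparentUpgradeableProxy} from "@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol";

/// Implementation as found: no constructor, so the implementation's own storage
/// still holds initialized version 0 and initialize() can be called on it directly.
contract StakingImplUnprotected is Initializable, OwnableUpgradeable {
    address public stakingToken;

    function initialize(address token, address owner_) external initializer {
        __Ownable_init(owner_);
        stakingToken = token;
    }
}

/// Implementation with the recommended fix: the constructor runs once, in the
/// implementation's own storage context, and locks every initializer there.
/// The proxy has separate storage, so initializing through the proxy still works.
contract StakingImplProtected is Initializable, OwnableUpgradeable {
    address public stakingToken;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address token, address owner_) external initializer {
        __Ownable_init(owner_);
        stakingToken = token;
    }
}

/// Deploys both variants and reports what a direct call to initialize() does.
contract InitializerCheck {
    address constant TOKEN = address(0xBEEF); // constructed placeholder token address

    function run()
        external
        returns (bool unprotectedHijacked, bool protectedLocked, address ownerViaProxy)
    {
        // 1. Unprotected implementation: the first caller becomes its owner.
        StakingImplUnprotected u = new StakingImplUnprotected();
        u.initialize(TOKEN, msg.sender);
        unprotectedHijacked = (u.owner() == msg.sender);

        // 2. Protected implementation: initialize() reverts with InvalidInitialization()
        //    because _disableInitializers() set the implementation's version to max.
        StakingImplProtected p = new StakingImplProtected();
        try p.initialize(TOKEN, msg.sender) {
            protectedLocked = false;
        } catch {
            protectedLocked = true;
        }

        // 3. The proxy still initializes normally: the Initializable version it checks
        //    lives in the proxy's storage, not in the implementation's locked storage.
        TransparentUpgradeableProxy proxy = new TransparentUpgradeableProxy(
            address(p),
            msg.sender, // initial owner of the ProxyAdmin that v5 deploys internally
            abi.encodeCall(StakingImplProtected.initialize, (TOKEN, msg.sender))
        );
        ownerViaProxy = StakingImplProtected(address(proxy)).owner();
    }
}
```

Deploying InitializerCheck and calling run() from any account returns (true, true, caller): the unprotected implementation was claimed by the caller, the protected one refused the direct call, and the proxy-backed instance was initialized as intended. The same split (revert on the implementation, success through the proxy) is what a reviewer should verify after the fix lands, for example with a Foundry test that expects InvalidInitialization() on the implementation address.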
Resolution

Ample Protocol: Fixed.

Zealynx: Verified.

Status: Fixed

© 2026 Zealynx