
CVE-2025-53638: CWE-754: Improper Check for Unusual or Exceptional Conditions in Vectorized solady

Severity: Medium
Tags: Vulnerability, CVE-2025-53638, CWE-754
Published: Thu Jul 17 2025 (07/17/2025, 17:54:40 UTC)
Source: CVE Database V5
Vendor/Project: Vectorized
Product: solady

Description

Solady is software that provides Solidity snippets with APIs. Starting in version 0.0.125 and prior to version 0.1.24, when an account is deployed via a proxy, using regular Solidity to call its initialization function may result in a silent failure if the initialization function does not return a `bool` or some other return data. This is because regular Solidity uses `extcodesize(proxy)` to decide whether the call succeeds. This is insufficient in the case when the proxy points to an empty implementation. Users should upgrade to Solady v0.1.24 or later to receive a patch. Deploy any affected implementations and their factories on new EVM chains as soon as possible.

AI-Powered Analysis

Last updated: 07/17/2025, 18:16:14 UTC

Technical Analysis

CVE-2025-53638 is a medium severity vulnerability affecting Solady, a collection of Solidity snippets and APIs maintained by Vectorized. It affects versions from 0.0.125 up to, but not including, 0.1.24. The issue arises when an account is deployed behind a proxy and its initialization function is invoked through an ordinary high-level Solidity call. If that initialization function returns no value (no `bool` or other return data), the call can fail silently. The reason lies in how the Solidity compiler guards an external call that expects no return data: it checks `extcodesize` of the call target, which here is the proxy, and treats the call as successful as long as the target has code and the call does not revert. The proxy does have code, so that check passes. The proxy then delegatecalls into its implementation address, and if that address holds no code (for example, because the implementation has not yet been deployed at its deterministic address on that chain), the delegatecall returns success with empty return data. Because no return value is expected, nothing forces the caller to notice that the initializer never ran. The deployment transaction appears to succeed while the account is left uninitialized, which can leave the initializer callable by a third party later or leave the contract unable to perform its intended functions. The vulnerability is classified under CWE-754, Improper Check for Unusual or Exceptional Conditions. The fix is to upgrade to Solady v0.1.24 or later. The advisory also urges deploying any affected implementations and their factories on new EVM chains as soon as possible, so that no proxy on those chains points at an implementation address that is still empty. The CVSS 4.0 score is 6.9 (medium), with no privileges required, no user interaction, and a network attack vector. The impact primarily affects the integrity and reliability of deployments that use Solady proxies with initialization functions that return no data.

Potential Impact

For European organizations involved in blockchain development, decentralized finance (DeFi), or any application that deploys smart contracts on EVM-compatible chains, this vulnerability is a meaningful risk. A silently failed initialization leaves a contract deployed without its intended setup: ownership, access control, and any other state the initializer was supposed to write are missing. This can expose the contract to unauthorized access (an initializer that remains callable by anyone), logic errors, or an inability to perform critical functions, with financial loss, reputational damage, and regulatory scrutiny as possible consequences. Because the flaw affects proxy-based deployments, a common pattern for upgradeable and factory-deployed contracts, many projects using Solady could be affected if they have not upgraded. The absence of any revert or error also makes failed initializations hard to detect after the fact, which complicates incident response and forensic analysis. No exploits in the wild are known at the time of writing, but the medium severity and the absence of any authentication requirement mean an attacker could exploit this flaw to disrupt contract operations or manipulate contract state.

Mitigation Recommendations

1. Upgrade to Solady v0.1.24 or later in all projects using affected versions (>=0.0.125 and <0.1.24).
2. Deploy any affected implementations and their factory contracts on every EVM chain where proxies may be created, so that no proxy on those chains points at an implementation address that is still empty; as the advisory recommends, do this on new chains as soon as possible.
3. Add verification to deployment scripts and factories to confirm that initialization actually ran: have the initializer return a value (Solidity then ABI-decodes the return data and reverts if it is missing), check that the implementation address has code before initializing through the proxy, and emit an event that signals successful setup.
4. Audit existing deployments to identify proxies whose initialization may have failed silently, and assess their state and security posture (for example, whether the initializer is still callable).
5. In future development, do not treat the compiler's `extcodesize` check on the proxy address as proof that the implementation executed; prefer patterns that give explicit success feedback, such as return values or an explicit return-data check on low-level calls.
6. Monitor on-chain activity for anomalous transactions related to Solady-based proxy deployments to detect exploitation attempts early.
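The following Solidity file is an added example, written for this page; it is not Solady's code and not part of the CVE advisory. It reproduces the mechanism described under Technical Analysis and the verification recommended under Mitigation Recommendations (items 3 and 5): a factory that initializes an account through a high-level call to a proxy whose implementation address holds no code, beside a hardened factory that checks for code at the implementation and demands a return value from the initializer. All contract and function names (`MinimalProxy`, `VulnerableFactory`, `HardenedFactory`, `AccountV2`, `Demo`) are hypothetical; `MinimalProxy` is a simplified stand-in for an ERC-1967-style proxy, and `EMPTY_IMPL` is an arbitrary address that is assumed to hold no code on the chain where this is run.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Stand-in for an ERC-1967-style proxy (constructed for this example, not
/// Solady's). Every call is forwarded to `implementation` with DELEGATECALL.
contract MinimalProxy {
    address public immutable implementation;
    constructor(address implementation_) {
        implementation = implementation_;
    }

    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            // If `impl` has no code, DELEGATECALL returns 1 with empty return
            // data, so the proxy reports success although nothing executed.
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}

/// Vulnerable initializer shape (nothing to decode) and hardened shape (a bool
/// the caller must ABI-decode, which fails on empty return data).
interface IAccount { function initialize(address owner_) external; }
interface IAccountV2 { function initialize(address owner_) external returns (bool); }

/// Account implementation with the hardened initializer (hypothetical contract).
contract AccountV2 is IAccountV2 {
    address public owner;

    function initialize(address owner_) external returns (bool) {
        require(owner == address(0), "already initialized");
        owner = owner_;
        return true;
    }
}

/// Factory that initializes through a high-level Solidity call.
contract VulnerableFactory {
    address public immutable implementation; // may have no code on this chain yet

    constructor(address implementation_) { implementation = implementation_; }

    function createAccount(address owner) external returns (address proxy) {
        proxy = address(new MinimalProxy(implementation));
        // Solidity only checks extcodesize(proxy) here. The proxy has code, so the
        // call goes through; the delegatecall to the empty implementation
        // "succeeds" and, with no return value, there is nothing to decode.
        IAccount(proxy).initialize(owner); // silent no-op: owner is never set
    }
}

/// Factory with the two checks a practitioner would add.
contract HardenedFactory {
    address public immutable implementation;
    constructor(address implementation_) { implementation = implementation_; }

    function createAccount(address owner) external returns (address proxy) {
        // Check 1: refuse to deploy until the implementation exists on this chain.
        require(implementation.code.length != 0, "implementation not deployed");
        proxy = address(new MinimalProxy(implementation));
        // Check 2: demand return data. Solidity ABI-decodes the bool and reverts
        // when returndatasize() is 0, so an empty target cannot pass silently.
        require(IAccountV2(proxy).initialize(owner), "initialize failed");
    }
}

/// Drives both factories against an address that has no code (constructed).
contract Demo {
    address constant EMPTY_IMPL =
        address(uint160(uint256(keccak256("not deployed on this chain"))));

    /// Vulnerable path: returns (true, 0). createAccount did not revert, yet
    /// owner() through the proxy yields no data: nothing ever ran behind it.
    function silentFailure() external returns (bool ok, uint256 returnDataLength) {
        VulnerableFactory f = new VulnerableFactory(EMPTY_IMPL);
        address proxy = f.createAccount(msg.sender);
        bytes memory ret;
        (ok, ret) = proxy.staticcall(abi.encodeWithSignature("owner()"));
        returnDataLength = ret.length;
    }

    /// Hardened path against the same empty implementation: createAccount reverts.
    function hardenedRejectsEmptyImpl() external returns (bool reverted) {
        HardenedFactory f = new HardenedFactory(EMPTY_IMPL);
        try f.createAccount(msg.sender) { reverted = false; } catch { reverted = true; }
    }

    /// Hardened path with a real implementation: the owner is actually recorded.
    function hardenedWorks() external returns (address ownerAfterInit) {
        HardenedFactory f = new HardenedFactory(address(new AccountV2()));
        ownerAfterInit = AccountV2(f.createAccount(msg.sender)).owner();
    }
}
```

Deploy `Demo` on a local node and call its three functions: `silentFailure()` returns `(true, 0)`, showing a deployment transaction that succeeded while the initializer never executed; `hardenedRejectsEmptyImpl()` returns `true` because Check 1 reverts before any proxy is created; `hardenedWorks()` returns the caller's address, showing that the same hardened factory behaves normally once the implementation has code. Check 2 is what the advisory's "return a `bool` or some other return data" amounts to: it only helps when the initializer actually returns something, so for an initializer that returns nothing the code-length check on the implementation is the one that matters. Note that `MinimalProxy` keeps its implementation address in an immutable rather than in storage so that slot 0 stays free for the implementation's `owner`.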


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-07T14:20:38.390Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68793a67a83201eaace7e22c

Added to database: 7/17/2025, 6:01:11 PM

Last enriched: 7/17/2025, 6:16:14 PM

Last updated: 7/30/2025, 3:11:04 PM

