test(reentrancy): ERC1155-callback reentrancy regression for both vault types#325
test(reentrancy): ERC1155-callback reentrancy regression for both vault types#325thedavidmeister wants to merge 1 commit into
Conversation
…r both vaults Adds fuzz-backed regression tests for the reentrancy surface documented in issue #316 (rows 1/2/7 of the master call-site table): a malicious receiver that re-enters vault.deposit from inside onERC1155Received is rejected by the nonReentrant guard; the outer deposit reverts with ReentrancyGuardReentrantCall. Positive-control test confirms the same setup deposits successfully when the receiver is not reentrant. Covers OffchainAssetReceiptVault and ERC20PriceOracleReceiptVault. Closes #316. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 24 minutes and 43 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary
Adds fuzz-backed reentrancy regression tests covering the ERC1155 acceptance-callback surface documented in issue #316 (rows 1/2/7 of the master reentrancy call-site table).
OffchainAssetReceiptVault.reentrant.t.sol:testDepositReentrancyGuardFires— a malicious receiver that re-entersvault.depositfrom insideonERC1155Receivedis blocked by thenonReentrantguard; the outer deposit reverts withReentrancyGuardReentrantCall.testDepositSucceedsWithNonReentrantReceiver— positive control confirming the setup is valid.ERC20PriceOracleReceiptVault.reentrant.t.sol: same two tests for the oracle vault variant, exercising the base_beforeDepositERC20 transfer path in addition to the receipt callback.Both tests run 256 fuzz rounds locally (all pass).
No production code changes — test-only addition.
Closes #316
Test plan
forge test --match-path "test/src/concrete/vault/*reentrant*"— 4/4 pass, 256 fuzz rounds each🤖 Generated with Claude Code