test(reentrancy): ERC1155-callback reentrancy regression for both vault types #325

Open: thedavidmeister wants to merge 1 commit into main from 2026-06-21-issue-316-reentrancy-tests

@thedavidmeister

Collaborator

Summary

Adds fuzz-backed reentrancy regression tests covering the ERC1155 acceptance-callback surface documented in issue #316 (rows 1/2/7 of the master reentrancy call-site table).

  • OffchainAssetReceiptVault.reentrant.t.sol:
      • testDepositReentrancyGuardFires — a malicious receiver that re-enters vault.deposit from inside onERC1155Received is blocked by the nonReentrant guard; the outer deposit reverts with ReentrancyGuardReentrantCall.
      • testDepositSucceedsWithNonReentrantReceiver — positive control confirming the setup is valid.
  • ERC20PriceOracleReceiptVault.reentrant.t.sol: same two tests for the oracle vault variant, exercising the base _beforeDeposit ERC20 transfer path in addition to the receipt callback.

Both tests run 256 fuzz rounds locally (all pass).

No production code changes — test-only addition.

Closes #316

Test plan

  • forge test --match-path "test/src/concrete/vault/*reentrant*" — 4/4 pass, 256 fuzz rounds each
  • CI rainix-sol/test green
  • CI copy-artifacts green (no artifact changes)

🤖 Generated with Claude Code

…r both vaults

Adds fuzz-backed regression tests for the reentrancy surface documented in
issue #316 (rows 1/2/7 of the master call-site table): a malicious receiver
that re-enters vault.deposit from inside onERC1155Received is rejected by the
nonReentrant guard; the outer deposit reverts with ReentrancyGuardReentrantCall.
Positive-control test confirms the same setup deposits successfully when the
receiver is not reentrant. Covers OffchainAssetReceiptVault and
ERC20PriceOracleReceiptVault. Closes #316.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@thedavidmeister thedavidmeister self-assigned this Jun 21, 2026
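
Added example, not code from this PR or the project: a minimal Foundry sketch of the pattern the PR description and commit message describe, a receiver that re-enters deposit from inside onERC1155Received, with the positive control beside it. ToyVault, Receiver and IReceiver are hypothetical stand-ins, and the guard is hand-rolled, reusing only the error name ReentrancyGuardReentrantCall.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.25;
import {Test} from "forge-std/Test.sol";

// Constructed toy contracts (hypothetical); not the project's vaults or tests.
error ReentrancyGuardReentrantCall();
interface IReceiver {
    function onERC1155Received(address, address, uint256, uint256, bytes calldata) external returns (bytes4);
}
contract ToyVault {
    bool private entered;
    mapping(address => uint256) public receipts;
    modifier nonReentrant() {
        if (entered) revert ReentrancyGuardReentrantCall();
        entered = true;
        _;
        entered = false;
    }
    // Credits a receipt, then runs the acceptance callback while the guard is still held.
    function deposit(uint256 amount, address receiver) external nonReentrant {
        receipts[receiver] += amount;
        bytes4 ret = IReceiver(receiver).onERC1155Received(msg.sender, address(0), 1, amount, "");
        require(ret == IReceiver.onERC1155Received.selector, "receiver rejected");
    }
}
contract Receiver is IReceiver {
    ToyVault private immutable vault;
    bool private immutable reenter;
    constructor(ToyVault v, bool r) { vault = v; reenter = r; }
    // Re-enters deposit from inside the callback when constructed with r == true.
    function onERC1155Received(address, address, uint256, uint256 amount, bytes calldata) external returns (bytes4) {
        if (reenter) vault.deposit(amount, address(this));
        return IReceiver.onERC1155Received.selector;
    }
}

contract ToyVaultReentrantTest is Test {
    ToyVault private vault = new ToyVault();
    // The inner revert is not caught by the receiver, so it bubbles up to the outer deposit.
    function testDepositReentrancyGuardFires(uint256 amount) external {
        address bad = address(new Receiver(vault, true));
        vm.expectRevert(ReentrancyGuardReentrantCall.selector);
        vault.deposit(amount, bad);
    }
    // Positive control: same setup, receiver does not re-enter, deposit is credited.
    function testDepositSucceedsWithNonReentrantReceiver(uint256 amount) external {
        address good = address(new Receiver(vault, false));
        vault.deposit(amount, good);
        assertEq(vault.receipts(good), amount);
    }
}
```

The positive control matters because without it the revert test would also pass if deposit reverted for an unrelated setup reason.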
@coderabbitai

coderabbitai Bot commented Jun 21, 2026

Contributor

Warning

Review limit reached

@thedavidmeister, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 24 minutes and 43 seconds. Learn how PR review limits work.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0a209176-f1c1-4d4f-bd5d-5a0cbe989ef2

📥 Commits

Reviewing files that changed from the base of the PR and between 8f68b12 and 1d086b8.

📒 Files selected for processing (3)
  • .pre-commit-config.yaml
  • test/src/concrete/vault/ERC20PriceOracleReceiptVault.reentrant.t.sol
  • test/src/concrete/vault/OffchainAssetReceiptVault.reentrant.t.sol
Development

Successfully merging this pull request may close these issues.

Reentrancy audit report (full call-site table) — guide for reentrancy test coverage