From f09f718d7ff28c9e6b22a38355e2c1b383b49b39 Mon Sep 17 00:00:00 2001
From: thedavidmeister
Date: Mon, 4 May 2026 17:04:40 +0400
Subject: [PATCH] enumerate LibFlow.flow reentrancy surface in NatSpec

The existing "responsibility of the caller" line is correct but a future
caller had to re-derive the surface from scratch. NatSpec now lists the
four entry points: interpreterStore.set, ERC721 onERC721Received,
ERC1155 onERC1155Received, and ERC777-style ERC20 callbacks via ERC1820.

Closes #309.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 src/lib/LibFlow.sol | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/lib/LibFlow.sol b/src/lib/LibFlow.sol
index 3bfe7ce9..07dc7fe1 100644
--- a/src/lib/LibFlow.sol
+++ b/src/lib/LibFlow.sol
@@ -142,7 +142,18 @@ library LibFlow { /// Processes a flow transfer. Firstly sets state for the interpreter on the /// interpreter store. Then processes the ERC20, ERC721 and ERC1155 transfers /// in the flow. Guarantees ordering of the transfers but DOES NOT prevent - /// reentrancy attacks. This is the responsibility of the caller. + /// reentrancy attacks. The caller MUST apply a reentrancy guard around any + /// entrypoint that reaches this function. The reentrancy surface is: + /// 1. `interpreterStore.set` — external call to an arbitrary store contract + /// chosen by the flow deployer. + /// 2. ERC721 `safeTransferFrom` — invokes `onERC721Received` on a contract + /// recipient. + /// 3. ERC1155 `safeTransferFrom` — invokes `onERC1155Received` on a contract + /// recipient. + /// 4. ERC20 `safeTransfer` / `safeTransferFrom` — non-reentrant for + /// compliant ERC20s, but ERC777 (which presents an ERC20 interface) + /// invokes `tokensToSend` on the sender and `tokensReceived` on the + /// recipient via the ERC1820 registry. /// `set` is skipped entirely when `kvs.length == 0`. Stores that need to /// observe every flow invocation (e.g. for audit logging) cannot rely on /// `set` being called for empty kvs.
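Review bot: Item 4 of the new NatSpec list gives false comfort with "non-reentrant for compliant ERC20s": every token address in a flow is untrusted external code chosen by the flow author, so `safeTransfer` / `safeTransferFrom` can reenter regardless of which standard the token claims to follow, and ERC777 hooks via ERC1820 are only the standardised case. Suggest rewording item 4 along the lines of "ERC20 `safeTransfer` / `safeTransferFrom`: any token contract may execute arbitrary code on transfer; ERC777 tokens in particular invoke `tokensToSend` on the sender and `tokensReceived` on the recipient via the ERC1820 registry", which keeps the concrete ERC777 detail from this hunk without implying that other tokens are safe. One smaller check on item 3: if the ERC1155 path anywhere uses `safeBatchTransferFrom`, the `onERC1155BatchReceived` hook should be listed next to `onERC1155Received` so the enumeration stays complete.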