defirisk.co
rubric v1.7.0

Reentrancy guard on external-calling functions

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor assesses whether all functions that perform an external call before completing state updates carry a nonReentrant modifier or an equivalent reentrancy guard. The assessment is performed by static analysis: for each function containing an external CALL or DELEGATECALL opcode, the tool verifies whether a reentrancy lock (storage slot or transient storage flag) is set before the call and cleared after. Functions that follow strict Checks-Effects-Interactions ordering without a lock are reviewed manually.
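The per-function check described above, written out as an added illustration (this is not defirisk's tooling and does not operate on real EVM bytecode or Slither's IR). It walks a constructed, simplified per-function opcode trace, looks for a reentrancy flag raised before the first external call and lowered after the last one, and, where no complete lock exists, reports whether any other state is written after the call (a Checks-Effects-Interactions violation) or whether the function only needs the manual review the methodology mentions. The trace format, the `slot_lock` / `slot_balance` slot names and the four sample functions are assumptions of this example.

```python
from dataclasses import dataclass

# Opcodes treated as external calls, as in the methodology above.
EXTERNAL_CALL_OPS = {"CALL", "DELEGATECALL"}
# Storage writes: persistent (SSTORE) or transient (TSTORE, EIP-1153).
STORE_OPS = {"SSTORE", "TSTORE"}

# Constructed trace format (an assumption of this example, not Slither's IR):
# each op is a (mnemonic, slot, value) tuple; slot/value are None when unused.


@dataclass(frozen=True)
class Verdict:
    function: str
    status: str   # guarded | cei_manual_review | unguarded | no_external_call
    detail: str


def analyze_function(name: str, ops: list, lock_slot: str) -> Verdict:
    """Classify one function's trace against the lock / CEI rules."""
    call_positions = [i for i, (op, _, _) in enumerate(ops) if op in EXTERNAL_CALL_OPS]
    if not call_positions:
        return Verdict(name, "no_external_call", "no CALL/DELEGATECALL in body")
    first_call, last_call = call_positions[0], call_positions[-1]

    def lock_write(segment, value):
        return any(op in STORE_OPS and slot == lock_slot and val == value
                   for op, slot, val in segment)

    # A guard only counts when the flag is raised before the first call
    # and lowered again after the last one.
    if lock_write(ops[:first_call], 1) and lock_write(ops[last_call + 1:], 0):
        return Verdict(name, "guarded", "lock set before first call, cleared after last")

    # No complete lock: any non-lock state write after the first call breaks CEI.
    late_writes = sorted({slot for op, slot, _ in ops[first_call + 1:]
                          if op in STORE_OPS and slot != lock_slot})
    if late_writes:
        return Verdict(name, "unguarded", f"state written after external call: {late_writes}")
    return Verdict(name, "cei_manual_review", "effects precede interaction; no lock present")


def analyze_contract(functions: dict, lock_slot: str = "slot_lock") -> dict:
    """Map every function name to its status string."""
    return {name: analyze_function(name, ops, lock_slot).status
            for name, ops in functions.items()}


# Constructed sample traces (not real bytecode of any scored protocol).
SAMPLE_FUNCTIONS = {
    "withdrawGuarded": [
        ("SSTORE", "slot_lock", 1),
        ("SLOAD", "slot_balance", None),
        ("SSTORE", "slot_balance", 0),
        ("CALL", None, None),
        ("SSTORE", "slot_lock", 0),
    ],
    "withdrawCEI": [
        ("SLOAD", "slot_balance", None),
        ("SSTORE", "slot_balance", 0),
        ("CALL", None, None),
    ],
    "withdrawVulnerable": [
        ("SLOAD", "slot_balance", None),
        ("CALL", None, None),           # a callback can re-enter here
        ("SSTORE", "slot_balance", 0),  # balance zeroed only after the call
    ],
    "balanceOf": [
        ("SLOAD", "slot_balance", None),
    ],
}

if __name__ == "__main__":
    for fn, status in analyze_contract(SAMPLE_FUNCTIONS).items():
        print(f"{fn:20s} {status}")
```

`withdrawCEI` is deliberately reported as `cei_manual_review` rather than as a finding: a function whose only state write precedes its external call is safe by ordering alone, and the rubric leaves that judgement to a reviewer instead of the lock heuristic.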

**Why it matters** Reentrancy is the most persistently exploited vulnerability class in DeFi history, accounting for approximately 15 hacks in the T-01 evidence inventory. The Compound fork reentrancy pattern -- where a callback token triggers a reentrant borrow or exitMarket() before the protocol updates the caller's balance -- was exploited four times across Cream Finance, Voltage/Ola, Hundred Finance, and Fei/Rari Fuse. Each time, the same CEI violation was present in a different fork of the same codebase. The nonReentrant guard is a low-cost, high-coverage defense that eliminates the entire callback-reentrancy class; its absence on externally-calling functions is a clear code quality gap.

**Green / Yellow / Red** Green: all functions that make external calls before completing state updates carry nonReentrant or equivalent guards, confirmed by static analysis of deployed bytecode. Yellow: reentrancy guards are present on primary fund-moving functions but absent on peripheral functions (e.g., reward claims, fee collection) that make external calls. Red: any function that moves user funds or updates critical accounting state makes an external call before completing state updates without a reentrancy guard.

**Common gray cases** Reentrancy guards are not meaningful for protocols with no external call paths (pure computation contracts). This factor is gray for simple token contracts or non-interactive computation modules.

**Notable historical examples**

- **Compound Finance** ($147M, 2021): Permissionless state-refill function without reentrancy guard enabled the drip() attack.
- **Makina Finance** ($4.13M, 2026): Reentrancy guard absent on permissionless state update function using external pool state.

Measurement: what to look for

Determine whether all state-mutating functions that perform external calls carry `nonReentrant` or an equivalent reentrancy guard.

Data & output

**Data source** Slither `reentrancy-eth` + `reentrancy-no-eth` detectors on Etherscan-verified source

**Output format** Green / Yellow / Red

**Evidence artifact** Slither output JSON + list of flagged function names

**Confidence signal** green = 0 reentrancy findings; yellow = findings present but only in low-TVL peripheral contracts; red = reentrancy finding in core (borrow/withdraw/mint) function; gray = source unverified
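An added example of turning the evidence artifact into the confidence signal described above and the Green / Yellow / Red bands in the methodology. It is not defirisk's scoring code. It reads a report in the shape Slither's `--json` output uses (`results.detectors[].check` and function-typed `elements` whose `type_specific_fields.parent` names the contract), keeps only the two reentrancy detectors, and scores red when a flagged function sits in a reviewer-supplied core contract or carries a borrow/withdraw/mint name, yellow otherwise, green with no findings, and gray when the source is unverified. The `core_contracts` input, the `CORE_FUNCTION_HINTS` name matching and the three sample reports are assumptions constructed for this example.

```python
import json

# Slither detector ids the rubric relies on (from "Data source" above).
REENTRANCY_DETECTORS = {"reentrancy-eth", "reentrancy-no-eth"}
# Function-name hints for "core" fund-moving paths (from the confidence-signal text above).
CORE_FUNCTION_HINTS = ("borrow", "withdraw", "mint")


def load_report(path: str) -> dict:
    """Read a Slither `--json` report from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def flagged_functions(report: dict) -> list:
    """Return sorted (contract, function, detector) triples for reentrancy findings."""
    found = set()
    for finding in report.get("results", {}).get("detectors", []):
        if finding.get("check") not in REENTRANCY_DETECTORS:
            continue
        for element in finding.get("elements", []):
            if element.get("type") != "function":
                continue  # node / contract elements carry no extra function to list
            parent = element.get("type_specific_fields", {}).get("parent", {})
            found.add((parent.get("name", "<unknown>"),
                       element.get("name", "<unknown>"),
                       finding["check"]))
    return sorted(found)


def score_factor(report: dict, source_verified: bool, core_contracts: set) -> tuple:
    """Map findings to the rubric's green / yellow / red / gray signal.

    `core_contracts` is the reviewer-supplied set of contracts holding the
    protocol's main TVL; everything else is treated as peripheral (assumption).
    """
    if not source_verified:
        return "gray", []
    flagged = flagged_functions(report)
    if not flagged:
        return "green", flagged
    for contract, function, _ in flagged:
        if contract in core_contracts or any(h in function.lower() for h in CORE_FUNCTION_HINTS):
            return "red", flagged
    return "yellow", flagged


def _finding(check: str, contract: str, function: str) -> dict:
    # Builds one finding in the nested shape Slither emits (contract as the function's parent).
    return {"check": check, "impact": "High", "confidence": "Medium",
            "elements": [{"type": "function", "name": function,
                          "type_specific_fields": {"parent": {"type": "contract", "name": contract}}},
                         {"type": "node", "name": "msg.sender.call{value: amt}()"}]}


# Constructed sample reports, not output from any scored protocol.
REPORT_CLEAN = {"success": True, "results": {"detectors": []}}
REPORT_PERIPHERAL = {"success": True, "results": {"detectors": [
    _finding("reentrancy-no-eth", "RewardDistributor", "claimRewards")]}}
REPORT_CORE = {"success": True, "results": {"detectors": [
    _finding("reentrancy-no-eth", "RewardDistributor", "claimRewards"),
    _finding("reentrancy-eth", "LendingPool", "withdraw")]}}

if __name__ == "__main__":
    for label, report in [("clean", REPORT_CLEAN), ("peripheral", REPORT_PERIPHERAL), ("core", REPORT_CORE)]:
        colour, flagged = score_factor(report, True, {"LendingPool"})
        print(f"{label:10s} {colour:6s} {flagged}")
```

The flagged list returned alongside the colour is the "list of flagged function names" evidence artifact; keeping it with the score lets a reviewer see which peripheral contract produced a yellow rather than trusting the colour alone.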

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-014 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | green |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | yellow |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | gray |
| Orca | solana | gray |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | green |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | gray |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | gray |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | yellow |

Linked hacks: 2 historical incidents

- related: **Makina Finance**, 2026-01-20, $4M. Permissionless share price oracle update (updateTotalAum) + flash loan Curve pool manipulation → share price inflation → LP drain. Linked as: Reentrancy guard absence [via cross-hack: Factor 14: Public Permissionless Functions That Can Re-Trigger Vulnerable State].
- illustrative: **Compound Finance**, 2021-09-29, $147M. Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir. Linked as: Reentrancy guard absence [via cross-hack: Factor 14: Public Permissionless Functions That Can Re-Trigger Vulnerable State].

rubric_version: v1.7.0 · factor: RD-F-014 · category: 1 · carried: 80 · critical: no