Reentrancy guard on external-calling functions

Axelar Network's assessment for RD-F-014 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

AxelarGateway implements CEI pattern (mark-as-executed-first) rather than nonReentrant modifier. Code4rena 2023-07 found a reentrancy HIGH in ITS expressReceiveTokenWithData, which was remediated; Ackee 2025-01 post-remediation confirms fix. Current gateway core uses mark-before-execute for reentrancy protection. Yellow: historical high finding since resolved, and custom CEI approach without explicit nonReentrant guard.

Sources #

Audit
Ackee 2025-01 ITS Post-Remediation AuditAckee 2025-01 ITS audit confirming post-remediation stateretrieved 2026-05-17
Audit
Code4rena 2023-07 Axelar - Reentrancy High FindingCode4rena 2023-07: HIGH reentrancy in expressReceiveTokenWithDataretrieved 2026-05-17

Methodology #

Determine whether all state-mutating functions that perform external calls carry `nonReentrant` or an equivalent reentrancy guard.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol axelar factor RD-F-014 score yellow collected_at 2026-05-16 21:57:49