Reentrancy guard on external-calling functions
Wormhole's assessment for RD-F-014 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
`Bridge.sol` uses `ReentrancyGuard` from OpenZeppelin (confirmed via `Bridge.sol` source inspection showing `ReentrancyGuard` and `SafeERC20` patterns). CCTP bridge contracts confirmed to use the `nonReentrant` modifier on `transferTokensWithPayload`. The core bridge message publication path does not perform external calls before state writes in the identified code. No reentrancy-related findings in accessible audit summaries.
Sources
- Curator note: Extracted from 01-code-security.md — RD-F-014 finding; no URL cited in original; retrieved 2026-04-28
Methodology
Determine whether all state-mutating functions that perform external calls carry `nonReentrant` or an equivalent reentrancy guard.
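A first pass of this check can be automated. The following is an added example, not the curator's tooling or Wormhole's code: a heuristic Python scan that lists non-view functions containing an external-call pattern but no `nonReentrant` modifier. The `Vault` contract, the function names and the list of call patterns are constructed assumptions, and any hit still needs manual review.

```python
import re

# Heuristic markers of an external call (assumption: not exhaustive).
EXTERNAL_CALL = re.compile(
    r"\.(call|delegatecall|send|transfer|safeTransfer|safeTransferFrom)\s*[({]"
)
FUNC_HEADER = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")

# Constructed sample contract, for illustration only.
SAMPLE = '''
contract Vault is ReentrancyGuard {
    function deposit(uint256 amount) external nonReentrant {
        token.safeTransferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }
    function withdraw(uint256 amount) external {
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok);
        balances[msg.sender] -= amount;  // state write after the call
    }
    function setFee(uint256 newFee) external onlyOwner { fee = newFee; }
    function quote(address t) external view returns (uint256) {
        return oracle.price(t);
    }
}
'''

def function_bodies(source):
    """Yield (name, header_modifiers, body) for each implemented function."""
    for m in FUNC_HEADER.finditer(source):
        depth, i = 1, m.end()
        while depth and i < len(source):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), m.group(2), source[m.end():i - 1]

def unguarded_external_callers(source):
    """Names of non-view functions that make an external call without nonReentrant."""
    source = re.sub(r"//[^\n]*|/\*.*?\*/", "", source, flags=re.S)  # drop comments
    flagged = []
    for name, modifiers, body in function_bodies(source):
        words = set(re.findall(r"\w+", modifiers))
        if words & {"view", "pure"}:
            continue  # cannot mutate state, out of scope for this factor
        if EXTERNAL_CALL.search(body) and "nonReentrant" not in words:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(unguarded_external_callers(SAMPLE))
```

The scan does not recognise an "equivalent reentrancy guard" such as a custom lock modifier or strict checks-effects-interactions ordering, so flagged functions are candidates for review rather than findings.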