Skip to content

[PT1-279] added maker to _reentrancyLocks mapping#25

Merged
BoogerWooger merged 1 commit intomainfrom
fix/aqua-app-reentrancy
Dec 23, 2025
Merged

[PT1-279] added maker to _reentrancyLocks mapping#25
BoogerWooger merged 1 commit intomainfrom
fix/aqua-app-reentrancy

Conversation

@Sunnesoft
Copy link
Contributor

No description provided.

@Sunnesoft Sunnesoft requested a review from Copilot December 5, 2025 15:03
@claude
Copy link

claude bot commented Dec 5, 2025

Claude finished @Sunnesoft's task —— View job


Code Review for PR #25: Added maker to _reentrancyLocks mapping

Todo List:

  • Read repository guidelines (CLAUDE.md)
  • Read and understand the modified files
  • Analyze the exact changes made
  • Check for security implications
  • Look for potential bugs or issues
  • Assess code quality and best practices
  • Check test coverage
  • Provide comprehensive review feedback

Summary

This PR adds the maker address as an additional key to the _reentrancyLocks mapping in AquaApp.sol, changing it from a single-level to a two-level mapping. This change provides per-maker reentrancy protection for strategies.

Changes Overview

  1. AquaApp.sol: Updated _reentrancyLocks mapping from mapping(bytes32 => TransientLock) to mapping(address => mapping(bytes32 => TransientLock))
  2. XYCSwap.sol: Updated modifier calls to include the strategy.maker parameter

Security Analysis ✅

Positive security improvements:

  • Enhanced isolation: Each maker now has their own reentrancy locks, preventing cross-maker reentrancy attacks
  • Strategy-specific protection: Maintains the existing per-strategy isolation while adding maker-level separation
  • Consistent validation: The _safeCheckAquaPush function correctly validates the lock state for the specific maker

This change improves security by ensuring that reentrancy locks are isolated per maker, preventing potential attack vectors where one maker's actions could interfere with another maker's strategy execution.

Code Quality Assessment

Strengths:

  • Clean and minimal changes
  • Consistent parameter ordering (maker first, then strategyHash)
  • Proper modifier usage maintained
  • Clear error handling preserved

Areas for improvement:

  1. Documentation: The comment on line 11-14 in AquaApp.sol should be updated to reflect the new signature:

    // Current: - modifier nonReentrantStrategy(keccak256(abi.encode(strategy)))
    // Should be: - modifier nonReentrantStrategy(strategy.maker, keccak256(abi.encode(strategy)))
  2. Migration considerations: If this contract is already deployed, existing integrations will break due to the changed modifier signature

Potential Issues

  1. Breaking change: This is a breaking change for any contracts inheriting from AquaApp that use the nonReentrantStrategy modifier
  2. Gas cost: Slightly increased gas cost due to additional storage slot access (minimal impact)

Test Coverage ⚠️

Critical finding: No test files were found for either AquaApp.sol or XYCSwap.sol. This is concerning for a security-critical component dealing with reentrancy protection.

Recommendation: Add comprehensive tests covering:

  • Multiple makers using the same strategy hash
  • Reentrancy attack scenarios
  • Edge cases with the new mapping structure
  • Integration tests for XYCSwap with multiple concurrent makers

Performance Considerations ✅

The additional mapping level adds minimal overhead:

  • One extra SLOAD/SSTORE per lock operation
  • Negligible impact on overall transaction cost
  • Benefits of improved security outweigh the minimal gas increase

Overall Assessment

This is a well-conceived security improvement that enhances isolation between different makers. The implementation is clean and consistent. However, the lack of test coverage for these critical components is a significant concern that should be addressed before merging.

Recommendations

  1. High priority: Add comprehensive test coverage for both AquaApp and XYCSwap
  2. Medium priority: Update the documentation comment in AquaApp.sol
  3. Consider: If this is a deployed contract, document the migration path for existing integrations

The changes themselves are solid and improve the security posture of the protocol. Once tests are added, this PR should be ready to merge.

Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds maker address isolation to the reentrancy lock mechanism by introducing a nested mapping structure. This prevents different makers from interfering with each other's reentrancy protection when using the same strategy hash.

  • Modified _reentrancyLocks from a single mapping to a nested mapping indexed first by maker address
  • Updated nonReentrantStrategy modifier to accept and use the maker address parameter
  • Updated all usage sites to pass the maker address to the modifier

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/AquaApp.sol Modified reentrancy lock mapping to be nested by maker address and updated modifier signature
examples/apps/XYCSwap.sol Updated swap function calls to pass maker address to the reentrancy modifier

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Sunnesoft Sunnesoft requested review from SevenSwen and k06a December 5, 2025 15:08
@galekseev galekseev changed the title added maker to _reentrancyLocks mapping [PT1-279] added maker to _reentrancyLocks mapping Dec 9, 2025
@BoogerWooger BoogerWooger merged commit 0c90876 into main Dec 23, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants