security-enhance: add ReentrancyGuard to contracts

[adu-web3]

Description

closes: #28

slither complains about some reentrancy issues though most of external calls our contracts make are calling whitelisted token contracts. It's better that we add ReentrancyGuard to existing contracts, especially contracts that provide user facing functions and add nonReentrant modifier to those functions that would make external calls(to some ERC20 token, or even to layerzero endpoint).

Summary by CodeRabbit

• New Features

  • Enhanced security by integrating reentrancy protection across multiple contracts.

• Improvements

  • Implemented nonReentrant modifier in key functions to prevent reentrancy attacks.

• Security

  • Added ReentrancyGuardUpgradeable to various contracts for increased security measures.

[coderabbitai]

Warning

Review failed

The pull request is closed.

Walkthrough

The recent changes introduce the ReentrancyGuardUpgradeable contract to enhance security against reentrancy attacks across multiple contracts. Key functions within these contracts now use the nonReentrant modifier to prevent potential vulnerabilities. Changes impacted BaseRestakingController, Bootstrap, ClientChainGateway, ExocoreGateway, LSTRestakingController, and NativeRestakingController contracts, fortifying the protocol's integrity.

Changes

File	Change Summary
src/core/BaseRestakingController.sol	Inherited ReentrancyGuardUpgradeable, added nonReentrant to multiple functions
src/core/Bootstrap.sol	Added the __ReentrancyGuard_init_unchained() function
src/core/ClientChainGateway.sol	Added __ReentrancyGuard_init_unchained() to constructor and nonReentrant to addWhitelistTokens
src/core/ExocoreGateway.sol	Inherited ReentrancyGuardUpgradeable, added initializers, and nonReentrant to two functions
src/core/LSTRestakingController.sol	Inherited ReentrancyGuardUpgradeable, added nonReentrant to three functions
src/core/NativeRestakingController.sol	Added ReentrancyGuardUpgradeable, added nonReentrant to various functions

Sequence Diagram(s)

No sequence diagrams needed due to the nature of the changes.

Assessment against linked issues

Objective	Addressed	Explanation
Review and add reentrance guards to gateways (#28)	✅

Poem

In the world of code so bright,
Security took flight,
Guards set to watch the gate,
Reentrancy met its fate.
Functions now stand tall,
Safe and secure for all,
Cheers from the rabbit, big and small! 🐇🎉

---

Tip

Early access features: enabled

We are currently testing the following features in early access:

• OpenAI gpt-4o model for code reviews and chat: OpenAI claims that this model is better at understanding and generating code than the previous models. We seek your feedback over the next few weeks before making it generally available.

Note:

• You can enable or disable early access features from the CodeRabbit UI or by updating the CodeRabbit configuration file.
• Please join our Discord Community to provide feedback and report issues.
• OSS projects are currently opted into early access features by default.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between acf8d2f and 017a22a.

Files selected for processing (6)

• src/core/BaseRestakingController.sol (4 hunks)
• src/core/Bootstrap.sol (1 hunks)
• src/core/ClientChainGateway.sol (2 hunks)
• src/core/ExocoreGateway.sol (4 hunks)
• src/core/LSTRestakingController.sol (4 hunks)
• src/core/NativeRestakingController.sol (4 hunks)

Additional comments not posted (21)

src/core/LSTRestakingController.sol (5)

11-16: The inheritance of ReentrancyGuardUpgradeable is correctly implemented to enhance security against reentrancy attacks.

---

24-24: The addition of the nonReentrant modifier to the deposit function is appropriate given that it involves external calls and state changes which could be susceptible to reentrancy attacks.

---

41-41: The nonReentrant modifier on withdrawPrincipalFromExocore is correctly applied, protecting against potential reentrancy vulnerabilities during the withdrawal process.

---

56-56: Applying the nonReentrant modifier to withdrawRewardFromExocore is crucial for preventing reentrancy attacks during reward withdrawal operations.

---

72-72: The nonReentrant modifier on depositThenDelegateTo function ensures that the delegation process is protected against reentrancy, which is particularly important given the external interactions in this function.

src/core/BaseRestakingController.sol (4)

11-15: The inheritance of ReentrancyGuardUpgradeable in BaseRestakingController is correctly implemented, aligning with best practices for securing contracts against reentrancy attacks.

---

30-30: The nonReentrant modifier on the claim function is aptly added to safeguard the claiming process, which involves external calls and critical state changes.

---

50-50: Correct application of the nonReentrant modifier on delegateTo function to mitigate potential reentrancy issues during the delegation of responsibilities.

---

65-65: The inclusion of the nonReentrant modifier on undelegateFrom ensures the security of the undelegation process from reentrancy attacks, especially given the external interactions involved.

src/core/NativeRestakingController.sol (4)

11-16: Inheritance of ReentrancyGuardUpgradeable in NativeRestakingController is correctly implemented, ensuring enhanced security against reentrancy attacks.

---

27-27: The nonReentrant modifier on the stake function is appropriately added to protect the staking process from reentrancy vulnerabilities, especially given the external interactions and state changes involved.

---

64-64: Proper use of the nonReentrant modifier in depositBeaconChainValidator to secure the deposit process against potential reentrancy attacks.

---

81-81: The nonReentrant modifier is correctly applied to both processBeaconChainPartialWithdrawal and processBeaconChainFullWithdrawal, ensuring these sensitive operations are protected from reentrancy attacks.

Also applies to: 88-88

src/core/ClientChainGateway.sol (2)

87-87: The initialization of ReentrancyGuard (__ReentrancyGuard_init_unchained) in the ClientChainGateway constructor is correctly implemented, ensuring that the contract is protected from the start.

---

123-123: Application of the nonReentrant modifier on addWhitelistTokens is crucial for preventing reentrancy attacks during the token whitelisting process, which could involve multiple state changes and external interactions.

src/core/ExocoreGateway.sol (5)

25-25: Import of ReentrancyGuardUpgradeable is correctly placed and follows Solidity's best practices for import ordering.

---

31-31: Inheritance from ReentrancyGuardUpgradeable is correctly added to enable the use of the nonReentrant modifier in necessary functions.

---

65-65: The call to __ReentrancyGuard_init_unchained() is appropriately placed in the initialize function to ensure the reentrancy guard is initialized before any interactions.

---

100-100: The addition of the nonReentrant modifier to markBootstrapOnAllChains is crucial for preventing reentrancy attacks, especially since this function interacts with external contracts.

---

151-157: The application of the nonReentrant modifier to _lzReceive, an internal function overridden to handle incoming LayerZero messages, is a critical security enhancement. Ensure that any external interaction patterns within this function are reviewed for potential reentrancy vectors.

src/core/Bootstrap.sol (1)

84-84: The initialization of ReentrancyGuardUpgradeable in the initialize function of the Bootstrap contract is correctly implemented. This setup ensures that the reentrancy guard is active before any state-changing operations occur.

[MaxMustermann2]

Should we add a slither CI ?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@adu-web3, I've created the issue to add Slither CI to the CI/CD pipeline as you requested. You can track the progress and further details here: Issue #38.

Analysis chain

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Create a GitHub issue for adding Slither CI to the CI/CD pipeline
gh issue create \
  --title "Add Slither CI to the CI/CD pipeline" \
  --body "This issue is to track the addition of Slither, a static analysis tool, to our CI/CD pipeline to enhance security by regularly checking for vulnerabilities as discussed in https://github.com/ExocoreNetwork/exocore-contracts/pull/35." \
  --assignee adu-web3

Length of output: 388

[adu-web3]

Tip

For best results, initiate chat on the files or code changes.

@adu-web3, I've created the issue to add Slither CI to the CI/CD pipeline as you requested. You can track the progress and further details here: Issue #38.

Analysis chain
Scripts executed

@MaxMustermann2 have created the issue, don't worry, I'll close it

[bwhour]

it looks good.