feat: Add reentrancy locks in Spoke and NativeTokenGateway (#1073)

Author: avniculae

snapshots/NativeTokenGateway.Operations.json

@@ -1,8 +1,8 @@
 {
-  "borrowNative": "226775",
-  "repayNative": "165738",
-  "supplyAsCollateralNative": "159246",
-  "supplyNative": "135381",
-  "withdrawNative: full": "124624",
-  "withdrawNative: partial": "135579"
+  "borrowNative": "227643",
+  "repayNative": "166113",
+  "supplyAsCollateralNative": "159972",
+  "supplyNative": "135681",
+  "withdrawNative: full": "125318",
+  "withdrawNative: partial": "136447"
 }

snapshots/SignatureGateway.Operations.json

@@ -1,10 +1,10 @@
 {
-  "borrowWithSig": "212528",
-  "repayWithSig": "186080",
+  "borrowWithSig": "212903",
+  "repayWithSig": "186455",
   "setSelfAsUserPositionManagerWithSig": "74852",
-  "setUsingAsCollateralWithSig": "85012",
-  "supplyWithSig": "151642",
-  "updateUserDynamicConfigWithSig": "62750",
-  "updateUserRiskPremiumWithSig": "61732",
-  "withdrawWithSig": "130328"
+  "setUsingAsCollateralWithSig": "85363",
+  "supplyWithSig": "151942",
+  "updateUserDynamicConfigWithSig": "63101",
+  "updateUserRiskPremiumWithSig": "62083",
+  "withdrawWithSig": "130628"
 }

snapshots/Spoke.Operations.ZeroRiskPremium.json

@@ -1,33 +1,33 @@
 {
-  "borrow: first": "188895",
-  "borrow: second action, same reserve": "168844",
-  "liquidationCall (receiveShares): full": "294611",
-  "liquidationCall (receiveShares): partial": "294329",
-  "liquidationCall: full": "303896",
-  "liquidationCall: partial": "303614",
-  "permitReserve + repay (multicall)": "164002",
-  "permitReserve + supply (multicall)": "146269",
-  "permitReserve + supply + enable collateral (multicall)": "160321",
-  "repay: full": "123339",
-  "repay: partial": "128309",
+  "borrow: first": "189270",
+  "borrow: second action, same reserve": "169219",
+  "liquidationCall (receiveShares): full": "294986",
+  "liquidationCall (receiveShares): partial": "294704",
+  "liquidationCall: full": "304271",
+  "liquidationCall: partial": "303989",
+  "permitReserve + repay (multicall)": "164377",
+  "permitReserve + supply (multicall)": "146644",
+  "permitReserve + supply + enable collateral (multicall)": "161047",
+  "repay: full": "123714",
+  "repay: partial": "128684",
   "setUserPositionManagerWithSig: disable": "44889",
   "setUserPositionManagerWithSig: enable": "68930",
-  "supply + enable collateral (multicall)": "140501",
-  "supply: 0 borrows, collateral disabled": "122370",
-  "supply: 0 borrows, collateral enabled": "105341",
-  "supply: second action, same reserve": "105270",
-  "updateUserDynamicConfig: 1 collateral": "74176",
-  "updateUserDynamicConfig: 2 collaterals": "89081",
-  "updateUserRiskPremium: 1 borrow": "94409",
-  "updateUserRiskPremium: 2 borrows": "103544",
-  "usingAsCollateral: 0 borrows, enable": "59205",
-  "usingAsCollateral: 1 borrow, disable": "104524",
-  "usingAsCollateral: 1 borrow, enable": "42093",
-  "usingAsCollateral: 2 borrows, disable": "125620",
-  "usingAsCollateral: 2 borrows, enable": "42105",
-  "withdraw: 0 borrows, full": "127285",
-  "withdraw: 0 borrows, partial": "131971",
-  "withdraw: 1 borrow, partial": "158353",
-  "withdraw: 2 borrows, partial": "172459",
-  "withdraw: non collateral": "105240"
+  "supply + enable collateral (multicall)": "141227",
+  "supply: 0 borrows, collateral disabled": "122745",
+  "supply: 0 borrows, collateral enabled": "105716",
+  "supply: second action, same reserve": "105645",
+  "updateUserDynamicConfig: 1 collateral": "74527",
+  "updateUserDynamicConfig: 2 collaterals": "89432",
+  "updateUserRiskPremium: 1 borrow": "94760",
+  "updateUserRiskPremium: 2 borrows": "103895",
+  "usingAsCollateral: 0 borrows, enable": "59556",
+  "usingAsCollateral: 1 borrow, disable": "104875",
+  "usingAsCollateral: 1 borrow, enable": "42444",
+  "usingAsCollateral: 2 borrows, disable": "125971",
+  "usingAsCollateral: 2 borrows, enable": "42456",
+  "withdraw: 0 borrows, full": "127660",
+  "withdraw: 0 borrows, partial": "132346",
+  "withdraw: 1 borrow, partial": "158728",
+  "withdraw: 2 borrows, partial": "172834",
+  "withdraw: non collateral": "105615"
 }

snapshots/Spoke.Operations.json

@@ -1,33 +1,33 @@
 {
-  "borrow: first": "257798",
-  "borrow: second action, same reserve": "200747",
-  "liquidationCall (receiveShares): full": "326619",
-  "liquidationCall (receiveShares): partial": "326337",
-  "liquidationCall: full": "335904",
-  "liquidationCall: partial": "335622",
-  "permitReserve + repay (multicall)": "161585",
-  "permitReserve + supply (multicall)": "146269",
-  "permitReserve + supply + enable collateral (multicall)": "160321",
-  "repay: full": "117418",
-  "repay: partial": "136788",
+  "borrow: first": "258173",
+  "borrow: second action, same reserve": "201122",
+  "liquidationCall (receiveShares): full": "326994",
+  "liquidationCall (receiveShares): partial": "326712",
+  "liquidationCall: full": "336279",
+  "liquidationCall: partial": "335997",
+  "permitReserve + repay (multicall)": "161885",
+  "permitReserve + supply (multicall)": "146644",
+  "permitReserve + supply + enable collateral (multicall)": "161047",
+  "repay: full": "117793",
+  "repay: partial": "137163",
   "setUserPositionManagerWithSig: disable": "44889",
   "setUserPositionManagerWithSig: enable": "68930",
-  "supply + enable collateral (multicall)": "140501",
-  "supply: 0 borrows, collateral disabled": "122370",
-  "supply: 0 borrows, collateral enabled": "105341",
-  "supply: second action, same reserve": "105270",
-  "updateUserDynamicConfig: 1 collateral": "74176",
-  "updateUserDynamicConfig: 2 collaterals": "89081",
-  "updateUserRiskPremium: 1 borrow": "147733",
-  "updateUserRiskPremium: 2 borrows": "197440",
-  "usingAsCollateral: 0 borrows, enable": "59205",
-  "usingAsCollateral: 1 borrow, disable": "157848",
-  "usingAsCollateral: 1 borrow, enable": "42093",
-  "usingAsCollateral: 2 borrows, disable": "227516",
-  "usingAsCollateral: 2 borrows, enable": "42105",
-  "withdraw: 0 borrows, full": "127285",
-  "withdraw: 0 borrows, partial": "131971",
-  "withdraw: 1 borrow, partial": "209175",
-  "withdraw: 2 borrows, partial": "254888",
-  "withdraw: non collateral": "105240"
+  "supply + enable collateral (multicall)": "141227",
+  "supply: 0 borrows, collateral disabled": "122745",
+  "supply: 0 borrows, collateral enabled": "105716",
+  "supply: second action, same reserve": "105645",
+  "updateUserDynamicConfig: 1 collateral": "74527",
+  "updateUserDynamicConfig: 2 collaterals": "89432",
+  "updateUserRiskPremium: 1 borrow": "148084",
+  "updateUserRiskPremium: 2 borrows": "197791",
+  "usingAsCollateral: 0 borrows, enable": "59556",
+  "usingAsCollateral: 1 borrow, disable": "158199",
+  "usingAsCollateral: 1 borrow, enable": "42444",
+  "usingAsCollateral: 2 borrows, disable": "227867",
+  "usingAsCollateral: 2 borrows, enable": "42456",
+  "withdraw: 0 borrows, full": "127660",
+  "withdraw: 0 borrows, partial": "132346",
+  "withdraw: 1 borrow, partial": "209550",
+  "withdraw: 2 borrows, partial": "255263",
+  "withdraw: non collateral": "105615"
 }

src/position-manager/NativeTokenGateway.sol

@@ -70,7 +70,7 @@ contract NativeTokenGateway is INativeTokenGateway, GatewayBase, ReentrancyGuard
     address spoke,
     uint256 reserveId,
     uint256 amount
-  ) external onlyRegisteredSpoke(spoke) returns (uint256, uint256) {
+  ) external nonReentrant onlyRegisteredSpoke(spoke) returns (uint256, uint256) {
     address underlying = _getReserveUnderlying(spoke, reserveId);
     _validateParams(underlying, amount);
 
@@ -90,7 +90,7 @@ contract NativeTokenGateway is INativeTokenGateway, GatewayBase, ReentrancyGuard
     address spoke,
     uint256 reserveId,
     uint256 amount
-  ) external onlyRegisteredSpoke(spoke) returns (uint256, uint256) {
+  ) external nonReentrant onlyRegisteredSpoke(spoke) returns (uint256, uint256) {
     address underlying = _getReserveUnderlying(spoke, reserveId);
     _validateParams(underlying, amount);
 

src/spoke/Spoke.sol

@@ -5,6 +5,7 @@ pragma solidity 0.8.28;
 import {SafeCast} from 'src/dependencies/openzeppelin/SafeCast.sol';
 import {SafeERC20, IERC20} from 'src/dependencies/openzeppelin/SafeERC20.sol';
 import {IERC20Permit} from 'src/dependencies/openzeppelin/IERC20Permit.sol';
+import {ReentrancyGuardTransient} from 'src/dependencies/openzeppelin/ReentrancyGuardTransient.sol';
 import {AccessManagedUpgradeable} from 'src/dependencies/openzeppelin-upgradeable/AccessManagedUpgradeable.sol';
 import {MathUtils} from 'src/libraries/math/MathUtils.sol';
 import {PercentageMath} from 'src/libraries/math/PercentageMath.sol';
@@ -24,7 +25,13 @@ import {ISpokeBase, ISpoke} from 'src/spoke/interfaces/ISpoke.sol';
 /// @author Aave Labs
 /// @notice Handles risk configuration & borrowing strategy for reserves and user positions.
 /// @dev Each reserve can be associated with a separate Hub.
-abstract contract Spoke is ISpoke, AccessManagedUpgradeable, IntentConsumer, Multicall {
+abstract contract Spoke is
+  ISpoke,
+  AccessManagedUpgradeable,
+  IntentConsumer,
+  Multicall,
+  ReentrancyGuardTransient
+{
   using SafeCast for *;
   using SafeERC20 for IERC20;
   using MathUtils for *;
@@ -229,7 +236,7 @@ abstract contract Spoke is ISpoke, AccessManagedUpgradeable, IntentConsumer, Mul
     uint256 reserveId,
     uint256 amount,
     address onBehalfOf
-  ) external onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
+  ) external nonReentrant onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
     Reserve storage reserve = _getReserve(reserveId);
     UserPosition storage userPosition = _userPositions[onBehalfOf][reserveId];
     _validateSupply(reserve.flags);
@@ -248,7 +255,7 @@ abstract contract Spoke is ISpoke, AccessManagedUpgradeable, IntentConsumer, Mul
     uint256 reserveId,
     uint256 amount,
     address onBehalfOf
-  ) external onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
+  ) external nonReentrant onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
     Reserve storage reserve = _getReserve(reserveId);
     UserPosition storage userPosition = _userPositions[onBehalfOf][reserveId];
     _validateWithdraw(reserve.flags);
@@ -278,7 +285,7 @@ abstract contract Spoke is ISpoke, AccessManagedUpgradeable, IntentConsumer, Mul
     uint256 reserveId,
     uint256 amount,
     address onBehalfOf
-  ) external onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
+  ) external nonReentrant onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
     Reserve storage reserve = _getReserve(reserveId);
     UserPosition storage userPosition = _userPositions[onBehalfOf][reserveId];
     PositionStatus storage positionStatus = _positionStatus[onBehalfOf];
@@ -304,7 +311,7 @@ abstract contract Spoke is ISpoke, AccessManagedUpgradeable, IntentConsumer, Mul
     uint256 reserveId,
     uint256 amount,
     address onBehalfOf
-  ) external onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
+  ) external nonReentrant onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
     Reserve storage reserve = _getReserve(reserveId);
     UserPosition storage userPosition = _userPositions[onBehalfOf][reserveId];
     _validateRepay(reserve.flags);
@@ -348,7 +355,7 @@ abstract contract Spoke is ISpoke, AccessManagedUpgradeable, IntentConsumer, Mul
     address user,
     uint256 debtToCover,
     bool receiveShares
-  ) external {
+  ) external nonReentrant {
     Reserve storage collateralReserve = _getReserve(collateralReserveId);
     Reserve storage debtReserve = _getReserve(debtReserveId);
     DynamicReserveConfig storage collateralDynConfig = _dynamicConfig[collateralReserveId][
@@ -402,7 +409,7 @@ abstract contract Spoke is ISpoke, AccessManagedUpgradeable, IntentConsumer, Mul
     uint256 reserveId,
     bool usingAsCollateral,
     address onBehalfOf
-  ) external onlyPositionManager(onBehalfOf) {
+  ) external nonReentrant onlyPositionManager(onBehalfOf) {
     _validateSetUsingAsCollateral(_getReserve(reserveId).flags, usingAsCollateral);
     PositionStatus storage positionStatus = _positionStatus[onBehalfOf];
 
@@ -422,7 +429,7 @@ abstract contract Spoke is ISpoke, AccessManagedUpgradeable, IntentConsumer, Mul
   }
 
   /// @inheritdoc ISpoke
-  function updateUserRiskPremium(address onBehalfOf) external {
+  function updateUserRiskPremium(address onBehalfOf) external nonReentrant {
     if (!_isPositionManager({user: onBehalfOf, manager: msg.sender})) {
       _checkCanCall(msg.sender, msg.data);
     }
@@ -431,7 +438,7 @@ abstract contract Spoke is ISpoke, AccessManagedUpgradeable, IntentConsumer, Mul
   }
 
   /// @inheritdoc ISpoke
-  function updateUserDynamicConfig(address onBehalfOf) external {
+  function updateUserDynamicConfig(address onBehalfOf) external nonReentrant {
     if (!_isPositionManager({user: onBehalfOf, manager: msg.sender})) {
       _checkCanCall(msg.sender, msg.data);
     }

tests/Base.t.sol

@@ -15,6 +15,7 @@ import {
   TransparentUpgradeableProxy,
   ITransparentUpgradeableProxy
 } from 'src/dependencies/openzeppelin/TransparentUpgradeableProxy.sol';
+import {ReentrancyGuardTransient} from 'src/dependencies/openzeppelin/ReentrancyGuardTransient.sol';
 import {IERC20Metadata} from 'src/dependencies/openzeppelin/IERC20Metadata.sol';
 import {SafeCast} from 'src/dependencies/openzeppelin/SafeCast.sol';
 import {IERC20Errors} from 'src/dependencies/openzeppelin/IERC20Errors.sol';
@@ -88,6 +89,7 @@ import {MockSpoke} from 'tests/mocks/MockSpoke.sol';
 import {MockERC1271Wallet} from 'tests/mocks/MockERC1271Wallet.sol';
 import {MockSpokeInstance} from 'tests/mocks/MockSpokeInstance.sol';
 import {MockSkimSpoke} from 'tests/mocks/MockSkimSpoke.sol';
+import {MockReentrantCaller} from 'tests/mocks/MockReentrantCaller.sol';
 import {ISpokeInstance} from 'tests/mocks/ISpokeInstance.sol';
 import {DeployWrapper} from 'tests/mocks/DeployWrapper.sol';
 

tests/mocks/MockReentrantCaller.sol

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: UNLICENSED
+// Copyright (c) 2025 Aave Labs
+pragma solidity ^0.8.0;
+
+import {Address} from 'src/dependencies/openzeppelin/Address.sol';
+
+contract MockReentrantCaller {
+  using Address for address;
+
+  address public immutable TARGET;
+  bytes4 public immutable TARGET_SELECTOR;
+
+  constructor(address target, bytes4 targetSelector) {
+    TARGET = target;
+    TARGET_SELECTOR = targetSelector;
+  }
+
+  fallback() external {
+    TARGET.functionCall(bytes.concat(TARGET_SELECTOR, new bytes(1000)));
+  }
+}