test Flow.flow nonReentrant guard via malicious token callback

[thedavidmeister]

Summary

Pins Flow.flow's nonReentrant guard. New test deploys a MaliciousReenteringToken whose transferFrom re-enters flow.flow(...) on the same flow contract and asserts the inner call reverts with the OZ ReentrancyGuardUpgradeable v4 string "ReentrancyGuard: reentrant call".

Mutation verified: dropping nonReentrant from Flow.flow makes the inner call succeed and the outer test fails (reverting with UnsupportedERC20Flow from a later branch instead of the reentrancy revert); reverting passes.

The malicious token contract lives in test/concrete/ per the project rule that test helper contracts are not inlined in test files.

This PR also resolves the empirical observation in #330 (Pass 5 mutation showed nonReentrant removal was uncaught by any test) by adding the test that catches it.

Closes #324 #330.

Test plan

• testFlowReentrancyGuardFiresOnTokenCallback — 100 fuzz runs
• mutation: drop nonReentrant from Flow.flow → test fails

🤖 Generated with Claude Code

Summary by CodeRabbit

• Tests
  • Added reentrancy protection test to verify security safeguards against malicious token callbacks.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e42d0ad9-d11b-4ba9-8216-19ee169408d2

📥 Commits

Reviewing files that changed from the base of the PR and between ec7a7f7 and 1d7768a.

📒 Files selected for processing (2)

• test/concrete/MaliciousReenteringToken.sol
• test/src/concrete/Flow.transfer.t.sol

---

Walkthrough

This PR adds a test contract and test case to verify that Flow.flow's nonReentrant guard fires correctly when code re-enters the flow during an ERC20 transfer. A malicious token contract triggers reentry via its transferFrom callback; the test confirms the guard reverts the inner call.

Changes

Reentrancy Guard Test

Layer / File(s)	Summary
Malicious token contract and reentrancy test test/concrete/MaliciousReenteringToken.sol, test/src/concrete/Flow.transfer.t.sol	MaliciousReenteringToken stores a Flow reference and an EvaluableV2; its transferFrom re-enters Flow.flow to test the guard. testFlowReentrancyGuardFiresOnTokenCallback deploys a flow, wires the evaluable into the malicious token, runs flow with an ERC20 transfer of that token, and asserts the reentrant flow.flow call reverts with ReentrancyGuard: reentrant call.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• #324: Directly addresses the gap described in [A01-5] [LOW] flow nonReentrant guard untested — implements a reentrancy test for Flow.flow's nonReentrant decorator, using an ERC20 token approach instead of the proposed ERC1155 receiver, to verify the guard fires on reentry.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding a test for the Flow.flow nonReentrant guard via a malicious token callback.
Linked Issues check	✅ Passed	The PR implements the core requirements from #324: adds a reentrancy test with a malicious token helper contract that re-enters flow during transferFrom, and asserts the nonReentrant guard fires with the correct OZ revert string.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to verifying the nonReentrant guard on Flow.flow as required by #324 and #330; no unrelated modifications are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 2026-05-05-issue-324-330-reentrancy-guard-test

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}