📌 Description
commitment_marketplace documents a reentrancy guard on all external-call entry
points (DataKey::ReentrancyGuard), but contracts/commitment_marketplace/src/tests.rs
has no test that actually attempts a reentrant call through the token transfer in
buy_nft (line ~551) or accept_offer (line ~800). The guard is asserted but not
verified.
This issue adds malicious-token reentrancy regression tests.
🎯 Requirements and Context
- Use a malicious token mock whose transfer re-enters the marketplace; assert ReentrancyDetected.
- Cover buy_nft, accept_offer, end_auction, and the offer-cancel refund path.
- Assert guard is always reset after success and after revert (no stuck-locked state).
- No changes to production behaviour — tests only (unless a guard gap is found).
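A worked model of the requested test, added here as an example and not the project's own code: a plain-Rust stand-in for the guarded entry point, with a malicious token whose transfer re-enters buy_nft, and an honest token to show the guard is released after success as well as after failure. Marketplace, Token, the buy_nft signature and the Error variant are assumptions; the guard is modelled as a Cell<bool> in place of the DataKey::ReentrancyGuard storage entry, errors as Result in place of a Soroban panic, and the reset is explicit because plain Rust has no storage rollback (in the real Soroban test a reverting invocation rolls back its own writes, which is what the reset-after-revert assertion exercises).

```rust
use std::cell::Cell;

#[derive(Debug, PartialEq)]
pub enum Error { ReentrancyDetected }

/// Assumed token interface: the marketplace calls transfer while settling a sale.
pub trait Token {
    fn transfer(&self, mkt: &Marketplace, amount: i128) -> Result<(), Error>;
}

pub struct Marketplace {
    reentrancy_guard: Cell<bool>, // stand-in for the DataKey::ReentrancyGuard storage entry
    token: Box<dyn Token>,
}

impl Marketplace {
    pub fn guard_is_locked(&self) -> bool { self.reentrancy_guard.get() }

    /// Guarded entry point (assumed shape of buy_nft): lock, external call, unlock.
    pub fn buy_nft(&self, price: i128) -> Result<(), Error> {
        if self.guard_is_locked() {
            return Err(Error::ReentrancyDetected);
        }
        self.reentrancy_guard.set(true);
        // External call: a malicious token can re-enter the marketplace from here.
        let result = self.token.transfer(self, price);
        // Reset on success and on failure so no stuck-locked state is left behind.
        self.reentrancy_guard.set(false);
        result
    }
}

/// Malicious mock: re-enters buy_nft from inside transfer; the guard must reject it.
pub struct ReentrantToken;
impl Token for ReentrantToken {
    fn transfer(&self, mkt: &Marketplace, amount: i128) -> Result<(), Error> { mkt.buy_nft(amount) }
}

/// Honest mock: shows the guard is also released after a successful settlement.
pub struct HonestToken;
impl Token for HonestToken {
    fn transfer(&self, _mkt: &Marketplace, _amount: i128) -> Result<(), Error> { Ok(()) }
}

/// Runs one purchase; returns (outcome, whether the guard is still locked afterwards).
pub fn settle_once(token: Box<dyn Token>) -> (Result<(), Error>, bool) {
    let mkt = Marketplace { reentrancy_guard: Cell::new(false), token };
    let outcome = mkt.buy_nft(100);
    (outcome, mkt.guard_is_locked())
}
```

The same two assertions, reentry rejected and guard unlocked afterwards, are what each of the listed paths (accept_offer, end_auction, the offer-cancel refund) needs in the real tests.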
🛠️ Suggested Execution
1. Fork the repo and create a branch
git checkout -b test/marketplace-reentrancy
2. Implement changes
- Add a reentrant token mock and tests to contracts/commitment_marketplace/src/tests.rs.
- Document findings in docs/SECURITY_CHECKLIST.md.
3. Test and commit
- Run: cargo test --target wasm32v1-none --release
- Edge cases: reentry on buy, on accept_offer, on end_auction, guard reset after revert.
Example commit message
test: reentrancy regression coverage for marketplace settlement
✅ Guidelines
- Minimum 95% test coverage on the guarded paths.
- Document the attack scenarios tested.
- Timeframe: 96 hours.
🏷️ Labels
type-testing · type-security · area-contracts · MAYBE REWARDED · GRANTFOX OSS · OFFICIAL CAMPAIGN
💬 Community & Support
- Join the CommitLabs contributor Discord to coordinate and get unblocked fast: https://discord.gg/WV7tdYkJk
- Introduce yourself before starting to avoid duplicate work.
- Maintainers triage actively and review fast.