Skip to content

test: cover marketplace token reentrancy#526

Closed
dangelo352 wants to merge 1 commit into
Commitlabs-Org:masterfrom
dangelo352:test/marketplace-reentrancy-479
Closed

test: cover marketplace token reentrancy#526
dangelo352 wants to merge 1 commit into
Commitlabs-Org:masterfrom
dangelo352:test/marketplace-reentrancy-479

Conversation

@dangelo352

@dangelo352 dangelo352 commented Jun 22, 2026

Copy link
Copy Markdown

Summary

  • Add a malicious payment-token mock that re-enters marketplace transfer paths
  • Cover guarded reentry during buy_nft, accept_offer, competing place_bid with previous-bid refund, and end_auction settlement
  • Assert the malicious token observed a nested guarded rejection and the marketplace reentrancy guard resets after the outer flow
  • Update SECURITY_CHECKLIST.md with the tested scenarios and note that current offer cancellation has no token refund transfer

Closes #479.

Tests

  • CARGO_TARGET_DIR=/tmp/commitlabs-market-reentry-target cargo test -p commitment-marketplace reentrant_payment_token -- --nocapture
  • CARGO_TARGET_DIR=/tmp/commitlabs-market-reentry-target cargo test -p commitment-marketplace reentrancy -- --nocapture
  • git diff --check

Note: the generated Soroban client exposes the nested guard rejection inside the mock token as an outer contract-call error; existing explicit guard tests in the same filter continue to assert MarketplaceError::ReentrancyDetected (#20) directly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add reentrancy regression tests for commitment_marketplace::buy_nft and accept_offer

2 participants

@dangelo352 @1nonlypiece