feat: add reentrancy locks in spoke

Author: avniculae

snapshots/NativeTokenGateway.Operations.json

@@ -1,8 +1,8 @@
 {
-  "borrowNative": "229316",
-  "repayNative": "168024",
-  "supplyAsCollateralNative": "160373",
+  "borrowNative": "229792",
+  "repayNative": "168492",
+  "supplyAsCollateralNative": "160402",
   "supplyNative": "136476",
-  "withdrawNative: full": "125620",
-  "withdrawNative: partial": "136825"
+  "withdrawNative: full": "125996",
+  "withdrawNative: partial": "137294"
 }

snapshots/SignatureGateway.Operations.json

@@ -1,10 +1,10 @@
 {
-  "borrowWithSig": "215605",
-  "repayWithSig": "188872",
+  "borrowWithSig": "216081",
+  "repayWithSig": "189340",
   "setSelfAsUserPositionManagerWithSig": "75402",
-  "setUsingAsCollateralWithSig": "85053",
+  "setUsingAsCollateralWithSig": "85082",
   "supplyWithSig": "153205",
-  "updateUserDynamicConfigWithSig": "62769",
-  "updateUserRiskPremiumWithSig": "61579",
-  "withdrawWithSig": "131696"
+  "updateUserDynamicConfigWithSig": "63235",
+  "updateUserRiskPremiumWithSig": "62045",
+  "withdrawWithSig": "132071"
 }

snapshots/Spoke.Getters.json

@@ -1,7 +1,7 @@
 {
   "getUserAccountData: supplies: 0, borrows: 0": "11937",
   "getUserAccountData: supplies: 1, borrows: 0": "48600",
-  "getUserAccountData: supplies: 2, borrows: 0": "80378",
+  "getUserAccountData: supplies: 2, borrows: 0": "80379",
   "getUserAccountData: supplies: 2, borrows: 1": "100166",
-  "getUserAccountData: supplies: 2, borrows: 2": "118596"
+  "getUserAccountData: supplies: 2, borrows: 2": "118595"
 }

snapshots/Spoke.Operations.ZeroRiskPremium.json

@@ -1,33 +1,33 @@
 {
-  "borrow: first": "191325",
-  "borrow: second action, same reserve": "171297",
-  "liquidationCall (receiveShares): full": "300103",
-  "liquidationCall (receiveShares): partial": "299821",
-  "liquidationCall: full": "310468",
-  "liquidationCall: partial": "310186",
-  "permitReserve + repay (multicall)": "166029",
+  "borrow: first": "191801",
+  "borrow: second action, same reserve": "171773",
+  "liquidationCall (receiveShares): full": "300568",
+  "liquidationCall (receiveShares): partial": "300286",
+  "liquidationCall: full": "310933",
+  "liquidationCall: partial": "310651",
+  "permitReserve + repay (multicall)": "166498",
   "permitReserve + supply (multicall)": "146862",
-  "permitReserve + supply + enable collateral (multicall)": "160573",
-  "repay: full": "126094",
-  "repay: partial": "130983",
+  "permitReserve + supply + enable collateral (multicall)": "160602",
+  "repay: full": "126563",
+  "repay: partial": "131452",
   "setUserPositionManagerWithSig: disable": "44846",
   "setUserPositionManagerWithSig: enable": "68875",
-  "supply + enable collateral (multicall)": "140624",
+  "supply + enable collateral (multicall)": "140653",
   "supply: 0 borrows, collateral disabled": "123679",
   "supply: 0 borrows, collateral enabled": "106601",
   "supply: second action, same reserve": "106579",
-  "updateUserDynamicConfig: 1 collateral": "73694",
-  "updateUserDynamicConfig: 2 collaterals": "88551",
-  "updateUserRiskPremium: 1 borrow": "94804",
-  "updateUserRiskPremium: 2 borrows": "104619",
-  "usingAsCollateral: 0 borrows, enable": "58915",
-  "usingAsCollateral: 1 borrow, disable": "105072",
-  "usingAsCollateral: 1 borrow, enable": "41803",
-  "usingAsCollateral: 2 borrows, disable": "126055",
-  "usingAsCollateral: 2 borrows, enable": "41815",
-  "withdraw: 0 borrows, full": "128910",
-  "withdraw: 0 borrows, partial": "133473",
-  "withdraw: 1 borrow, partial": "161036",
-  "withdraw: 2 borrows, partial": "174214",
-  "withdraw: non collateral": "106544"
+  "updateUserDynamicConfig: 1 collateral": "74160",
+  "updateUserDynamicConfig: 2 collaterals": "89018",
+  "updateUserRiskPremium: 1 borrow": "95269",
+  "updateUserRiskPremium: 2 borrows": "105083",
+  "usingAsCollateral: 0 borrows, enable": "58944",
+  "usingAsCollateral: 1 borrow, disable": "105576",
+  "usingAsCollateral: 1 borrow, enable": "41832",
+  "usingAsCollateral: 2 borrows, disable": "126558",
+  "usingAsCollateral: 2 borrows, enable": "41844",
+  "withdraw: 0 borrows, full": "129379",
+  "withdraw: 0 borrows, partial": "133942",
+  "withdraw: 1 borrow, partial": "161504",
+  "withdraw: 2 borrows, partial": "174681",
+  "withdraw: non collateral": "107013"
 }

snapshots/Spoke.Operations.json

@@ -1,33 +1,33 @@
 {
-  "borrow: first": "261721",
-  "borrow: second action, same reserve": "204693",
-  "liquidationCall (receiveShares): full": "333666",
-  "liquidationCall (receiveShares): partial": "333384",
-  "liquidationCall: full": "344031",
-  "liquidationCall: partial": "343749",
-  "permitReserve + repay (multicall)": "163273",
+  "borrow: first": "262197",
+  "borrow: second action, same reserve": "205169",
+  "liquidationCall (receiveShares): full": "334131",
+  "liquidationCall (receiveShares): partial": "333849",
+  "liquidationCall: full": "344496",
+  "liquidationCall: partial": "344214",
+  "permitReserve + repay (multicall)": "163648",
   "permitReserve + supply (multicall)": "146862",
-  "permitReserve + supply + enable collateral (multicall)": "160573",
-  "repay: full": "120256",
-  "repay: partial": "139545",
+  "permitReserve + supply + enable collateral (multicall)": "160602",
+  "repay: full": "120725",
+  "repay: partial": "140014",
   "setUserPositionManagerWithSig: disable": "44846",
   "setUserPositionManagerWithSig: enable": "68875",
-  "supply + enable collateral (multicall)": "140624",
+  "supply + enable collateral (multicall)": "140653",
   "supply: 0 borrows, collateral disabled": "123679",
   "supply: 0 borrows, collateral enabled": "106601",
   "supply: second action, same reserve": "106579",
-  "updateUserDynamicConfig: 1 collateral": "73694",
-  "updateUserDynamicConfig: 2 collaterals": "88551",
-  "updateUserRiskPremium: 1 borrow": "151080",
-  "updateUserRiskPremium: 2 borrows": "204276",
-  "usingAsCollateral: 0 borrows, enable": "58915",
-  "usingAsCollateral: 1 borrow, disable": "161348",
-  "usingAsCollateral: 1 borrow, enable": "41803",
-  "usingAsCollateral: 2 borrows, disable": "233712",
-  "usingAsCollateral: 2 borrows, enable": "41815",
-  "withdraw: 0 borrows, full": "128910",
-  "withdraw: 0 borrows, partial": "133473",
-  "withdraw: 1 borrow, partial": "214810",
-  "withdraw: 2 borrows, partial": "259272",
-  "withdraw: non collateral": "106544"
+  "updateUserDynamicConfig: 1 collateral": "74160",
+  "updateUserDynamicConfig: 2 collaterals": "89018",
+  "updateUserRiskPremium: 1 borrow": "151545",
+  "updateUserRiskPremium: 2 borrows": "204740",
+  "usingAsCollateral: 0 borrows, enable": "58944",
+  "usingAsCollateral: 1 borrow, disable": "161852",
+  "usingAsCollateral: 1 borrow, enable": "41832",
+  "usingAsCollateral: 2 borrows, disable": "234215",
+  "usingAsCollateral: 2 borrows, enable": "41844",
+  "withdraw: 0 borrows, full": "129379",
+  "withdraw: 0 borrows, partial": "133942",
+  "withdraw: 1 borrow, partial": "215278",
+  "withdraw: 2 borrows, partial": "259739",
+  "withdraw: non collateral": "107013"
 }

src/dependencies/openzeppelin/ReentrancyGuardTransient.sol

@@ -37,6 +37,20 @@ abstract contract ReentrancyGuardTransient {
     _nonReentrantAfter();
   }
 
+  /**
+   * @dev Variant of {nonReentrant} that only enforces the guard if `condition` is true.
+   * @param condition The condition to check.
+   */
+  modifier nonReentrantConditional(bool condition) {
+    if (condition) {
+      _nonReentrantBefore();
+      _;
+      _nonReentrantAfter();
+    } else {
+      _;
+    }
+  }
+
   function _nonReentrantBefore() private {
     // On the first call to nonReentrant, REENTRANCY_GUARD_STORAGE.asBoolean().tload() will be false
     if (_reentrancyGuardEntered()) {

src/spoke/Spoke.sol

@@ -6,6 +6,7 @@ import {SafeCast} from 'src/dependencies/openzeppelin/SafeCast.sol';
 import {SafeERC20, IERC20} from 'src/dependencies/openzeppelin/SafeERC20.sol';
 import {IERC20Permit} from 'src/dependencies/openzeppelin/IERC20Permit.sol';
 import {SignatureChecker} from 'src/dependencies/openzeppelin/SignatureChecker.sol';
+import {ReentrancyGuardTransient} from 'src/dependencies/openzeppelin/ReentrancyGuardTransient.sol';
 import {AccessManagedUpgradeable} from 'src/dependencies/openzeppelin-upgradeable/AccessManagedUpgradeable.sol';
 import {EIP712} from 'src/dependencies/solady/EIP712.sol';
 import {MathUtils} from 'src/libraries/math/MathUtils.sol';
@@ -26,7 +27,7 @@ import {ISpokeBase, ISpoke} from 'src/spoke/interfaces/ISpoke.sol';
 /// @author Aave Labs
 /// @notice Handles risk configuration & borrowing strategy for reserves and user positions.
 /// @dev Each reserve can be associated with a separate Hub.
-abstract contract Spoke is ISpoke, Multicall, NoncesKeyed, AccessManagedUpgradeable, EIP712 {
+abstract contract Spoke is ISpoke, Multicall, NoncesKeyed, AccessManagedUpgradeable, ReentrancyGuardTransient, EIP712 {
   using SafeCast for *;
   using SafeERC20 for IERC20;
   using MathUtils for *;
@@ -250,7 +251,7 @@ abstract contract Spoke is ISpoke, Multicall, NoncesKeyed, AccessManagedUpgradea
     uint256 reserveId,
     uint256 amount,
     address onBehalfOf
-  ) external onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
+  ) external nonReentrant onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
     Reserve storage reserve = _getReserve(reserveId);
     UserPosition storage userPosition = _userPositions[onBehalfOf][reserveId];
     _validateWithdraw(reserve.flags);
@@ -280,7 +281,7 @@ abstract contract Spoke is ISpoke, Multicall, NoncesKeyed, AccessManagedUpgradea
     uint256 reserveId,
     uint256 amount,
     address onBehalfOf
-  ) external onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
+  ) external nonReentrant onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
     Reserve storage reserve = _getReserve(reserveId);
     UserPosition storage userPosition = _userPositions[onBehalfOf][reserveId];
     PositionStatus storage positionStatus = _positionStatus[onBehalfOf];
@@ -306,7 +307,7 @@ abstract contract Spoke is ISpoke, Multicall, NoncesKeyed, AccessManagedUpgradea
     uint256 reserveId,
     uint256 amount,
     address onBehalfOf
-  ) external onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
+  ) external nonReentrant onlyPositionManager(onBehalfOf) returns (uint256, uint256) {
     Reserve storage reserve = _getReserve(reserveId);
     UserPosition storage userPosition = _userPositions[onBehalfOf][reserveId];
     _validateRepay(reserve.flags);
@@ -350,7 +351,7 @@ abstract contract Spoke is ISpoke, Multicall, NoncesKeyed, AccessManagedUpgradea
     address user,
     uint256 debtToCover,
     bool receiveShares
-  ) external {
+  ) external nonReentrant {
     Reserve storage collateralReserve = _getReserve(collateralReserveId);
     Reserve storage debtReserve = _getReserve(debtReserveId);
     DynamicReserveConfig storage collateralDynConfig = _dynamicConfig[collateralReserveId][
@@ -404,7 +405,7 @@ abstract contract Spoke is ISpoke, Multicall, NoncesKeyed, AccessManagedUpgradea
     uint256 reserveId,
     bool usingAsCollateral,
     address onBehalfOf
-  ) external onlyPositionManager(onBehalfOf) {
+  ) external nonReentrantConditional(!usingAsCollateral) onlyPositionManager(onBehalfOf) {
     _validateSetUsingAsCollateral(_getReserve(reserveId).flags, usingAsCollateral);
     PositionStatus storage positionStatus = _positionStatus[onBehalfOf];
 
@@ -424,7 +425,7 @@ abstract contract Spoke is ISpoke, Multicall, NoncesKeyed, AccessManagedUpgradea
   }
 
   /// @inheritdoc ISpoke
-  function updateUserRiskPremium(address onBehalfOf) external {
+  function updateUserRiskPremium(address onBehalfOf) external nonReentrant {
     if (!_isPositionManager({user: onBehalfOf, manager: msg.sender})) {
       _checkCanCall(msg.sender, msg.data);
     }
@@ -433,7 +434,7 @@ abstract contract Spoke is ISpoke, Multicall, NoncesKeyed, AccessManagedUpgradea
   }
 
   /// @inheritdoc ISpoke
-  function updateUserDynamicConfig(address onBehalfOf) external {
+  function updateUserDynamicConfig(address onBehalfOf) external nonReentrant {
     if (!_isPositionManager({user: onBehalfOf, manager: msg.sender})) {
       _checkCanCall(msg.sender, msg.data);
     }