Slither: reentrancy-balance finding in DistributionManager._makeWithdrawableAmount #258

@neekolas

Description

Slither Finding

Detector: reentrancy-balance (HIGH severity)
Introduced by: Slither 0.11.5 (new detector not present in 0.11.3)
File: src/settlement-chain/DistributionManager.sol lines 376-392

Description

Slither's new reentrancy-balance detector flags a potential reentrancy issue in DistributionManager._makeWithdrawableAmount(uint96):

Reentrancy in DistributionManager._makeWithdrawableAmount(uint96) (src/settlement-chain/DistributionManager.sol#376-392):
  External call allowing reentrancy:
  - available_ += IPayerRegistryLike(payerRegistry).sendExcessToFeeDistributor() (line 383)
  Balance read before the call:
  - available_ = uint96(IERC20Like(feeToken).balanceOf(address(this))) (line 379)
  Possible stale balance used after the call in a condition:
  - available_ == 0 (line 388)
    - stale variable `available_`

The function reads the fee token balance, then makes an external call to sendExcessToFeeDistributor(), and subsequently uses the pre-call balance value. The detector flags that available_ could be stale after the external call.

Current Mitigation

The reentrancy-balance detector has been added to detectors_to_exclude in slither.config.json to unblock CI. This should be reviewed and either:

  1. Confirmed as a false positive / acceptable pattern and kept excluded
  2. Fixed if it represents a real risk, then the exclusion removed

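A constructed Solidity illustration of the shape the reentrancy-balance detector reports and of two ways to make it go away, added here as an example; it is not the project's DistributionManager. Only the interface and method names (IERC20Like, IPayerRegistryLike, sendExcessToFeeDistributor, feeToken, payerRegistry) are taken from the Slither output above; the accounting via accountedBalance, the guard flag and the assumed semantics of sendExcessToFeeDistributor are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not the project's code. Interface names follow the
// Slither output; their behaviour and the accounting below are assumptions.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
}

interface IPayerRegistryLike {
    // Assumed: pushes excess fee tokens to the caller and returns the amount pushed.
    function sendExcessToFeeDistributor() external returns (uint96);
}

contract StaleBalanceExample {
    address public immutable feeToken;
    address public immutable payerRegistry;
    // Fee tokens already credited as withdrawable (assumed invariant: nothing
    // leaves the contract without decrementing this alongside the balance).
    uint96 public accountedBalance;
    bool private _entered;

    constructor(address feeToken_, address payerRegistry_) {
        feeToken = feeToken_;
        payerRegistry = payerRegistry_;
    }

    // Reproduces the three elements the detector reports:
    // (1) balance read, (2) external call, (3) pre-call value reused in a condition.
    function makeWithdrawableFlagged() external returns (uint96 available_) {
        available_ = uint96(IERC20Like(feeToken).balanceOf(address(this)));          // (1)
        available_ += IPayerRegistryLike(payerRegistry).sendExcessToFeeDistributor(); // (2)
        available_ -= accountedBalance;                                               // newly available
        if (available_ == 0) return 0;                                                // (3) built on the pre-call read
        accountedBalance += available_;
    }

    // Remediation A: make the external call first and take a single balance read
    // after it. No value read before the call survives to go stale, so the check
    // reflects what the contract actually holds at that point.
    function makeWithdrawableReordered() external returns (uint96 available_) {
        IPayerRegistryLike(payerRegistry).sendExcessToFeeDistributor();
        available_ = uint96(IERC20Like(feeToken).balanceOf(address(this)));
        available_ -= accountedBalance;
        if (available_ == 0) return 0;
        accountedBalance += available_;
    }

    // Remediation B: keep the original order but block re-entry into this
    // contract for the duration of the call, so no guarded function can change
    // accountedBalance between the read and the check. Caveat: the guard does
    // not stop a plain token transfer into this contract during (2); that only
    // makes the cached balance an underestimate, but A is the more robust fix.
    function makeWithdrawableGuarded() external returns (uint96 available_) {
        require(!_entered, "reentrant call");
        _entered = true;
        available_ = uint96(IERC20Like(feeToken).balanceOf(address(this)));
        available_ += IPayerRegistryLike(payerRegistry).sendExcessToFeeDistributor();
        _entered = false;
        available_ -= accountedBalance;
        if (available_ == 0) return 0;
        accountedBalance += available_;
    }
}
```

The first function carries the three elements the detector looks for; the other two either remove the pre-call read or make the window between read and check unreachable from this contract. If the real pattern is triaged as acceptable (for example because payerRegistry is a trusted contract whose return value is exactly the amount transferred), wrapping just that function in `// slither-disable-start reentrancy-balance` and `// slither-disable-end reentrancy-balance` keeps the detector active for the rest of the code base, which is narrower than the global detectors_to_exclude entry.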