Reentrancy guard on external-calling functions

ether.fi's assessment for RD-F-014 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Hats Finance 2023-12 audit found reentrancy in LiquidityPool requestWithdraw (medium severity, reportedly remediated). Liquifier.sol uses nonReentrant on depositWithERC20() and unwrapL2Eth() but NOT on withdrawEther(), which makes an external call to the liquidity pool — a residual reentrancy surface. WithdrawRequestNFT uses checks-effects-interactions pattern correctly. Without full Slither run, exhaustive reentrancy coverage cannot be confirmed.

Sources #

Audit
Hats Finance — medium reentrancy in LiquidityPool requestWithdrawHats Finance 2023-12-20 (Markdown) — reentrancy finding in LiquidityPoolretrieved 2026-04-28
GitHub
Liquifier.sol — withdrawEther() lacks nonReentrantLiquifier.sol source inspectionretrieved 2026-04-28

Methodology #

Determine whether all state-mutating functions that perform external calls carry `nonReentrant` or an equivalent reentrancy guard.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol ether-fi factor RD-F-014 score yellow collected_at 2026-04-28 13:58:46