Reentrancy guard on external-calling functions

Liquity V1 + V2 (LUSD / BOLD)'s assessment for RD-F-014 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

StabilityPool source inspection confirms no explicit nonReentrant modifier on functions that make external token transfers (boldToken.burn, collToken.safeTransfer). The collateral tokens (WETH, wstETH, rETH) are well-behaved ERC-20s with no reentrancy callbacks, making this a low-probability risk. Cantina 800-researcher competition and all other audits found no reentrancy exploit in core. Risk is partially mitigated by architecture, but absence of explicit guards is a yellow signal.

Sources #

GitHub
Liquity v2 StabilityPool.sol sourcev2 StabilityPool.sol — no explicit nonReentrant modifier visible on external-calling functionsretrieved 2026-05-16
Audit
Cantina v2 Audit Competition resultsCantina competition 0 critical/0 high — no reentrancy exploit foundretrieved 2026-05-16

Methodology #

Determine whether all state-mutating functions that perform external calls carry `nonReentrant` or an equivalent reentrancy guard.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol liquity factor RD-F-014 score yellow collected_at 2026-05-16 10:35:50