Reentrancy guard on external-calling functions

Pendle Finance's assessment for RD-F-014 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No explicit nonReentrant modifier visible in inspected router action contracts (ActionAddRemoveLiqV3, TokenHelper). Protocol relies on checks-effects-interactions pattern. Penpie exploit (Sept 2024) involved reentrancy in Penpie's code, NOT Pendle core. Multiple audits covered this area without flagging unresolved reentrancy in core.

Sources #

GitHub
TokenHelper.sol source (no nonReentrant)TokenHelper.sol — no reentrancy guardretrieved 2026-04-29
URL
Penpie reentrancy exploit analysis — ThreeSigmaThreeSigma Penpie reentrancy analysisretrieved 2026-04-29

Methodology #

Determine whether all state-mutating functions that perform external calls carry `nonReentrant` or an equivalent reentrancy guard.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol pendle factor RD-F-014 score yellow collected_at 2026-04-28 21:09:40