ERC-777/1155/721 hook without reentrancy guard

Polymarket's assessment for RD-F-015 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

CTFExchange V2 inherits ERC1155TokenReceiver and processes ERC-1155 callbacks. The V2 nonReentrant removal (see F014) means ERC-1155 callback paths are not guarded. However, only operators can initiate order matching, limiting attack surface. Cantina/Quantstamp audits reviewed and accepted this design.

Sources #

GitHub
CTF Exchange V2 ERC1155TokenReceiver mixinctf-exchange-v2/src/exchange/mixins/ERC1155TokenReceiver.solretrieved 2026-04-29

Methodology #

Determine whether the protocol integrates token standards with callbacks (ERC-777 tokensReceived, ERC-1155 onReceived, ERC-721 onReceived) without reentrancy guards on the affected functions.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol polymarket factor RD-F-015 score yellow collected_at 2026-04-29 16:25:39