Reentrancy guard on external-calling functions
Yearn Finance's assessment for RD-F-014 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
V3 `VaultV3.vy`: `@nonreentrant('lock')` confirmed on the `update_debt()` function per yAudit search results. Vyper 0.3.7 is outside the reentrancy-affected range (0.2.15, 0.2.16, 0.3.0 only). V2 `Vault.vy`: `@nonreentrant('withdraw')` on deposit confirmed from source. V2 deployed Vyper versions (0.2.8, 0.2.12, 0.3.3) are all outside the affected range. Partial confidence because exhaustive coverage of all state-mutating external calls across all strategy contracts is not confirmed from available sources.
Sources
- Vyper Nonreentrancy Lock Vulnerability Technical Post-Mortem: Vyper reentrancy postmortem — affected versions 0.2.15, 0.2.16, 0.3.0 only (retrieved 2026-05-16)
- Vault.vy V2 — `@nonreentrant('withdraw')` on deposit function: Vault.vy V2 source — `@nonreentrant` on deposit (retrieved 2026-05-16)
- VaultV3.vy — `@nonreentrant('lock')` on `update_debt()`: VaultV3.vy source — `@nonreentrant` on `update_debt` (retrieved 2026-05-16)
Methodology
Determine whether all state-mutating functions that perform external calls carry `nonReentrant` or an equivalent reentrancy guard.
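One way to run this check over a single Vyper source file, as an added example (not the curator's or Yearn's tooling): it reads the version pragma, compares it with the affected releases named in the evidence summary, and lists state-mutating `@external` functions that call out without `@nonreentrant`. The function name `audit`, the regex heuristics and the sample contract are assumptions made for illustration.

```python
import re

# Affected compiler releases, as listed in the evidence summary above.
AFFECTED_VYPER = {"0.2.15", "0.2.16", "0.3.0"}
PRAGMA_RE = re.compile(r"^#\s*(?:@version|pragma\s+version)\s+[^\d\n]*(\d+\.\d+\.\d+)", re.M)
DEF_RE = re.compile(r"^def\s+(\w+)\s*\(")
# Heuristic for an external call: raw_call/send, or Interface(addr).method(...)
EXTCALL_RE = re.compile(r"\b(?:raw_call|send)\s*\(|\b[A-Z]\w*\([^()]*\)\.\w+\(")

def audit(source):
    """Report the pragma version, whether it is an affected release, and unguarded
    mutating @external functions. Ignores @internal helpers and multi-line defs."""
    m = PRAGMA_RE.search(source)
    version = m.group(1) if m else None
    funcs, decorators, current = [], [], None
    for line in source.splitlines():
        if not line.strip():
            continue
        name = DEF_RE.match(line)
        if line.startswith("@"):            # decorator above a top-level def
            decorators.append(line.strip())
            current = None
        elif name:
            current = {"name": name.group(1), "decos": " ".join(decorators), "body": []}
            funcs.append(current)
            decorators = []
        elif line[0] in " \t" and current is not None:
            current["body"].append(line.strip())
        else:                               # any other top-level statement
            current = None
    unguarded = []
    for f in funcs:
        mutating = "@external" in f["decos"] and not re.search(r"@(view|pure)\b", f["decos"])
        calls_out = any(EXTCALL_RE.search(l) for l in f["body"] if not l.startswith("#"))
        if mutating and calls_out and "@nonreentrant" not in f["decos"]:
            unguarded.append(f["name"])
    return {"version": version, "compiler_affected": version in AFFECTED_VYPER, "unguarded": unguarded}

# Constructed sample contract with hypothetical function names; not Yearn source.
SAMPLE = '''# @version 0.3.7
@external
@nonreentrant('lock')
def pay_out(to: address, amount: uint256):
    ERC20(self.token).transfer(to, amount)

@external
def sweep(to: address):
    raw_call(to, b"", value=self.balance)
'''
```

A pragma written as a range (for example `^0.3.0`) only bounds the compiler, so the version recorded for the deployed bytecode remains the authoritative input for the affected-release comparison.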