Add note about ReimbursementPool reentrancy risk

keep-network · Mar 5, 2024 · 4aa0886 · 4aa0886
1 parent 59a337f
commit 4aa0886
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/solidity/contracts/l2/L1BitcoinDepositor.sol b/solidity/contracts/l2/L1BitcoinDepositor.sol
@@ -259,6 +259,10 @@ contract L1BitcoinDepositor is
 
         _transferTbtc(tbtcAmount, l2DepositOwner);
 
+        // `ReimbursementPool` calls the untrusted receiver address using a
+        // low-level call. Reentrancy risk is mitigated by making sure that
+        // `ReimbursementPool.refund` is a non-reentrant function and executing
+        // reimbursements as the last step of the deposit finalization.
         if (address(reimbursementPool) != address(0)) {
             // If there is a deferred reimbursement for this deposit
             // initialization, pay it out now.