Document erc4626 hooks reentrancy potential (#1449)

* Release v2.0.0-alpha.1 (#1423)

* Add version changelog

* Bump version to 2.0.0-alpha.1 and update presets page

* Bump snforge to 0.42.0 (#1429)

* Bump snforge to 0.42.0

* Add changelog entry

* Support snforge changes in tests

* Fix expected error messages

* Release openzeppelin_testing v4.0.0 (#1430)

* Add new version to the changelog

* Bump openzeppelin_testing version to 4.0.0 and update docs

* add docs badge (#1435)

* Chore(deps): Bump DavidAnson/markdownlint-cli2-action (#1434)

Bumps [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action) from 19.1.0 to 20.0.0.
- [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases)
- [Commits](DavidAnson/markdownlint-cli2-action@05f3221...992badc)

---
updated-dependencies:
- dependency-name: DavidAnson/markdownlint-cli2-action
  dependency-version: 20.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix broken Components chapter link (#1433)

* Bump snforge to 0.43.1 (#1436)

* Bump snforge to 0.43.1

* Add changelog entry

* Release openzeppelin_testing v4.0.1 (#1438)

* Add changelog for openzeppelin_testing v4.0.1

* Bump openzeppelin_testing version to 4.0.1 and update docs

* Bump snforge to 0.44.0 (#1439)

* Bump snforge to 0.44.0

* Add changelog entry for new version of openzeppelin_testing

* Release openzeppelin_testing v4.1.0 (#1442)

* Add version changelog for openzeppelin_testing 4.1.0

* Bump openzeppelin_testing version to 4.1.0 and update docs

* Chore(deps): Bump crate-ci/typos from 1.31.1 to 1.33.1 (#1448)

Bumps [crate-ci/typos](https://github.com/crate-ci/typos) from 1.31.1 to 1.33.1.
- [Release notes](https://github.com/crate-ci/typos/releases)
- [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md)
- [Commits](crate-ci/typos@b1a1ef3...b1ae8d9)

---
updated-dependencies:
- dependency-name: crate-ci/typos
  dependency-version: 1.33.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: add comment to hooks

* docs: update hooks in ERC4626 docs

* Chore(deps-dev): Bump @openzeppelin/docs-utils in /docs (#1450)

Bumps @openzeppelin/docs-utils from 0.1.5 to 0.1.6.

---
updated-dependencies:
- dependency-name: "@openzeppelin/docs-utils"
  dependency-version: 0.1.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: immrsd <103599616+immrsd@users.noreply.github.com>
Co-authored-by: Maximilian Hubert <64627729+gap-editor@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Niken <danylonepritvoreniy@gmail.com>

Author: 5 people

.github/workflows/test.yml

@@ -38,7 +38,7 @@ jobs:
         run: curl -L https://raw.githubusercontent.com/software-mansion/cairo-coverage/main/scripts/install.sh | sh
 
       - name: Markdown lint
-        uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v16
+        uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e # v16
         with:
           globs: |
             *.md

.github/workflows/typos.yaml

@@ -10,4 +10,4 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Check for typos
-        uses: crate-ci/typos@b1a1ef3893ff35ade0cfa71523852a49bfd05d19
+        uses: crate-ci/typos@b1ae8d918b6e85bd611117d3d9a3be4f903ee5e4

README.md

@@ -2,6 +2,7 @@
 
 [![Lint and test](https://github.com/OpenZeppelin/cairo-contracts/actions/workflows/test.yml/badge.svg)](https://github.com/OpenZeppelin/cairo-contracts/actions/workflows/test.yml)
 [![License](https://img.shields.io/github/license/OpenZeppelin/cairo-contracts)](https://github.com/OpenZeppelin/cairo-contracts/blob/main/LICENSE)
+[![Docs](https://img.shields.io/badge/docs-%F0%9F%93%84-yellow)](https://docs.openzeppelin.com/contracts-cairo/1.0.0/)
 
 **A library for secure smart contract development** written in Cairo for [Starknet](https://starkware.co/product/starknet/), a decentralized ZK Rollup.
 

Scarb.lock

@@ -133,7 +133,7 @@ dependencies = [
 
 [[package]]
 name = "openzeppelin_testing"
-version = "3.0.0"
+version = "4.1.0"
 dependencies = [
  "snforge_std",
 ]
@@ -171,15 +171,15 @@ dependencies = [
 
 [[package]]
 name = "snforge_scarb_plugin"
-version = "0.41.0"
+version = "0.44.0"
 source = "registry+https://scarbs.xyz/"
-checksum = "sha256:7228a3ea74d8decfb2294cee9251b537bbd58b3e243e9327f55e72a99ab5fb53"
+checksum = "sha256:ec8c7637b33392a53153c1e5b87a4617ddcb1981951b233ea043cad5136697e2"
 
 [[package]]
 name = "snforge_std"
-version = "0.41.0"
+version = "0.44.0"
 source = "registry+https://scarbs.xyz/"
-checksum = "sha256:edf116cbf62cbe2487f188cf28ceb9f42b08cfa14e197524281c3ce932f4a5e6"
+checksum = "sha256:d4affedfb90715b1ac417b915c0a63377ae6dd69432040e5d933130d65114702"
 dependencies = [
  "snforge_scarb_plugin",
 ]

Scarb.toml

@@ -44,7 +44,7 @@ keywords = [
 [workspace.dependencies]
 assert_macros = "2.11.4"
 starknet = "2.11.4"
-snforge_std = "0.41.0"
+snforge_std = "0.44.0"
 
 [dependencies]
 starknet.workspace = true

docs/modules/ROOT/pages/api/erc20.adoc

@@ -906,6 +906,14 @@ use openzeppelin_token::erc20::extensions::erc4626::ERC4626Component;
 Extension of ERC20 that implements the <<IERC4626,IERC4626>> interface which allows the minting and burning of "shares" in exchange for an underlying "asset."
 The component leverages traits to configure fees, limits, and decimals.
 
+CAUTION: Note on hooks. Special care must be taken when calling external contracts from them. In
+that case, consider implementing reentrancy protections. For example, in the
+`withdraw` flow, the `withdraw_limit` is checked *before* the `before_withdraw` hook
+is invoked. If this hook performs a reentrant call that invokes `withdraw` again, the
+subsequent check on `withdraw_limit` will be done before the first withdrawal’s core logic
+(e.g., burning shares and transferring assets) is executed. This could
+lead to bypassing withdrawal constraints or draining funds.
+
 [.contract-index]
 .{immutable-config}
 --

docs/modules/ROOT/pages/components.adoc

@@ -3,7 +3,7 @@
 The following documentation provides reasoning and examples on how to use Contracts for Cairo components.
 
 :shamans-post: https://community.starknet.io/t/cairo-components/101136#components-1[Starknet Shamans post]
-:cairo-book: https://book.cairo-lang.org/ch99-01-05-00-components.html[Cairo book]
+:cairo-book: https://book.cairo-lang.org/ch103-02-00-composability-and-components.html[Cairo book]
 
 Starknet components are separate modules that contain storage, events, and implementations that can be integrated into a contract.
 Components themselves cannot be declared or deployed.

docs/modules/ROOT/pages/erc4626.adoc

@@ -276,8 +276,11 @@ pub mod ERC4626Fees {
 
     const _BASIS_POINT_SCALE: u256 = 10_000;
 
+    ///
     /// Hooks
-    impl ERC4626HooksEmptyImpl of ERC4626Component::ERC4626HooksTrait<ContractState> {
+    ///
+
+    impl ERC4626HooksImpl of ERC4626Component::ERC4626HooksTrait<ContractState> {
         fn after_deposit(
             ref self: ERC4626Component::ComponentState<ContractState>, assets: u256, shares: u256,
         ) {

docs/package-lock.json

@@ -10,6 +10,6 @@
   "author": "",
   "license": "ISC",
   "devDependencies": {
-    "@openzeppelin/docs-utils": "^0.1.2"
+    "@openzeppelin/docs-utils": "^0.1.6"
   }
 }