docs(bundlers): add reetrancy disclosure

src/ERC4626Bundler.sol

@@ -19,8 +19,9 @@ abstract contract ERC4626Bundler is BaseBundler {
     /* ACTIONS */
 
     /// @notice Mints the given amount of `shares` on the given ERC4626 `vault`, on behalf of `owner`.
-    /// @dev Pass `type(uint256).max` as `shares` to mint max.
+    /// @dev Warning: `vault` can re-enter the bundler flow.
     /// @dev Assumes the given `vault` implements EIP-4626.
+    /// @dev Pass `type(uint256).max` as `shares` to mint max.
     function erc4626Mint(address vault, uint256 shares, address owner) external payable {
         require(owner != address(0), ErrorsLib.ZERO_ADDRESS);
         /// Do not check `owner != address(this)` to allow the bundler to receive the vault's shares.
@@ -39,8 +40,9 @@ abstract contract ERC4626Bundler is BaseBundler {
     }
 
     /// @notice Deposits the given amount of `assets` on the given ERC4626 `vault`, on behalf of `owner`.
-    /// @dev Pass `type(uint256).max` as `assets` to deposit max.
+    /// @dev Warning: `vault` can re-enter the bundler flow.
     /// @dev Assumes the given `vault` implements EIP-4626.
+    /// @dev Pass `type(uint256).max` as `assets` to deposit max.
     function erc4626Deposit(address vault, uint256 assets, address owner) external payable {
         require(owner != address(0), ErrorsLib.ZERO_ADDRESS);
         /// Do not check `owner != address(this)` to allow the bundler to receive the vault's shares.
@@ -61,8 +63,9 @@ abstract contract ERC4626Bundler is BaseBundler {
     /// @notice Withdraws the given amount of `assets` from the given ERC4626 `vault`, transferring assets to
     /// `receiver`.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
-    /// @dev Pass `type(uint256).max` as `assets` to withdraw max.
+    /// @dev Warning: `vault` can re-enter the bundler flow.
     /// @dev Assumes the given `vault` implements EIP-4626.
+    /// @dev Pass `type(uint256).max` as `assets` to withdraw max.
     function erc4626Withdraw(address vault, uint256 assets, address receiver) external payable {
         require(receiver != address(0), ErrorsLib.ZERO_ADDRESS);
         /// Do not check `receiver != address(this)` to allow the bundler to receive the underlying asset.
@@ -78,8 +81,9 @@ abstract contract ERC4626Bundler is BaseBundler {
 
     /// @notice Redeems the given amount of `shares` from the given ERC4626 `vault`, transferring assets to `receiver`.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
-    /// @dev Pass `type(uint256).max` as `shares` to redeem max.
+    /// @dev Warning: `vault` can re-enter the bundler flow.
     /// @dev Assumes the given `vault` implements EIP-4626.
+    /// @dev Pass `type(uint256).max` as `shares` to redeem max.
     function erc4626Redeem(address vault, uint256 shares, address receiver) external payable {
         require(receiver != address(0), ErrorsLib.ZERO_ADDRESS);
         /// Do not check `receiver != address(this)` to allow the bundler to receive the underlying asset.

src/Permit2Bundler.sol

@@ -19,6 +19,7 @@ abstract contract Permit2Bundler is BaseBundler {
 
     /// @notice Permits and performs a transfer from the initiator to the recipient via Permit2.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
+    /// @dev Warning: `permit.permitted.token` can re-enter the bundler flow.
     /// @dev Pass `permit.permitted.amount = type(uint256).max` to transfer all.
     function permit2TransferFrom(ISignatureTransfer.PermitTransferFrom memory permit, bytes memory signature)
         external

src/PermitBundler.sol

@@ -13,6 +13,7 @@ abstract contract PermitBundler is BaseBundler {
     /// @notice Permits the given `amount` of `asset` from sender to be spent by the bundler via EIP-2612 Permit with
     /// the given `deadline` & EIP-712 signature's `v`, `r` & `s`.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
+    /// @dev Warning: `asset` can re-enter the bundler flow.
     /// @dev Pass `skipRevert == true` to avoid reverting the whole bundle in case the signature expired.
     function permit(address asset, uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s, bool skipRevert)
         external

src/TransferBundler.sol

@@ -19,6 +19,7 @@ abstract contract TransferBundler is BaseBundler {
 
     /// @notice Transfers the minimum between the given `amount` and the bundler's balance of native asset from the
     /// bundler to `recipient`.
+    /// @dev Warning: `recipient` can re-enter the bundler flow.
     /// @dev Pass `amount = type(uint256).max` to transfer all.
     function nativeTransfer(address recipient, uint256 amount) external payable {
         require(recipient != address(0), ErrorsLib.ZERO_ADDRESS);
@@ -33,6 +34,7 @@ abstract contract TransferBundler is BaseBundler {
 
     /// @notice Transfers the minimum between the given `amount` and the bundler's balance of `asset` from the bundler
     /// to `recipient`.
+    /// @dev Warning: `asset` can re-enter the bundler flow.
     /// @dev Pass `amount = type(uint256).max` to transfer all.
     function erc20Transfer(address asset, address recipient, uint256 amount) external payable {
         require(recipient != address(0), ErrorsLib.ZERO_ADDRESS);
@@ -47,6 +49,7 @@ abstract contract TransferBundler is BaseBundler {
 
     /// @notice Transfers the given `amount` of `asset` from sender to this contract via ERC20 transferFrom.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
+    /// @dev Warning: `asset` can re-enter the bundler flow.
     /// @dev Pass `amount = type(uint256).max` to transfer all.
     function erc20TransferFrom(address asset, uint256 amount) external payable {
         address initiator = initiator();

src/UrdBundler.sol

@@ -14,6 +14,7 @@ import {BaseBundler} from "./BaseBundler.sol";
 /// @notice Bundler that allows to claim token rewards on the Universal Rewards Distributor.
 abstract contract UrdBundler is BaseBundler {
     /// @notice Claims `amount` of `reward` on behalf of `account` on the given rewards distributor, using `proof`.
+    /// @dev Warning: `distributor` can re-enter the bundler flow.
     /// @dev Assumes the given distributor implements IUniversalRewardsDistributor.
     /// @dev Pass `skipRevert = true` to avoid reverting the whole bundle in case the proof expired.
     function urdClaim(

src/migration/AaveV2MigrationBundler.sol

@@ -28,6 +28,7 @@ contract AaveV2MigrationBundler is MigrationBundler {
 
     /// @notice Repays `amount` of `asset` on AaveV2, on behalf of the initiator.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
+    /// @dev Warning: `asset` can re-enter the bundler flow.
     /// @dev Pass `amount = type(uint256).max` to repay all.
     function aaveV2Repay(address asset, uint256 amount, uint256 interestRateMode) external payable {
         amount = Math.min(amount, ERC20(asset).balanceOf(address(this)));

src/migration/AaveV3MigrationBundler.sol

@@ -27,6 +27,7 @@ contract AaveV3MigrationBundler is MigrationBundler {
 
     /// @notice Repays `amount` of `asset` on AaveV3, on behalf of the initiator.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
+    /// @dev Warning: `asset` can re-enter the bundler flow.
     /// @dev Pass `amount = type(uint256).max` to repay all.
     function aaveV3Repay(address asset, uint256 amount, uint256 interestRateMode) external payable {
         amount = Math.min(amount, ERC20(asset).balanceOf(address(this)));

src/migration/AaveV3OptimizerMigrationBundler.sol

@@ -28,6 +28,7 @@ contract AaveV3OptimizerMigrationBundler is MigrationBundler {
 
     /// @notice Repays `amount` of `underlying` on the AaveV3 Optimizer, on behalf of the initiator.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
+    /// @dev Warning: `underlying` can re-enter the bundler flow.
     /// @dev Pass `amount = type(uint256).max` to repay all.
     function aaveV3OptimizerRepay(address underlying, uint256 amount) external payable {
         amount = Math.min(amount, ERC20(underlying).balanceOf(address(this)));

src/migration/CompoundV2MigrationBundler.sol

@@ -37,6 +37,7 @@ contract CompoundV2MigrationBundler is WNativeBundler, MigrationBundler {
 
     /// @notice Repays `amount` of `cToken`'s underlying asset, on behalf of the initiator.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
+    /// @dev Warning: `cToken` can re-enter the bundler flow.
     /// @dev Pass `amount = type(uint256).max` to repay all.
     function compoundV2Repay(address cToken, uint256 amount) external payable {
         if (cToken == C_ETH) {
@@ -62,6 +63,7 @@ contract CompoundV2MigrationBundler is WNativeBundler, MigrationBundler {
 
     /// @notice Redeems `amount` of `cToken` from CompoundV2.
     /// @dev Initiator must have previously transferred their cTokens to the bundler.
+    /// @dev Warning: `cToken` can re-enter the bundler flow.
     /// @dev Pass `amount = type(uint256).max` to redeem all.
     function compoundV2Redeem(address cToken, uint256 amount) external payable {
         amount = Math.min(amount, ERC20(cToken).balanceOf(address(this)));

src/migration/CompoundV3MigrationBundler.sol

@@ -21,6 +21,7 @@ contract CompoundV3MigrationBundler is MigrationBundler {
 
     /// @notice Repays `amount` of `asset` on the CompoundV3 `instance`, on behalf of the initiator.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
+    /// @dev Warning: `instance` can re-enter the bundler flow.
     /// @dev Assumes the given instance is a CompoundV3 instance.
     /// @dev Pass `amount = type(uint256).max` to repay all.
     function compoundV3Repay(address instance, address asset, uint256 amount) external payable {
@@ -36,6 +37,7 @@ contract CompoundV3MigrationBundler is MigrationBundler {
 
     /// @notice Withdraws `amount` of `asset` on the CompoundV3 `instance`.
     /// @dev Initiator must have previously transferred their CompoundV3 position to the bundler.
+    /// @dev Warning: `instance` can re-enter the bundler flow.
     /// @dev Assumes the given `instance` is a CompoundV3 instance.
     /// @dev Pass `amount = type(uint256).max` to withdraw all.
     function compoundV3Withdraw(address instance, address asset, uint256 amount) external payable {
@@ -45,6 +47,7 @@ contract CompoundV3MigrationBundler is MigrationBundler {
     /// @notice Withdraws `amount` of `asset` from the CompoundV3 `instance`, on behalf of the initiator.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
     /// @dev Initiator must have previously approved the bundler to manage their CompoundV3 position.
+    /// @dev Warning: `instance` can re-enter the bundler flow.
     /// @dev Assumes the given `instance` is a CompoundV3 instance.
     /// @dev Pass `amount = type(uint256).max` to withdraw all.
     function compoundV3WithdrawFrom(address instance, address asset, uint256 amount) external payable {
@@ -54,6 +57,7 @@ contract CompoundV3MigrationBundler is MigrationBundler {
     /// @notice Approves the bundler to act on behalf of the initiator on the CompoundV3 `instance`, given a signed
     /// EIP-712 approval message.
     /// @notice Warning: should only be called via the bundler's `multicall` function.
+    /// @dev Warning: `instance` can re-enter the bundler flow.
     /// @dev Assumes the given `instance` is a CompoundV3 instance.
     function compoundV3AllowBySig(
         address instance,