Financial Toolset
Back to Blog

What is a reentrancy attack?

โ€ขFinancial Toolset Teamโ€ข4 min read

A reentrancy attack occurs when a malicious contract calls back into the vulnerable contract before the first function execution completes. The famous DAO hack in 2016 stole $60M+ using this techni...

What is a reentrancy attack?

Listen to this article

Browser text-to-speech

Understanding Reentrancy Attacks in Smart Contracts

Imagine a bank vault that lets a robber withdraw cash but forgets to update the account balance until after the robber has left. What's to stop them from walking right back in and taking more?

That's the basic idea behind a reentrancy attack. It's a simple but devastating flaw that, in 2016, allowed hackers to drain over $60 million in Ether from a project called The DAO, shaking the young crypto world to its core. If you've ever put money into a DeFi project, this is the kind of hidden danger that could put your funds at risk.

What is a Reentrancy Attack?

A reentrancy attack happens when a malicious contract repeatedly calls a function on a target contract before the first call is finished. Itโ€™s like a digital "cut in line," exploiting the order of operations to trick the contract.

  • Mechanism: An attacker's contract calls a function, like withdraw(). Before the victim's contract can update its internal ledger (e.g., subtract the balance), the attacker's code makes the same call again. This loop allows them to drain funds far beyond their actual balance.
  • Impact: The consequences are often catastrophic, leading to millions of dollars in losses. These attacks serve as a harsh reminder that secure coding isn't just a best practice; it's essential for survival in DeFi.

Key Facts and Prevention Strategies

This isn't just a theoretical problem. Some of the biggest names in crypto have been hit hard by this exact vulnerability.

Famous Incidents

  • The DAO Hack (2016): The big one. Attackers siphoned over $60 million in Ether by repeatedly calling a withdrawal function before the contract could update user balances.
  • Synthetix (2019): A reentrancy bug here didn't steal existing funds but allowed attackers to mint a massive amount of synthetic assets out of thin air.
  • Harvest Finance (2020): This attack on a yield farming protocol exploited a reentrancy vulnerability, resulting in a loss of over $24 million.

Prevention Techniques

Thankfully, developers have learned from these costly mistakes. Here are the standard ways to defend against reentrancy.

  1. Checks-Effects-Interactions Pattern: This is the golden rule. Always perform your checks (e.g., require statements), apply the effects (update balances), and then interact with external contracts. Do your internal bookkeeping first, then send the money.

  2. ReentrancyGuard: Why build a lock from scratch when you can use a battle-tested one? Libraries like OpenZeppelinโ€™s ReentrancyGuard provide a simple modifier you can add to functions, effectively putting up a "Do Not Disturb" sign that prevents a function from being re-entered while it's running.

  3. Automated Tools: Use security analysis tools like MythX and Slither to automatically scan your code for common vulnerabilities, including reentrancy. Think of it as a spell-checker for security flaws.

Practical Example

Hereโ€™s a simplified look at a vulnerable withdrawal function written in Solidity:

function withdraw(uint _amount) external {
    require(balances[msg.sender] >= _amount, "Insufficient balance");
    (bool success, ) = msg.sender.call{value: _amount}("");
    require(success, "Transfer failed");
    balances[msg.sender] -= _amount;
}

See the problem? The code sends the Ether (msg.sender.call) before it subtracts from the balance (balances[msg.sender] -=). By simply swapping those last two lines, the vulnerability disappears.

Common Mistakes and Considerations

  • Cross-Function Reentrancy: The danger isn't always in a single function. A clever attacker might enter through one function and exit through another, creating a more complex reentrancy path. Secure all external calls.
  • Untrusted Contracts: Calling another contract is like inviting a stranger into your house. Even with guards in place, be extremely careful when your code interacts with contracts you didn't write.
  • Atomic State Updates: Make sure that when you change a value, the entire operation completes in one indivisible step. This reduces the window of opportunity for an attacker to strike mid-update.

Bottom Line

Reentrancy attacks are a serious and persistent threat in the DeFi space. For developers, following the "Checks-Effects-Interactions" pattern and using tools like ReentrancyGuard is non-negotiable.

For investors, understanding these risks is just as important. Knowing that a project's developers prioritize security is a key part of learning how to evaluate DeFi projects. After all, the most innovative protocol in the world is worthless if its vault door is left wide open.

Try the Calculator

Ready to take control of your finances?

Calculate your personalized results.

Launch Calculator

Frequently Asked Questions

Common questions about the What is a reentrancy attack?

A reentrancy attack occurs when a malicious contract calls back into the vulnerable contract before the first function execution completes. The famous DAO hack in 2016 stole $60M+ using this techni...
What is a reentrancy attack? | FinToolset