← Back to Blog
Security

Understanding Reentrancy Attacks

By Michael RodriguezOctober 5, 202512 min read

Deep dive into reentrancy attacks, how they work, and effective mitigation strategies.

Understanding Reentrancy Attacks

Reentrancy attacks are among the most devastating vulnerabilities in smart contract security. Let's explore how they work and how to prevent them.

What is Reentrancy?

Reentrancy occurs when a contract function makes an external call to another contract, and that contract calls back into the original function before the first call completes. This can lead to state inconsistencies and fund drainage.

How Reentrancy Works

The Attack Vector

1. Attacker calls a vulnerable function 2. Function makes an external call (e.g., transfer funds) 3. Attacker's contract receives the call 4. Attacker's contract calls back into the original function 5. State hasn't been updated yet, so the attack succeeds

Example Vulnerable Code

function withdraw() public {
    uint amount = balances[msg.sender];
    require(amount > 0);
    
    (bool success, ) = msg.sender.call{value: amount}("");
    require(success);
    
    balances[msg.sender] = 0; // Too late!
}

Mitigation Strategies

1. Checks-Effects-Interactions Pattern

Always follow this order: 1. **Checks**: Validate conditions 2. **Effects**: Update state 3. **Interactions**: Make external calls

2. ReentrancyGuard Modifier

Use OpenZeppelin's ReentrancyGuard:

import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

contract MyContract is ReentrancyGuard {
    function withdraw() public nonReentrant {
        // Safe withdrawal logic
    }
}

3. Pull Payment Pattern

Instead of pushing payments, let users pull their funds:

mapping(address => uint) public pendingWithdrawals;

function requestWithdrawal(uint amount) public {
    // Update state first
    pendingWithdrawals[msg.sender] += amount;
    balances[msg.sender] -= amount;
}

function withdraw() public {
    uint amount = pendingWithdrawals[msg.sender];
    pendingWithdrawals[msg.sender] = 0;
    payable(msg.sender).transfer(amount);
}

Real-World Examples

The DAO hack in 2016 is a famous example of a reentrancy attack that led to the Ethereum hard fork. More recently, the Fei Protocol incident demonstrated how complex protocols can be vulnerable.

Conclusion

Reentrancy attacks remain a critical threat. Always update state before external calls, use proven security patterns, and consider multiple layers of protection.

Share this article

TwitterLinkedIn

Related Articles

Security

Common Smart Contract Vulnerabilities in 2025

An overview of the most critical vulnerabilities found in smart contracts this year and how to prevent them.

Read More →Security

Formal Verification in Smart Contract Security

An introduction to formal verification and how it can enhance your security audit process.

Read More →