Re-entrancy Attack

Security

A re-entrancy attack is a type of exploit targeting smart contracts where malicious code tricks a contract into calling out to an attacker's contract before finishing its own internal bookkeeping — and that external call then calls back into the original contract again, repeating the cycle.

The key vulnerability is that the attacked contract sends funds or takes action before it has updated its own records to reflect that those funds have left. By repeatedly “re-entering” the contract before the records update, an attacker can drain funds far beyond what they were legitimately entitled to.

To understand why this happens, consider how a smart contract handles a withdrawal. The naive order of operations might be: check balance, send funds, then update balance. The problem is the second step — sending funds — gives control to the recipient’s code before the third step happens. If the recipient’s code immediately calls the withdrawal function again, the contract still sees the old (incorrect) balance and sends more funds. This loop continues until the contract is drained or runs out of gas.
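The two orderings described above, as an added Python model that is not part of the original page: the vault hands control to the recipient's callback the way an EVM value transfer does, the naive version sends before it records, and the hardened version records first (checks-effects-interactions) and also rejects a nested call with a simple guard. The account names and amounts are constructed for illustration.

```python
# Added example (not the page's code): model of the naive vs. safe withdrawal order.
class Vault:
    def __init__(self, reentrancy_safe):
        self.balances = {}          # per-account bookkeeping
        self.total = 0              # funds the contract actually holds
        self.safe = reentrancy_safe
        self._locked = False        # mutex, like a re-entrancy guard

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def withdraw(self, caller):
        if self.safe and self._locked:
            raise RuntimeError("re-entrant call rejected")  # nested call fails
        amount = self.balances.get(caller.name, 0)
        if amount == 0 or amount > self.total:
            return
        if self.safe:
            self._locked = True
            self.balances[caller.name] = 0   # EFFECT: record the withdrawal first
            self.total -= amount
            caller.receive(self, amount)     # INTERACTION last
            self._locked = False
        else:
            self.total -= amount
            caller.receive(self, amount)     # control leaves while records are stale
            self.balances[caller.name] = 0   # too late: already re-entered above

class Attacker:
    name = "attacker"
    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if vault.total >= amount:            # re-enter while the vault can still pay
            try:
                vault.withdraw(self)
            except RuntimeError:
                pass                         # guarded vault rejected the nested call

def run(reentrancy_safe):
    # Constructed scenario; returns (attacker's take, funds left in the vault).
    vault = Vault(reentrancy_safe)
    vault.deposit("honest_users", 9)
    attacker = Attacker()
    vault.deposit(attacker.name, 1)          # attacker is entitled to exactly 1
    vault.withdraw(attacker)
    return attacker.received, vault.total
```

With the naive order `run(False)` returns `(10, 0)`: one unit deposited, the whole vault taken. With the safe order `run(True)` returns `(1, 9)`.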

Re-entrancy attacks are not theoretical — the most famous incident in crypto history was the 2016 hack of “The DAO,” an early decentralized investment fund on Ethereum, where an attacker exploited exactly this vulnerability to drain approximately $60 million worth of Ether. The incident was so severe that it led to a controversial decision to “fork” the Ethereum blockchain and reverse the transactions, splitting the community and creating Ethereum Classic in the process.

Example: Imagine an ATM that gives you cash before it records the withdrawal in the bank’s database. If you could stand at the ATM and press “withdraw $100” repeatedly before that first transaction ever finishes logging, you could drain the machine. A re-entrancy attack exploits the exact same logical flaw — acting before the record-keeping catches up.