
Reentrancy Attack


A reentrancy attack happens when a function is repeatedly called before its previous execution completes or the state is updated, potentially allowing an attacker to manipulate the system’s state.

In Solidity smart contracts, this attack occurs when execution flow is handed to an external contract, typically via an external call such as an Ether transfer, before the calling function has finished. The external contract can then call back into (re-enter) the original function while it is still mid-execution, and manipulate state that has not yet been updated.

Reentrancy is a state synchronization problem: it arises when the contract's state is not updated before the external call is made. As a result, when the function is re-entered, it sees the same state as during the first call (for example, an unchanged balance).

The proper way to mitigate this and ensure functions perform as intended is to follow the Solidity checks-effects-interactions pattern:

  1. Checks: Verify the caller's state (e.g., ensure the caller has a balance to withdraw).
  2. Effects: Update global state (e.g., decrease the caller's balance in a mapping).
  3. Interactions: If checks pass, perform an external call (e.g., transfer tokens).

For a comprehensive deep dive with examples of the various types of reentrancy attacks and preventions, check out the full guide.
