Reentrancy Attack
A smart contract exploit where a malicious contract calls back into the victim contract before it finishes executing, draining funds in a loop.
Also known as: reentrancy exploit, recursive call attack
Last reviewed: 10 June 2026
Reentrancy is one of the oldest and most studied smart contract vulnerabilities. It occurs when a contract makes an external call to another contract before updating its own state; the external contract can call back into the original function before the state update, re-entering the withdrawal or transfer logic and draining funds repeatedly in a single transaction.
The 2016 DAO hack, which drained approximately USD 60 million in ETH, was a reentrancy attack. Despite years of awareness, reentrancy vulnerabilities continue to appear in newly deployed contracts. Smart contract audits specifically test for this vulnerability.
For consumers, reentrancy attacks represent protocol-level risk: if a DeFi protocol is exploited via reentrancy, all deposited user funds are potentially at risk. Using protocols with multiple independent audits, active bug-bounty programs, and a track record of responding to security researchers reduces (though cannot eliminate) this risk.