Security

Reentrancy

Smart contract vulnerability where recursive calls allow draining funds before state updates.

Last Updated

2026-03-29

Related Concepts

Smart Contract, Exploit, Delegatecall

What is Reentrancy?

Reentrancy is a smart contract vulnerability where a malicious contract repeatedly calls back into a target function before its first execution completes. This lets an attacker drain funds by exploiting the gap between when funds are sent and when balances are updated.

How does Reentrancy work?

  1. A vulnerable function sends funds to an external address before updating the sender's internal balance.
  2. The attacker's contract receives the funds and immediately calls the withdrawal function again.
  3. Because the balance hasn't been reduced yet, the request passes validation.
  4. The loop repeats until the contract is drained or runs out of gas.

Why does Reentrancy matter?

It caused the 2016 DAO hack, resulting in 3.6 million ETH stolen and a controversial hard fork of Ethereum. It remains a top audit priority today.

Key features of Reentrancy

  • Exploits the gap between fund transfer and state update
  • Can drain an entire protocol in a single transaction
  • Prevented by the Checks-Effects-Interactions pattern
  • Mitigated with OpenZeppelin's nonReentrant modifier

Examples of Reentrancy

The DAO hack is the most famous case. Today, adding nonReentrant to a withdrawal function takes 1 line of code and blocks the attack entirely.

External References

  • Smart Contract Security
  • ReentrancyGuard