Re-entrancy Attack (J31) - Deepstash


OG Scam That Still Hits Hard

Let’s be real: Ethereum changed the game.

It didn’t just say, “Yo, let’s move crypto.”

It said, “What if you could build apps on the blockchain?”

And boom—smart contracts. dApps. The Ethereum Virtual Machine. All that good stuff.

BUT…

With great code comes great responsibility—and unfortunately, some super old bugs are still haunting us.

Enter: Reentrancy Attacks.

They’re like the ex that just won’t stop calling.


The contract trusted too soon—and paid for it endlessly.

ANON


Imagine you’re sending money to someone, and while you’re doing that, they sneak back in and say, “Actually, send me that money again. And again. And again…” until your wallet's dry and you're wondering why you ever trusted them.

That’s reentrancy.

It’s when a hacker abuses a smart contract’s flow and repeatedly calls back into a withdrawal function before the balance updates.

And yeah—it’s as bad as it sounds.

“Aren’t We Past That?”

Not really.


He knocked once. They answered forever.

ANON


Some folks think these attacks are ancient history.

But here’s the tea: 4 out of 24 major Web3 hacks in the first half of 2023 were reentrancy-based.

Clearly, this vampire of a bug still bites.

Flashback: The DAO Hack (aka Web3’s First Public L)

Back in 2016, the DAO got wrecked—like, $60 million gone wrecked—because of a reentrancy vulnerability.

And because it was the first major DAO ever, it was a really bad look for blockchain.

Trust got shattered.

Headlines screamed “Crypto is the Wild West.”

And honestly?

That reputation still lingers.


Some Other High-Key Messes:

Uniswap + Lendf.Me (2020): $25M each gone.

Cream Finance (2021): $18.8M—poof.

BurgerSwap (2021): $7.2M, served cold.

Siren Protocol: $3.5M, all thanks to AMM pool manipulation.

SURGEBNB: $4M vanished via price manipulation.

And yeah… it keeps happening.


Okay, But How Does It Actually Work?

Let’s break it down:

1. Hacker contract (let’s call it A) deposits a lil’ ETH into victim contract B.

2. A asks B for a withdrawal.

3. B starts the withdrawal but before it can update A’s balance…

4. A jumps back in (re-enters) and says, “Hey, give me more ETH.”

5. Rinse and repeat until B is broke.

This works because B doesn’t update balances before sending funds, which is like letting someone take money out of an ATM before checking their actual account balance. Classic mistake.


Analogy Time

Picture this: a small-town bank doesn’t update withdrawal balances until the end of the day.

Along comes Abraham, who figures this out. He withdraws $5000, then again, and again—before the bank notices anything’s off.

By nightfall, the vault’s empty.

That’s a reentrancy attack IRL.

Dumb mistake.

Huge loss.


Flavors of Reentrancy (Yup, It’s Not Just One Kind)

1. Single-function Reentrancy:

Same function gets re-entered. Classic and easy to exploit.

2. Cross-function Reentrancy:

One function messes with another's shared state. Harder to detect. Sneakier.

3. Cross-contract Reentrancy:

Multiple contracts share variables. Hacker jumps from one to another mid-call. Ultimate tag-team scam.
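
For the cross-function flavor, the defensive point is that a lock has to cover every function that touches the shared state, not just the one sending ETH. This is an added example with hypothetical names, not code from the page or from any project mentioned here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: names are hypothetical.
contract SharedStateVault {
    mapping(address => uint256) public balances;

    uint256 private constant UNLOCKED = 1;
    uint256 private constant LOCKED = 2;
    uint256 private lock = UNLOCKED;

    // One contract-wide lock: while any guarded function is running,
    // every other guarded function reverts on entry.
    modifier nonReentrant() {
        require(lock == UNLOCKED, "reentrant call");
        lock = LOCKED;
        _;
        lock = UNLOCKED;
    }

    function deposit() external payable nonReentrant {
        balances[msg.sender] += msg.value;
    }

    // Reads and writes the same mapping as withdraw(). Left unguarded, it
    // could be entered from the recipient's callback during withdraw().
    function transfer(address to, uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }

    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0; // effect before interaction, on top of the lock
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The lock lives in this contract's storage, so it does nothing for the cross-contract flavor, where the shared state is read or written by a different contract.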


More Real-World Hits

  1. WETH (Pre-DAO days): Was actually an intentional hack to save the project.
  2. Fei Protocol: Flash loan + reentrancy = exploit unlocked.
  3. Revest Finance: Cross-function reentrancy stole $2M like it was nothing.


So… Should You Care?

YES.

Smart contracts are running billion-dollar protocols now.

If a bug like reentrancy still sneaks in, it could wipe out entire ecosystems.

If you're coding smart contracts or even just using dApps, this matters.

Security ain’t just for devs—it’s for everyone.

Bottom Line:

Reentrancy attacks may be old, but they’re not dead.

Know them.

Spot them.

Fix them.

Or watch your protocol end up in a “Top 10 Worst Crypto Hacks” YouTube video.


The EVM blinked. That’s all it took.

ANON


Reentrancy doesn’t break the rules—it exploits their laziness.

ANON


IDEAS CURATED BY

booksucker

Weird. Unconventional.

CURATOR'S NOTE

It’s not a hack. It’s a dance. One step in, two steps out—with your money.
