Ethereum’s only hard fork happened because of a reentrancy attack.
When the first DAO was launched in 2016, it held 14% of the entire Ethereum value.
Today, 4 out of 20+ hacks in 2023 have been reentrancy attacks.
What are they and how to prevent them? 👇
1/ What is a reentrancy attack?
When a hacker "reenters" a function to do something malicious.
A hacker typically exploits a callback function (like a "fallback" function or "onERC721Received") to maliciously "reenter" the victim's contract and execute a malicious transaction.
2/ How do these work?
A user and a malicious contract both deposit funds into a contract.
The malicious contract calls the victim's withdraw function; when the victim sends the funds back, that transfer triggers the malicious contract's fallback function.
Because the victim has not yet updated its accounting, the fallback can call withdraw again, and the attacker repeats this to continuously drain the victim's assets.
3/ An example:
1. "Bank" contract holds 10 ETH & updates state every 24h
2. Hacker opens an account, deposits 1 ETH
3. Hacker withdraws 1 ETH hourly
4. Because accounting is only updated after 24h, hacker is able to do this 24 times
5. Hacker drains bank treasury
4/ 3 ways to prevent them:
a) Reentrancy Guards
Using a reentrancy guard ensures a guarded function can't be entered again while it is still executing, so the attacker's fallback can't call back in.
OpenZeppelin’s ReentrancyGuard.sol has become an industry standard: github.com/OpenZeppelin/o…
5/ b) Checks, Effects, Interaction Pattern (CEI)
The effects/changes in the state variables of the contract should be carried out before any interactions with another contract.
For example, check the customer's balance and deduct the withdrawal from it before sending the funds.
6/ c) Security review
Although audits are not the cure for all exploits, getting one decreases the likelihood of an attack exponentially.
Consider reaching out to @CyfrinAudits for a competitive or private audit of your codebase to find vectors like this and others.
If you enjoyed this thread:
1. Follow me @SoloditOfficial for more of these
2. RT the tweet below to share this thread with your audience
3. Subscribe to Cyfrin's security newsletter here: cyfrin.io/newsletter