Definition
Reentrancy is a class of smart contract vulnerability in which a contract makes an external call that allows the callee to invoke the original contract again before its first execution path has completed. Because the contract’s internal state may not yet be fully updated or locked, this re-entry can be abused to perform operations multiple times under outdated assumptions. In blockchain systems, this often manifests as repeated withdrawals or state modifications that bypass intended balance or access checks. Reentrancy is treated as a critical attack vector in on-chain security analysis and is a common focus of security audits and bug bounty programs.
At a technical level, reentrancy arises from the interaction between contract control flow, persistent storage, and external calls. When a contract exposes functions that transfer value or invoke untrusted smart contracts before finalizing its own state changes, it creates an opening for recursive calls back into sensitive functions. This can allow an attacker-controlled contract to interleave its own logic with the victim’s logic, extracting assets or corrupting state while the victim contract is in an inconsistent intermediate state. The severity of a reentrancy issue depends on which functions can be re-entered, what invariants they assume, and how those invariants are enforced.
Context and Usage
In the context of decentralized applications, reentrancy is referenced as a canonical example of how subtle control-flow bugs can lead to large-scale exploits. Historical incidents where contracts were drained of funds due to reentrancy have shaped best practices for secure smart contract design. As a result, reentrancy checks, patterns, and automated detection rules are now standard components of a thorough security audit for on-chain protocols.
The term is also used more broadly to describe any situation where a contract or component is unexpectedly invoked again while a previous invocation is still active, even outside of direct financial loss scenarios. Security professionals classify reentrancy as an attack vector that must be considered whenever contracts expose external calls in the middle of critical logic. Bug bounty programs frequently highlight reentrancy as a high-impact category, incentivizing researchers to identify and responsibly disclose such vulnerabilities before they can be turned into real-world exploits.