Definition
A reentrancy attack is a class of smart contract vulnerability in which an external contract repeatedly invokes a function before the original call has completed its state changes. It exploits the order of operations in a contract that sends value or makes external calls before securely updating internal balances or other critical state. By reentering the vulnerable function multiple times in a single transaction, an attacker can drain funds or manipulate logic that assumes state has already been updated.
This attack is most commonly associated with EVM-based environments, where contracts can call other contracts that in turn call back into the original contract. If the original contract’s logic is not written to be reentrancy-safe, the attacker’s contract can recursively trigger withdrawals or other privileged actions. The vulnerability arises from the interaction between control flow and state management, rather than from a flaw in the underlying blockchain consensus itself.
Context and Usage
Reentrancy attacks are a critical concern in security reviews of any Smart Contract that handles value, such as those managing token balances, liquidity pools, or Wallet-like custody logic. They highlight the risks of making external calls to untrusted contracts or addresses before internal accounting is finalized. In complex systems involving components like an Oracle or a Bridge, reentrancy risks can be amplified when multiple contracts depend on each other’s callbacks and assumptions about state.
Within the broader security landscape, the term “reentrancy attack” is used to describe both the specific exploit pattern and the general category of bugs where reentrant calls violate a contract’s invariants. It is a canonical example of how composability in EVM ecosystems introduces powerful capabilities alongside subtle attack surfaces. As a result, reentrancy has become a standard focus area in formal verification, audits, and defensive design patterns for smart contract development.