Reentrancy Attack Vulnerability
Reentrancy Attack Vulnerability
A Reentrancy Attack exploits a vulnerability in smart contracts where a function makes an external call to another contract before updating its own state. This allows the external contract, which could be malicious, to re-enter the original function and perform actions such as repeatedly withdrawing funds using the same state. Through this type of attack, an attacker may be able to drain all the funds from a contract.
What is the impact of a Reentrancy Attack?
-
Fund Drainage:
The most immediate and severe consequence is the draining of contract funds. Attackers exploit the vulnerability to withdraw more than they are entitled to, potentially depleting the contract’s entire balance. -
Unauthorized Function Calls:
The attacker can initiate unauthorized calls to the contract’s functions. This could lead to unintended actions within the contract or connected systems.
What actions should be taken?
-
State Changes Before External Calls:
Always ensure that any state changes (such as updating balances) are performed before making external calls to other contracts. In other words, update internal balances or codes before invoking external code. -
Use Function Modifiers to Prevent Reentrancy:
Use modifiers like Reentrancy Guard provided by OpenZeppelin to prevent reentrancy attacks.
Our Solution:
References:
OWASP Smart Contract Top 10 - Reentrancy Attacks
SWC Registry - SWC-107
