What is a reentrancy attack in Solidity?
A reentrancy attack in Solidity repeatedly withdraws funds from a smart contract and transfers them to an unauthorized contract until the funds have been exhausted. The attack occurs during the execution cycle on the blockchain when bad actors find an exploitable smart contract. Reentrancy attacks have liquidated millions of dollars from DAOs and blockchain protocols.
The following article explains the mechanics of a reentrancy attack, two types of reentrancy attacks, and the preventive measures Solidity developers can take to secure a smart contract from vulnerabilities on the Ethereum and Solana blockchains.
What is a reentrancy attack?
Reentrancy attacks occur when a smart contract function temporarily gives up control flow of the transaction by making an external call to a contract that is sometimes written by unknown or possibly hostile actors. This permits the latter contract to make a recursive call back to the primary smart contract function to drain its funds.
The execution cycle of a smart contract on the Ethereum blockchains checks the balance, sends the funds, and then updates the balance. While the smart contract is in escrow, bad actors can make another call to withdraw funds. The cycle repeats until all funds are effectively drained.
How does a reentrancy attack work?
A reentrancy attack creates a recursive process that transfers funds between two smart contracts, the vulnerable contract and the malicious contract. Here are the steps of a reentrancy attack:
- The bad actor makes a call on the vulnerable contract, "X," to transfer funds to the malicious contract, "Y."
- Contract X determines whether the attacker has the necessary funds, then proceeds to transfer the funds to contract Y.
- Once contract Y receives the funds, it executes a callback function which calls back into contract X before the balance is updated.
- This recursive process continues until all funds have been exhausted and transferred.
The diagram below illustrates the attack scenario:
What are the different types of reentrancy attacks?
There are two types of reentrancy attacks: a single function and cross-function reentrancy attack.
1. Single Reentrancy Attacks
A single reentrancy attack occurs when the vulnerable function is the same function the attacker is trying to recursively call. Single reentrancy attacks are simpler and easier to prevent than cross-function reentrancy attacks.
2. Cross-function Attacks
A cross-function reentrancy attack is feasible only when a vulnerable function shares state with another function that has a desirable effect for the attacker. Cross-function attacks are harder to detect and more difficult to prevent.
Solidity Reentrancy Attack Examples
The following prominent reentrancy attacks further illustrate how bad actors have exploited vulnerabilities in blockchain protocols: The DAO hack, Lendf.me, and Cream Finance.
1. DAO Hack (2016)
The Ethereum DAO was hacked for approximately $60 million in Ether. Ethereum’s DAO was designed as an investment fund where network members could vote on investment decisions directly.
The DAO raised roughly $150 million, but experts and community participants expressed concerns surrounding the smart contract's security that was storing funds. The funds were locked in a smart contract vulnerable to a reentrancy attack due to a recursive call bug in the source code. Before the developer team fixed the problem, a hacker executed an attack and drained the contract.
2. Lendf.me Protocol (2020)
In April 2020, a bad actor stole $25 million using a reentrancy attack from the Lendf.me protocol, a decentralized finance protocol for lending operations on the Ethereum network.
The protocol developers overlooked the fact that ERC-777 tokens contain a callback function that notifies users when money has been sent or received. Hackers exploited the vulnerability by instituting a malicious smart contract as the recipient and draining the Lendf.me protocol of 99.5% of its funds.
3. Cream Finance Hack (2021)
In October 2021, a bad actor stole over $130 million worth of ERC-20 and CREAM liquidity protocol (LP) tokens by using a reentrancy attack on the protocol’s ‘flash loan’ feature. The root cause of the exploit was the erroneous integration of AMP into the CREAM finance protocol.
How to Prevent a Reentrancy Attack
Developing a rigorous blockchain security framework is critical to prevent and mitigate potential damage from a reentrancy attack. The following anti-reentrancy best practices will help developers and the broader web3 community secure their funds: checks, effects and interactions (CEI), reentrancy guards, pull payments, and gas limits.
1. Checks, Effects, and Interactions (CEI)
The CEI process is a rudimentary method to prevent reentrancy. Checks refer to the truthfulness of the condition, effects refer to state modifications that result from interaction, and interactions refer to transactions between functions or contracts.
Potential security risks and loopholes associated with placing executive effects before interactions are an important consideration for developers.
Reentrancy Guard or Mutex
A reentrancy guard or mutex can be created as a function or function modifier. A boolean lock is placed around the function call that is vulnerable to reentrancy. This implies that the initial state of ‘locked’ is false, however, it is set to true immediately before the vulnerable function execution begins and is then quickly set back to false after termination.
A more secure end-to-end transaction is by using the pull payment methodology. The pull payment process mandates using an intermediary escrow to send funds and avoids direct contact with a potentially hostile contact.
By sending funds via an intermediary escrow, the smart contract's funds are protected from a reentrancy attack. The escrow could be subject to reentrancy if it manages funds for multiple accounts. The CEI pattern and reentrancy guard should be implemented where appropriate.
Gas limits are not an optimal method to avert an attacker since gas costs depend on Ethereum’s opcodes, which are subject to change. On the other hand, smart contract code is immutable.
Understanding the difference between the send, transfer, and call functions is important. Send and transfer are effectively the same, but the transfer will revert if the transaction fails and send will not.
Unlike send and transfer, the call function does not have a gas limit and will forward its gas to execute multi-contract transactions. Unfortunately, this also means that reentrancy attacks are possible.
Learn More About Reentrancy Attacks with Alchemy University
The execution cycle of a smart contract on Ethereum is not a foolproof process. Bad actors exploit the blockchain by implementing reentrancy attacks to transfer and drain funds from vulnerable smart contracts. Taking preventive measures will ensure Soldiity developers safer execution cycles and the protection of their blockchain protocols.
To learn about Solidity smart contract development best practices, join Alchemy's free, 7-week Ethereum Developer Bootcamp. Originally a $3,000 certification course taught by ChainShot, Alchemy University's bootcamp is the premier place to learn Solidity for free.