myctrl.tools

SC08Reentrancy Attacks

>Control Description

Reentrancy describes any situation where a smart contract performs an external call (to another contract or address), and the callee can call back into the original contract before the first invocation has completed and state has been fully updated. The vulnerability affects DeFi protocols (token transfers, DEX swaps, vault operations, flash loan callbacks), NFT systems (ERC-721/1155 receiver hooks, marketplace payouts), DAOs (proposal execution), bridges (message relay, asset transfers), and composable protocols (ERC-777 hooks, ERC-4626 deposit/withdraw hooks). **Attack Variants:** - Single-function reentrancy (recursive calls to same function) - Cross-function reentrancy (callbacks into different functions) - Cross-contract reentrancy (callbacks traversing multiple contracts) - Read-only reentrancy (view functions or oracles reading stale state during callbacks) **Key Risk Areas:** - State changes occurring after external calls - Callback and hook interfaces creating unexpected reentry points - Read-your-writes assumptions between functions - Complex call graphs with mid-transaction state inconsistency

>Prevention & Mitigation Strategies

  1. 1.Use OpenZeppelin's ReentrancyGuard (nonReentrant modifier) on all stateful functions that modify balances/accounting or perform external calls.
  2. 2.Apply the checks-effects-interactions pattern: verify preconditions, execute all state modifications, then invoke external contracts.
  3. 3.Validate transfer return values and revert on failure.
  4. 4.Treat ERC-777 hooks, ERC-4626 hooks, and other callbacks as potential reentrancy vectors.
  5. 5.Review cross-function interactions carefully (e.g., functions calling each other internally).
  6. 6.Examine multi-contract systems for reentrancy across module boundaries.
  7. 7.Implement reentrancy-focused fuzzing and unit testing.

>Attack Scenarios

#1GMX V1 (July 2025, $42M loss)

GMX V1 contracts were exploited via a classic yet sophisticated reentrancy vector in executeDecreaseOrder. The function accepted attacker-controlled contract addresses as parameters; during refund processing, re-entry enabled manipulation of global average short prices, AUM, and GLP valuations. The vulnerability existed due to state updates after external calls and absent reentrancy guards, introduced via an unaudited 2022 patch.

>References

Ask AI

Configure your API key to use AI features.