What is Reentrancy Attack?


A reentrancy attack exploits a smart contract vulnerability where an external call allows the attacker to re-enter the contract before the first execution completes — potentially draining funds by repeating withdrawal logic.

WHY IT MATTERS

Reentrancy is the most famous smart contract vulnerability. The pattern: a contract sends ETH to an address before updating its state. The receiving contract's fallback function re-calls the original contract, which still shows the old (higher) balance. The withdrawal repeats until the contract is drained.

The DAO hack (2016, $60M) was a reentrancy attack that led to Ethereum's most controversial hard fork. Although reentrancy is well known, its variants continue to cause exploits: cross-function reentrancy, cross-contract reentrancy, and read-only reentrancy.

Prevention: follow the checks-effects-interactions pattern (update state before external calls), use reentrancy guards (mutexes), and consider using pull-over-push payment patterns.

FREQUENTLY ASKED QUESTIONS

How does the checks-effects-interactions pattern prevent reentrancy?

By updating state (effects) before making external calls (interactions). When the attacker re-enters, the state already reflects the withdrawal, so the check fails.

Is reentrancy still a real threat?

Yes. While simple reentrancy is caught by auditors, novel variants (cross-function, cross-contract, read-only) continue to cause exploits. The Curve Finance exploit in 2023 involved a reentrancy in Vyper.

What is a reentrancy guard?

A mutex (mutual exclusion lock) that prevents a function from being called again while it's still executing. OpenZeppelin's ReentrancyGuard is the standard implementation.
