Reentrancy

Reentrancy is a recursive call issue where a malicious contract calls back into the calling contract before the first call has completed. If a state update is performed only after an external call (for example, zeroing a user's balance after sending them funds), every reentrant call observes the stale state and the update effectively never takes effect until the funds have been drained.

The reentrant calls continue until the attacker's contract stops re-entering (typically once the victim contract's balance is drained), or until gas is exhausted or the EVM call-depth limit is reached, at which point the innermost call fails.

https://swcregistry.io/docs/SWC-107[SWC 107 Reentrancy]

Remediation

  • Make sure all internal state changes are performed before the external call is executed. This is known as the Checks-Effects-Interactions pattern.
  • Use a reentrancy lock (mutex) that rejects a nested call into a protected function while another call is still in progress.

For a more detailed guide, refer to the https://learn.secdim.com/course/dao-and-recursive-calls[DAO and recursive calls] mini course on SecDim Learn.

Metadata

  • Severity: high
  • Slug: reentrancy

CWEs

  • 841: Improper Enforcement of Behavioral Workflow
  • 284: Improper Access Control

OWASP

  • A01:2021: Broken Access Control
  • SC05:2025: Reentrancy
