

Reentrancy

Reentrancy is a recursive-call issue: the vulnerable contract makes an external call (for example, sending Ether) to a malicious contract, and that contract calls back into the vulnerable contract before the first call has completed. If a state change that should happen before any further external call, e.g. setting the caller's balance to zero, is only performed after the call, it never takes effect during the recursive calls, so every re-entry sees the original, unmodified state.

The recursive call continues until the gas is exhausted, the call stack is full (the EVM limit is 1024 frames), or the balance of the vulnerable contract reaches zero. In practice an attacker's fallback stops re-entering deliberately before gas runs out, because a failed inner call would typically revert the whole transaction and undo the drain.

SWC-107: Reentrancy

Remediation

  • Make sure all internal state changes are performed before the external call is executed. This is known as the Checks-Effects-Interactions pattern.
  • Use a reentrancy lock (a mutex flag set on entry and cleared on exit, e.g. a nonReentrant modifier such as OpenZeppelin's ReentrancyGuard). The lock only guards the functions that share it, so apply Checks-Effects-Interactions as well.

For a more detailed guide, refer to the DAO and recursive calls mini course on SecDim Learn.

Metadata

  • Severity: high
  • Slug: reentrancy

CWEs

  • 841: Improper Enforcement of Behavioral Workflow
  • 284: Improper Access Control

OWASP

  • A01:2021: Broken Access Control
  • SC05:2025: Reentrancy