This guide provides a comprehensive analysis of Reentrancy’s vulnerabilities with practical and executable examples of each attack type. Learn how the other reinvestment patterns work, how to identify them in real protocols.
What is re -creation?
The re -creation occurs when the external contract call is called again with the call function before the external contract is completed. During the external currency, the control can be delivered to the recipient contract to run any code. If the status update occurs ~ Later External currencies, attackers can re -enter function and drain funds.
ReEntrology Hacks is still in progress today. For a comprehensive list of historical re-creation Exploit, see the REENTRANCY-ATTACKS repository of PCAVERSACCIO.
All contracts that make external calls are potentially vulnerable. In particular, contracts related to withdrawal mechanisms, defect protocols and crosschain bridge.
How to prevent reinvestment?
CEI (Checks-Effects-InterAc) Pattern: Perform a confirmation, update the status, and only external calls. This sequence prevents exploitation of an unconnected state.
ReEntrologyGuard prevents a single contract re -creation, but is not a cross -agreement attack. Use the full payment pattern and minimize the external currency for better security.
Wake’s Python -based framework includes re -creation detection through static analysis and test patterns, identifying vulnerabilities before deployment.
Identification of re -creation vulnerabilities
The main attack vector includes:
- External call before the status update
- Token standard with hooks (ERC-777, ERC-1155)
- Flash loan implementation
- Cross chain messaging system
All external currencies are potential vulnerabilities.
Type of re -creation attack
The re -creation varies from simple recursive calls to complex multiple contracts. Different defense strategies are required for each type. Developers should consider all attack possibilities during development. Let’s take a closer look at these important dynamics.
Single function re -creation
In the re -creation of a single function, the attacker recursively calls the same function during external calls. It is the most common in the withdrawal function that sends ETH before updating the balance.
Vulnerability Example:
function withdraw() public
uint256 amount = balances(msg.sender);
(bool success, ) = msg.sender.callvalue: amount("");
require(success, "Failed to send Ether");
balances(msg.sender) = 0; // State updated after external call
Attack stage:
- Attackers deposit funds and calls
withdraw() - The agreement of the attacker will enter again during the external call.
withdraw() - The withdrawal is successful because the balance has not been reset yet.
- The process is repeated until the contract is drained.
prevention: Update your status before an external call according to the CEI pattern.
Creation of cross -function
Creation of cross -function uses multiple functions within one contract. The developer protects individual functions, but if you miss the interaction, it becomes dangerous.
Vulnerability Example:
contract Vault is ReentrancyGuard
function transfer(address to, uint256 amount) public
// No reentrancy protection here
if (balances(msg.sender) >= amount)
balances(to) += amount;
balances(msg.sender) -= amount;
function withdraw() public nonReentrant
uint256 amount = balances(msg.sender);
(bool success, ) = msg.sender.callvalue: amount("");
require(success, "Failed to send Ether");
balances(msg.sender) = 0;
Attack Vector: The attacker enters again without being protected. transfer() During withdraw() External currency, manipulation balance before the withdrawal is completed.
prevention: Apply recreated guards to all state modifications or consistently use the CEI pattern.
Cross chain re -creation
As the name suggests, the cross chain re -creation manipulates cross chain messaging with duplicate tokens that cross the chain. This is important for implementing bridge.
Vulnerability Pattern: Cross chain contracts often increase the counter or update the condition after external calls. _safeMint(). If the attacker enters the external call, you can trigger the same cross chain event before the status update.
Actual impact: same tokenId Break the leg accounting of the multi -chain and create a phantom token.
prevention:
- Update the cross chain status variable before external currency
- Implement the verification after the call of important variables
- Use the re -creation guard for the cross chain function
Re -creation of mutual contracts
Mutual contract re -creation is bypassed by bypassing multiple contracts. ReentrancyGuard. This means that a comprehensive interaction analysis is required.
Attack pattern: Contract A RelancyGuard Protection Agreement B.
Example Scenario: The safe agreement with ReEntrancyGuard uses a separate token contract. The attacker represents the transmission function of the token contract during the withdrawal of Vault.
prevention: It implements consistent re -creation protection over all interaction contracts and follows the CEI pattern in the contract interaction.
Re -creation for reading
Read -only re -creation is a function during the transition to an exploit status. This is important for the Defi protocol that depends on price Oracle.
Vulnerability mechanism: The viewing view may seem safe but can return data that does not match during the state switching. The attacker exploits this window to get the wrong price calculation.
Example Scenario:
function getCurrentPrice() public view returns (uint256)
if (totalTokens == 0) return 10e18;
return (totalTokens * 10e18) / totalStake;
In external calls, TotalTokens can be updated without changing and creates a chance to manipulate price.
prevention: Avoid the function of relying depending on the mutation state during the external call. Implement a state consistency test.
Vulnerability for each protocol
Flash loan re -creation
In the re -creation of the flash loan, the attacker manipulates the token balance during the loan execution by exploiting inappropriate balance verification. The attacker uses a flash loan to create a “side entrance” attack that temporarily expands balance, detours checks, and extracts funds through various withdrawal mechanisms.
General pattern: Flash loans increase the user’s balance and cause withdrawal logic that does not explain temporary balance inflation.
ERC-721 Re-creation
that onERC721Received Callbacks can be attacked during NFT transmission. It is important for markets and staying contracts that cause the NFT relocation to change the main change or pay.
Attack Vector: Malicious contracts can be entered again _safeMint Or manipulate the contract status before the Safetransferff and NFT transmission of the currency is completed.
ERC-777 Re-creation
In the ERC-777 Reentrancy, the transfer hook can break the CEI pattern and operate the price. Advanced token function increases vulnerability surface enemy.
machine: TokensReceived hooks run during transmission, so attackers can restart the contract and manipulate the weekly intermediate transition.
ERC-1155 Re-creation
Multiple score callback (onERC1155Received, onERC1155BatchReceived) Create an attack vector in the blockchain protocol.
Complexity factors: Batch operation requires careful status management because it generates several reinforcement opportunities within a single transaction.
conclusion
All external currencies are potential re -creation vulnerabilities. Follow the CEI pattern, understand the restrictions of Reentrancyguard, and analyze all contract interactions.
The protocol becomes more complicated with cross chain legs and high -end token standards, resulting in new attack patterns. Security priority development is essential.
Modern Defi protocols require comprehensive re -creation analysis beyond a single contract range. When designing a security system, consider the interaction of contracts, token hooks and read -only functions.
I hope this outline will help you create a safer code. All re -creation attacks mentioned above have an article linked deep in the section, so read more details.