Re-entry Attack

     Within the contect of cryptocurrency and blockchain technology, a “re-entry attack” or “re-entrance attack”, is a cyber attack on a smart contract that is deployed to a Turing complete blockchain. The attack is based on poorly written contract code that leave a “back-door” vulnerability.

     Due to the immutable and permanent nature of blockchain, whenever a smart contract is deployed it cannot be altered. The stakes of writing secure, accurate code is extremely high (especially when pertaining to finances). If the code in a smart contract is written poorly then a malicious actor may be able to execute the code pre-maturely. By executing code pre-maturely, a hacker can run a small portion of the code and immediately run another instance on top of the partially running code. They can re-enter the smart contract as it is being executed.

     The most famous example from the industry is the DAO hack that happened on the Ethereum blockchain, which ended up splitting the chain and funneling funds from Ethereum to Ethereum Classic. What happened was, as the hacker 

1) The hacker ran the “splitDAO” function of the contract;

2) Let it executeuntill the  “withdrawRewardFor(msg.sender)” function. (which let the hacker withdraw the specified amount of ETH from the DAO)

3) However, the program is re-run before it can reach the line of code called “balances[msg.sender] = 0” which would set the hacker’s balance in the smart contract to 0.

In even simpler terms, the attacker was able to “reenter” the contract before it could finish thus allowing him to drain money from the contract by recursively calling the function.