Question 1

How does a reentrancy attack work?

Accepted Answer

When a vulnerable contract sends ETH via msg.sender.call{value: amount}(''), the attacker's receive() function is triggered. If the contract hasn't updated its state yet, the attacker's receive() function can call withdraw() again, passing the balance check because deposits still show the original amount. This creates a recursive loop that drains the vault.

Question 2

What is the Checks-Effects-Interactions pattern?

Accepted Answer

CEI is the simplest reentrancy fix: (1) CHECK conditions (require statements), (2) EFFECT state changes (update balances), then (3) INTERACT with external contracts (send ETH). By updating state before making external calls, any re-entrant call sees the updated state and fails.

Question 3

Can reentrancy still happen with modern Solidity?

Accepted Answer

Yes. While Solidity 0.8+ added overflow protection, reentrancy is a logic vulnerability, not a compiler issue. New variants like read-only reentrancy, cross-function reentrancy, and cross-chain reentrancy continue to cause losses. The 2023 Curve Finance hack ($70M) was caused by a Vyper compiler bug in reentrancy locks.

Reentrancy Attack Simulator