📌 Definition of a Reentrancy Attack
Unsafe external call(s) that allow(s) malicious manipulation of the internal and/or associated external contract state(s).
📚 Types of Reentrancy Attacks
- Single-Function Reentrancy
- Cross-Function Reentrancy
- Cross-Contract Reentrancy
- Cross-Chain Reentrancy
- Read-Only Reentrancy
📜 Reentrancy Attacks List
A chronological and (hopefully) complete list of reentrancy attacks to date.
- WETH white hat attack – 10 June 2016 | Victim contract, Exploit contract, Exploit transaction
- The DAO attack – 17 June 2016 | Victim contract, Exploit contract, Exploit transaction
- SpankChain attack – 9 October 2018 | Victim contract, Exploit contract, Exploit transaction
- imBTC Uniswap pool attack – 18 April 2020 | Victim contract, Exploit contract, Exploit transaction
- Lendf.Me attack – 19 April 2020 | Victim contract, Exploit contract, Exploit transaction
- Akropolis attack – 12 November 2020 | Victim contract, Exploit contract, Exploit transaction
- ValueDeFi attack – 7 May 2021 | Victim contract, Exploit contract, Exploit transaction
- Rari Capital attack – 8 May 2021 | Victim contract, Exploit contract, Exploit transaction
- BurgerSwap attack – 27 May 2021 | Victim contract, Exploit contract, Exploit transaction
- Iron Finance attack – 16 June 2021 | Victim contract, Exploit contract, Exploit transaction
- PolyDEX attack – 20 June 2021 | Victim contract, Exploit contract, Exploit transaction
- DeFiPie attack – 12 July 2021 | Victim contract, Exploit contract, Exploit transaction
- Sanshu Inu attack – 20 July 2021 | Victim contract, Exploit contract, Exploit transaction
- XSURGE attack – 16 August 2021 | Victim contract, Exploit contract, Exploit transaction
- C.R.E.A.M. Finance attack – 30 August 2021 | Victim contract, Exploit contract, Exploit transaction
- Siren Protocol attack1 – 3 September 2021 | Victim contract, Exploit contract, Exploit transaction
- CreatureToadz attack – 21 October 2021 | Victim contract, Exploit contract, Exploit transaction
- Grim Finance attack – 18 December 2021 | Victim contract, Exploit contract, Exploit transaction
- Visor Finance attack – 21 December 2021 | Victim contract, Exploit contract, Exploit transaction
- HypeBears attack – 3 February 2022 | Victim contract, Exploit contract, Exploit transaction
- Bacon Protocol attack – 5 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Paraluni attack – 13 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Agave Finance attack – 15 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Hundred Finance attack – 15 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Revest Finance attack – 27 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Voltage Finance attack – 31 March 2022 | Victim contract, Exploit contract, Exploit transaction
- BNB Brokers attack – 27 April 2022 | Victim contract, Exploit contract, Exploit transaction
- Fei Protocol attack – 30 April 2022 | Victim contract, Exploit contract, Exploit transaction
- Bistroo attack – 7 May 2022 | Victim contract, Exploit contract, Exploit transaction
- Ownly attack – 10 May 2022 | Victim contract, Exploit contract, Exploit transaction
- Omni attack – 10 July 2022 | Victim contract, Exploit contract, Exploit transaction
- Stader Labs NearX attack – 16 August 2022 | Victim contract, Exploit contract2, Exploit transaction
- Thunder Brawl attack – 30 September 2022 | Victim contract, Exploit contract, Exploit transaction
- QuickSwap Lend attack – 23 October 2022 | Victim contract, Exploit contract, Exploit transaction
- n00dleSwap attack – 25 October 2022 | Victim contract, Exploit contract, Exploit transaction
- DFX Finance attack – 10 November 2022 | Victim contract, Exploit contract, Exploit transaction
- Defrost Finance attack – 23 December 2022 | Victim contract, Exploit contract, Exploit transaction
- Jaypeggers attack – 29 December 2022 | Victim contract, Exploit contract, Exploit transaction
- Midas Capital attack – 15 January 2023 | Victim contract, Exploit contract, Exploit transaction
- 2Pi Network attack – 15 January 2023 | Victim contract, Exploit contract, Exploit transaction
- Abracadabra Money white hat attack – 16 January 2023 | Victim contract, Exploit contract, Exploit transaction
- Orion Protocol attack – 2 February 2023 | Victim contract, Exploit contract, Exploit transaction
- dForce Network attack3 – 9 February 2023 | Victim contract, Exploit contract, Exploit transaction
- Dynamic attack – 22 February 2023 | Victim contract, Exploit contract, Exploit transaction
- Sentiment attack – 4 April 2023 | Victim contract4, Exploit contract, Exploit transaction
- Paribus attack – 11 April 2023 | Victim contract5, Exploit contract, Exploit transaction
- MuratiAI attack – 6 June 2023 | Victim contract, Exploit contract, Exploit transaction
- Sturdy attack – 12 June 2023 | Victim contract, Exploit contract, Exploit transaction
- Arcadia Finance attack6 – 10 July 2023 | Victim contract, Exploit contract, Exploit transaction
- Libertify attack7 – 11 July 2023 | Victim contract, Exploit contract, Exploit transaction
- Conic Finance attack – 21 July 2023 | Victim contract, Exploit contract, Exploit transaction
- EraLend attack – 25 July 2023 | Victim contract, Exploit contract, Exploit transaction
- Curve attack8 – 30 July 2023 | Victim contract, Exploit contract, Exploit transaction
- Earning.Farm attack – 9 August 2023 | Victim contract, Exploit contract, Exploit transaction
- Defiway attack – 3 October 2023 | Victim contract, Exploit contract, Exploit transaction
- Stars Arena attack – 7 October 2023 | Victim contract, Exploit contract, Exploit transaction
- 0x0 attack – 27 October 2023 | Victim contract, Exploit contract, Exploit transaction
- Peapods Finance attack – 13 December 2023 | Victim contract, Exploit contract, Exploit transaction
- NFT Trader attack – 16 December 2023 | Victim contract, Exploit contract, Exploit transaction
- GoodDollar attack – 16 December 2023 | Victim contract, Exploit contract, Exploit transaction
- Nebula Revelation attack – 25 January 2024 | Victim contract, Exploit contract, Exploit transaction
- Barley Finance attack – 28 January 2024 | Victim contract, Exploit contract, Exploit transaction
- ChainPaint attack – 12 February 2024 | Victim contract, Exploit contract, Exploit transaction
- Rugged Art attack – 19 February 2024 | Victim contract, Exploit contract, Exploit transaction
- The Smoofs attack – 28 February 2024 | Victim contract, Exploit contract, Exploit transaction
Some of the exploits carried out involve multiple separate transactions as well as multiple victim and exploit contracts. For each attack, I have listed the most affected victim contract, the most critical exploit contract, and the most devastating exploit transaction.
Footnotes
-
To prevent the article from constantly reloading, deactivate JavaScript in your browser. ↩
-
We list the attacker's address here for the sake of completeness, but technically the attack was executed with a Near-specific transaction type called "Batch Transaction" and not with a specific exploit contract. ↩
-
We list the victim contract, the exploit contract, and the exploit transaction on Arbitrum. However, the same exploit was carried out on Optimism with almost the same amount of loss: Victim contract, Exploit contract, Exploit transaction. ↩
-
The same exploit hit another victim with almost the same amount of loss: Victim contract. ↩
-
The same exploit hit two other victims with almost the same amount of loss: Victim contract 2, Victim contract 3. ↩
-
We list the victim contract, the exploit contract, and the exploit transaction on Optimism. However, the same exploit was carried out on Ethereum, albeit with a smaller loss amount: Victim contract, Exploit contract, Exploit transaction. ↩
-
We list the victim contract, the exploit contract, and the exploit transaction on Polygon. However, the same exploit was carried out on Ethereum, albeit with a smaller loss amount: Victim contract, Exploit contract, Exploit transaction. ↩
-
The technical post-mortem on the reentrancy lock vulnerability from Vyper can be found here. ↩