📌 Definition of a Reentrancy Attack
Unsafe external calls that allow malicious manipulation of the internal and/or associated external contract state(s).
📚 Types of Reentrancy Attacks
- Single-Function Reentrancy
- Cross-Function Reentrancy
- Cross-Contract Reentrancy
📜 Reentrancy Attacks List
A chronological and (hopefully) complete list of reentrancy attacks to date.
- WETH white hat attack – June 10, 2016 | Victim contract, Exploit contract, Exploit transaction
- The DAO attack – June 17, 2016 | Victim contract, Exploit contract, Exploit transaction
- SpankChain attack – October 9, 2018 | Victim contract, Exploit contract, Exploit transaction
- imBTC Uniswap pool attack – April 18, 2020 | Victim contract, Exploit contract, Exploit transaction
- Lendf.Me attack – April 19, 2020 | Victim contract, Exploit contract, Exploit transaction
- Akropolis attack – November 12, 2020 | Victim contract, Exploit contract, Exploit transaction
- ValueDeFi attack – May 7, 2021 | Victim contract, Exploit contract, Exploit transaction
- Rari Capital attack – May 8, 2021 | Victim contract, Exploit contract, Exploit transaction
- BurgerSwap attack – May 27, 2021 | Victim contract, Exploit contract, Exploit transaction
- Iron Finance attack – June 16, 2021 | Victim contract, Exploit contract, Exploit transaction
- PolyDEX attack – June 20, 2021 | Victim contract, Exploit contract, Exploit transaction
- DeFiPie attack – July 12, 2021 | Victim contract, Exploit contract, Exploit transaction
- Sanshu Inu attack – July 20, 2021 | Victim contract, Exploit contract, Exploit transaction
- XSURGE attack – August 16, 2021 | Victim contract, Exploit contract, Exploit transaction
- C.R.E.A.M. Finance attack – August 30, 2021 | Victim contract, Exploit contract, Exploit transaction
- Siren Protocol attack – September 3, 2021 | Victim contract, Exploit contract, Exploit transaction
- CreatureToadz attack – October 21, 2021 | Victim contract, Exploit contract, Exploit transaction
- Grim Finance attack – December 18, 2021 | Victim contract, Exploit contract, Exploit transaction
- Visor Finance attack – December 21, 2021 | Victim contract, Exploit contract, Exploit transaction
- HypeBears attack – February 3, 2022 | Victim contract, Exploit contract, Exploit transaction
- Bacon Protocol attack – March 5, 2022 | Victim contract, Exploit contract, Exploit transaction
- Paraluni attack – March 13, 2022 | Victim contract, Exploit contract, Exploit transaction
- Hundred Finance attack – March 15, 2022 | Victim contract, Exploit contract, Exploit transaction
- Agave Finance attack – March 15, 2022 | Victim contract, Exploit contract, Exploit transaction
- Revest Finance attack – March 27, 2022 | Victim contract, Exploit contract, Exploit transaction
- Voltage Finance attack – March 31, 2022 | Victim contract, Exploit contract, Exploit transaction
- BNB Brokers attack – April 27, 2022 | Victim contract, Exploit contract, Exploit transaction
- Fei Protocol attack – April 30, 2022 | Victim contract, Exploit contract, Exploit transaction
- Bistroo attack – May 7, 2022 | Victim contract, Exploit contract, Exploit transaction
- Ownly attack – May 10, 2022 | Victim contract, Exploit contract, Exploit transaction
- Omni attack – July 10, 2022 | Victim contract, Exploit contract, Exploit transaction
- Thunder Brawl attack – September 30, 2022 | Victim contract, Exploit contract, Exploit transaction
- QuickSwap Lend attack – October 23, 2022 | Victim contract, Exploit contract, Exploit transaction
- n00dleSwap attack – October 25, 2022 | Victim contract, Exploit contract, Exploit transaction
- DFX Finance attack – November 10, 2022 | Victim contract, Exploit contract, Exploit transaction
- Defrost Finance attack – December 23, 2022 | Victim contract, Exploit contract, Exploit transaction
- Jaypeggers attack – December 29, 2022 | Victim contract, Exploit contract, Exploit transaction
Some of the exploits carried out involve multiple separate transactions as well as multiple victim and exploit contracts. For each attack, I have listed the most affected victim contract, the most critical exploit contract, and the most devastating exploit transaction.
