📌 Definition of a Reentrancy Attack
Unsafe external call(s) that allow(s) malicious manipulation of the internal and/or associated external contract state(s).
📚 Types of Reentrancy Attacks
- Single-Function Reentrancy
- Cross-Function Reentrancy
- Cross-Contract Reentrancy
- Cross-Chain Reentrancy
- Read-Only Reentrancy
📜 Reentrancy Attacks List
A chronological and (hopefully) complete list of reentrancy attacks to date.
- WETH white hat attack – 10 June 2016 | Victim contract, Exploit contract, Exploit transaction
- The DAO attack – 17 June 2016 | Victim contract, Exploit contract, Exploit transaction
- SpankChain attack – 9 October 2018 | Victim contract, Exploit contract, Exploit transaction
- imBTC Uniswap pool attack – 18 April 2020 | Victim contract, Exploit contract, Exploit transaction
- Lendf.Me attack – 19 April 2020 | Victim contract, Exploit contract, Exploit transaction
- Akropolis attack – 12 November 2020 | Victim contract, Exploit contract, Exploit transaction
- ValueDeFi attack – 7 May 2021 | Victim contract, Exploit contract, Exploit transaction
- Rari Capital attack – 8 May 2021 | Victim contract, Exploit contract, Exploit transaction
- BurgerSwap attack – 27 May 2021 | Victim contract, Exploit contract, Exploit transaction
- Iron Finance attack – 16 June 2021 | Victim contract, Exploit contract, Exploit transaction
- PolyDEX attack – 20 June 2021 | Victim contract, Exploit contract, Exploit transaction
- DeFiPie attack – 12 July 2021 | Victim contract, Exploit contract, Exploit transaction
- Sanshu Inu attack – 20 July 2021 | Victim contract, Exploit contract, Exploit transaction
- XSURGE attack – 16 August 2021 | Victim contract, Exploit contract, Exploit transaction
- C.R.E.A.M. Finance attack – 30 August 2021 | Victim contract, Exploit contract, Exploit transaction
- Siren Protocol attack1 – 3 September 2021 | Victim contract, Exploit contract, Exploit transaction
- CreatureToadz attack – 21 October 2021 | Victim contract, Exploit contract, Exploit transaction
- Grim Finance attack – 18 December 2021 | Victim contract, Exploit contract, Exploit transaction
- Visor Finance attack – 21 December 2021 | Victim contract, Exploit contract, Exploit transaction
- HypeBears attack – 3 February 2022 | Victim contract, Exploit contract, Exploit transaction
- Bacon Protocol attack – 5 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Paraluni attack – 13 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Agave Finance attack – 15 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Hundred Finance attack – 15 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Revest Finance attack – 27 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Voltage Finance attack – 31 March 2022 | Victim contract, Exploit contract, Exploit transaction
- BNB Brokers attack – 27 April 2022 | Victim contract, Exploit contract, Exploit transaction
- Fei Protocol attack – 30 April 2022 | Victim contract, Exploit contract, Exploit transaction
- Bistroo attack – 7 May 2022 | Victim contract, Exploit contract, Exploit transaction
- Ownly attack – 10 May 2022 | Victim contract, Exploit contract, Exploit transaction
- Omni attack – 10 July 2022 | Victim contract, Exploit contract, Exploit transaction
- Stader Labs NearX attack – 16 August 2022 | Victim contract, Exploit contract2, Exploit transaction
- Thunder Brawl attack – 30 September 2022 | Victim contract, Exploit contract, Exploit transaction
- QuickSwap Lend attack – 23 October 2022 | Victim contract, Exploit contract, Exploit transaction
- n00dleSwap attack – 25 October 2022 | Victim contract, Exploit contract, Exploit transaction
- DFX Finance attack – 10 November 2022 | Victim contract, Exploit contract, Exploit transaction
- Defrost Finance attack – 23 December 2022 | Victim contract, Exploit contract, Exploit transaction
- Jaypeggers attack – 29 December 2022 | Victim contract, Exploit contract, Exploit transaction
- Midas Capital attack – 15 January 2023 | Victim contract, Exploit contract, Exploit transaction
- 2Pi Network attack – 15 January 2023 | Victim contract, Exploit contract, Exploit transaction
- Abracadabra Money white hat attack – 16 January 2023 | Victim contract, Exploit contract, Exploit transaction
- Orion Protocol attack – 2 February 2023 | Victim contract, Exploit contract, Exploit transaction
- dForce Network attack3 – 9 February 2023 | Victim contract, Exploit contract, Exploit transaction
- Dynamic attack – 22 February 2023 | Victim contract, Exploit contract, Exploit transaction
- Sentiment attack – 4 April 2023 | Victim contract4, Exploit contract, Exploit transaction
Some of the exploits carried out involve multiple separate transactions as well as multiple victim and exploit contracts. For each attack, I have listed the most affected victim contract, the most critical exploit contract, and the most devastating exploit transaction.
Footnotes
-
To prevent the article from constantly reloading, deactivate JavaScript in your browser. ↩
-
We list the attacker's address here for the sake of completeness, but technically the attack was executed with a Near-specific transaction type called "Batch Transaction" and not with a specific exploit contract. ↩
-
We list the victim contract, the exploit contract, and the exploit transaction on Arbitrum. However, the same exploit was carried out on Optimism with almost the same amount of loss: Victim contract, Exploit contract, Exploit transaction. ↩
-
The same exploit hit another victim with almost the same amount of loss: Victim contract. ↩