Back to Course

3. Advanced Course

0% Complete
0/0 Steps
  1. 1. What is Taproot?
  2. 2. Blockchain bridges – what are they?
  3. 3. What is Ethereum Plasma?
  4. 4. What is Ethereum Casper?
  5. 5. What is Zk-SNARK and Zk-STARK? 
  6. 6. What is Selfish Mining? 
  7. 7. What is spoofing in the cryptocurrency market? 
  8. 8. Schnorr signatures - what are they? 
  9. 9. MimbleWimble - what is it? 
  10. 10. What is digital property rights in NFT?
  11. 11. What are ETFs and what role do they play in the cryptocurrency market? 
  12. 12. How to verify a cryptocurrency project – cryptocurrency tokenomics 
  13. 13. What is the 51% attack on blockchain?
  14. 14. What is DAO, and how does it work?
  15. 15. Zero-knowledge proof – a protocol that respects privacy 
  16. 16. What is EOSREX?
  17. 17. What is Proof of Elapsed Time (PoET)?
  18. 18. Mirror Protocol – what it is? 
  19. 19. What are synthetic assets? 
  20. 20. How to create your own NFT? 
  21. 21. Definition of DeFi, and what are its liquidations?
  22. 22. New identity system - Polygon ID
  23. 23. Ethereum Foundation and the Scroll protocol - what is it?
  24. 24. What is Byzantine fault tolerance in blockchain technology?
  25. 25. Scalability of blockchain technology - what is it?
  26. 26. Interchain Security - new Cosmos (ATOM) protocol
  27. 27. Coin Mixing vs. Coin Join - definition, opportunities, and threats
  28. 28. What is Ethereum Virtual Machine (EVM) and how does it work?
  29. 29. Soulbound Tokens - what are they, and how do they work?
  30. 30. Definition of LIDO - what is it?
  31. 31. What are Threshold Signatures, and how do they work?
  32. 32. Blockchain technology and cyberattacks.
  33. 33. Bitcoin script - what it is, and what you should know about it.
  34. 34. What is zkEVM, and what are its basic features?
  35. 35. Do confidential transactions on blockchain exist? What is a Confidential Transaction?
  36. 36. Algorithmic stablecoins - everything you should know about them.
  37. 37. Polygon Zk Rollups ZKP - what should you know about it?
  38. 38. What is Web3 Infura?
  39. 39. Mantle - Ethereum L2 scalability - how does it work?
  40. 40. What is the NEAR Rainbow Bridge?
  41. 41. Liquid Staking Ethereum and LSD tokens. What do you need to know about it?
  42. 42. Top 10 blockchain oracles. How do they work? How do they differ?
  43. 43. What are Web3.js and Ether.js? What are the main differences between them?
  44. 44. What is StarkWare, and recursive validity proofs
  45. 45. Quant Network: scalability of the future
  46. 46. Polygon zkEVM - everything you need to know
  47. 47. What is Optimism (OP), and how do its roll-ups work?
  48. 48. What are RPC nodes, and how do they work?
  49. 49. SEI Network: everything you need to know about the Tier 1 solution for DeFi
  50. 50. Types of Proof-of-Stake Consensus Mechanisms: DPoS, LPoS and BPoS
  51. 51. Bedrock: the epileptic curve that ensures security!
  52. 52. What is Tendermint, and how does it work?
  53. 53. Pantos: how to solve the problem of token transfer between blockchains?
  54. 54. What is asymmetric encryption?
  55. 55. Base-58 Function in Cryptocurrencies
  56. 56. What Is the Nostr Protocol and How Does It Work?
  57. 57. What Is the XDAI Bridge and How Does It Work?
  58. 58. Solidity vs. Rust: What Are the Differences Between These Programming Languages?
  59. 59. What Is a Real-Time Operating System (RTOS)?
  60. 60. What Is the Ethereum Rinkeby Testnet and How Does It Work?
  61. 61. What Is Probabilistic Encryption?
  62. 62. What is a Pinata in Web 3? We explain!
  63. 63. What Is EIP-4337? Will Ethereum Account Abstraction Change Web3 Forever?
  64. 64. What are smart contract audits? Which companies are involved?
  65. 65. How does the AirGapped wallet work?
  66. 66. What is proto-danksharding (EIP-4844) on Ethereum?
  67. 67. What is decentralised storage and how does it work?
  68. 68. How to Recover Cryptocurrencies Sent to the Wrong Address or Network: A Practical Guide
  69. 69. MPC Wallet and Multilateral Computing: Innovative Technology for Privacy and Security
  70. 70. Threshold signature in cryptography: an advanced signing technique!
  71. 71. Vanity address in cryptocurrencies: what is it and what are its characteristics?
  72. 72. Reentrancy Attack on smart contracts: a threat to blockchain security!
  73. 73. Slither: a static analyser for smart contracts!
  74. 74. Sandwich Attack at DeFi: explanation and risks!
  75. 75. Blockchain RPC for Web3: A key technology in the world of decentralized finance!
  76. 76. Re-staking: the benefits of re-posting in staking!
  77. 77. Base: Evolving cryptocurrency transactions with a tier-2 solution from Coinbase
  78. 78. IPFS: A new era of decentralized data storage
  79. 79. Typical vulnerabilities and bridge security in blockchain technology
  80. 80. JumpNet - Ethereum's new sidechain
3. Advanced Course 72. Reentrancy Attack on smart contracts: a threat to blockchain security!
Lesson 72 of 80
In Progress

72. Reentrancy Attack on smart contracts: a threat to blockchain security!

Blockchain is a revolutionary technology that has introduced many innovations in finance and beyond. However, like any technology, it is vulnerable to various threats, including the so-called Reentrancy Attack on smart contracts. In today’s lesson, we will cover exactly what a re-entry attack is, how it works and how you can defend against it.

What is Reentrancy Attack? Definition.

As the name suggests, reentrancy ro a type of attack that can occur in intelligent contracts.From our previous lessons, you know that smart contracts allow untrusted external code to be executed as part of the execution of a given contract. This situation can occur when the intelligent contract itself calls an external contract, and this external contract subsequently calls the original contract, causing an endless loop to run.

The reentrancy attack exploits such vulnerabilities in smart contracts and allows an attacker to call a given function multiple times in intelligent contracts. This results in an endless loop of activity and the theft of the funds involved.

An example of such an attack? Here you go. It could be a contract in intelligent contracts that allows users to deposit funds and then withdraw them, only at a later date. In this case, the hacker can call the withdrawal function many times in a row, long before the withdrawal function is called. In this way, he will effectively steal the funds from the contract in question.

We will base the second example, to further understand what a re-entry attack is, on cryptocurrencies. Imagine a smart contract that allows users to send cryptocurrencies to each other. This contract could include a function to transfer funds to other users. However, a problem arises when the function for transferring funds is not properly secured.

An attacker, exploiting this vulnerability, can send a transaction to the contract that calls the funds transfer function and then immediately call the same function before the first call is completed. As a result, the contract does not have time to update user account balances between the two function calls, allowing the attacker to withdraw funds from the contract multiple times.

How does the re-entry attack work?

In practice, the reentrancy attack works as follows:

  1. The hacker finds a intelligent contract that is responsible for depositing and withdrawing funds at a later date.
  2. The attacker creates a malicious smart contract that loops and calls the escrow function of the actual smart contract.
  3. The hacker will then call the ‘withdraw’ function of the specified contract and withdraw the deposited funds.
  4. Because a given contract’s deposit function is not adequately protected against this type of attack, the hacker will repeatedly call the deposit function before calling the payout function. As a result, he will effectively steal funds from the smart contract.
  5. The attacker will repeat the whole process until he has not stolen as many funds as he wants.

Types of Reentrancy Attack

If you think there is only one type of re-entry attack, you are mistaken. There are several types in the cryptocurrency world. Here they are:

  1. Frontrunning attack. This is an example of an attack in which a hacker tracks the blockchain for transactions made that trigger a vulnerable contract. When the attacker catches such a vulnerability, he quickly sends a transaction that triggers the same contract before the original one is processed.
  2. Reentrancy Attack depending on the timestamp. This is a type of attack in which a hacker manipulates the time of a block. As a result, he causes the vulnerable contract to be executed in a way that benefits him (for example, stealing funds).
  3. Recursive call. A method in which an attacker calls a susceptible smart contract multiple times in a row, Thus causing the contract to execute a previously unintended function multiple times in a row.
  4. Cross-Function Call attack. In this case, the hacker calls multiple functions in a vulnerable contract. All, of course, in a specific order in order to trigger a previously unintended action that will benefit him.

How do we protect smart contracts from these types of attacks?

To protect against this type of attack, it is best to use a mutex blocker or mutual exclusion function. The lock prevents the same function from being called multiple times at the same time.

You can also use a protection condition. If such a condition is set on your smart contract, it will not make any, external call and will prevent a reentrant attack.

Another way to prevent re-entry attacks is to check the depth of the call stack. This way you make sure that the contract is not recursively called in any way. And if the contract exceeds a certain depth threshold, the smart contract will stop being executed.

To protect intelligent contracts from Reentrancy Attack you can also use the “require” instruction. This will check the state of a given contract before allowing the function to be executed.

Continuous monitoring of intelligent contracts and updating them is also a good way to protect yourself.

However, it is important for you to remember that these are only some of the ways to protect yourself. To fully protect against re-entry attacks, smart contracts must be audited by industry experts. On top of this, they are extensively tested, further scaling their security.

Examples of re-entry attacks on smart contracts

  1. An attack on the lending protocol Lendf.me. The decentralised platform was built on the blockchain Ethereum. The attack took place in 2019, when the attacker discovered a vulnerability in intelligent contract. The vulnerability allowed him to borrow and repay the same loan multiple times. The attacker simultaneously manipulated the price of the underlying assets and, with this procedure, increased the amounts of his loans. As a result, he stole cryptocurrency assets worth more than US$350,000.
  2. Siren Protocol. This is another lending platform, built on the blockchain Ethereum. The attacker did exactly the same thing as with Lendf.me. The result? Multiple loans and repayments on the same loan and the theft of more than US$30 million worth of cryptocurrencies.
  3. BurgerSwap. It is a decentralised exchange, built on the Binance Smart Chain. The attack took place in 2021, where the attacker exploited a vulnerability in intelligent contracts and borrowed and repaid the same loan multiple times. He also stole assets worth more than $2 million from the platform.
  4. DAO Hack. This was an attack on a decentralised investment fund built on the blockchain Ethereum. The hacker discovered a vulnerability inthe DAO contract and repeatedly called the ‘split’ function. Unaware investors withdrew funds from the DAO before the smart contract updated internal balances. Using this vulnerability, the hacker repeatedly called the split function and emptied the organisation of Ethero worth approximately US$50 million.
  5. Cream Finance. DeFi platform that allows users to borrow assets. The attack on intelligent contract occurred in 2020, where the attacker repeatedly borrowed and repaid the same loan. At the same time, as in the other cases, he manipulated the prices of the underlying assets. The procedure allowed him to steal funds worth more than US$30 million.

Summary

The Re-entry Attack is a serious threat tosmart contracts on blockchains. Understanding how this type of attack works, and taking the appropriate precautions and programming practices, is key to protecting smart contracts from potential attacks. Protecting against re-entry attacks is a critical part of building a secure and trustworthy blockchain ecosystem.

Complete today’s lesson!

  1. What is the 51% attack on blockchain?
  2. What is Byzantine fault tolerance in blockchain technology?
  3. Blockchain technology and cyber attacks.
  4. Do confidential transactions on blockchain exist?