Reentrancy, reexamined

25 May 2024

Reentrancy is a buzzword in web3 security that everyone seems to talk about, but acquiring the knowledge to discuss it intimately can be slightly difficult.

Explanation (with diagram)

Reentrancy is only an issue if there is a call to an external contract that allows the user to gain control of code execution. this is somewhat similar to vulnerabilities that can lead to code execution in traditional security, like a buffer overflow. Ether transfers, as well as callbacks in tokens like ERC721, ERC777, and ERC1155 are common reentrancy targets. Other reentrancy cases include where you see address.functioncall() where address is specified by user input. This allows the user to choose the external contract to call (see line 224 of Gauge.sol).

I don’t know if that article explains it best, but you could look at reentrancy findings in public audit reports and cross reference them with the source code to get a better idea of real world situations where it’s a problem.

Everyone uses ETH transfer example

This samczsun video is good about discussing the unsafe external calls: https://youtu.be/95_RmIAqRy0?t=349

Good example of non-standard re-entrancy vuln: https://github.com/code-423n4/2022-01-sandclock-findings/issues/32 Also: https://github.com/code-423n4/2022-01-sandclock-findings/issues/3 Another: https://youtu.be/95_RmIAqRy0?t=1016 ^Need to be thinking 1. Can a malicious input be provided to external callback to allow attacker-controlled code execution? 2. Even if malicious input cannot be provided, does an existing trusted input (e.g. ERC721, ERC777) enable a callback hook?

Reentrancy “types”

1. Reentry to the same function (similar to a loop, but some state variable changes are skipped)
2. Reentry to a different function (CREAM hack)

Real world examples

code4rena examples: https://github.com/code-423n4/2022-01-timeswap-findings/issues/6 https://github.com/code-423n4/2022-04-jpegd-findings/issues/81 https://github.com/code-423n4/2022-05-rubicon-findings/issues/350 https://github.com/code-423n4/2021-08-notional-findings/issues/10

Tokens with callbacks

Can ERC20 have a callback?

ERC777 quirk

https://twitter.com/danielvf/status/1514611664091422721?cxt=HHwWgoCprZTS_YQqAAAA

https://media.dedaub.com/latent-bugs-in-billion-plus-dollar-code-c2e67a25b689

Comparison to Slither

Under the hood:

• py-solc vs. solc-select
• solc vs. crytic-compile

Concluding Remarks