Reentrancy
CWE-841: Improper Enforcement of Behavioral Workflow
One of the major dangers of calling external contracts is that they can take over the control flow. In the reentrancy attack (a.k.a. recursive call attack), a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways.
The best practices to avoid Reentrancy weaknesses are:
- Use
transfer()instead ofcontract.call()to transfer Ether to untrusted addresses. - When using low-level calls, make sure all internal state changes are performed before the call is executed.