Smart contract security is all the rage after the DAO hack. veox has just won a bounty by finding an attack vector in seemingly-tidy, condition-oriented contract code. Here’s a more detailed explanation of the vulnerability and its context.

Roughly speaking, the attacker starts out by pretending to withdraw ether, lowering the contract’s idea of how much it holds, then reentrantly deposits the same ether back and transfers it to a second address. Now that the contract’s balance is in excess of what the contract thinks it holds, all of the excess can be drained.

“Oy vey” is about all I could muster after looking at the brilliant exploit. Reasoning in the presence of reentrant calls is quite difficult. A 31-line simple token contract, written with a defensive pattern where invariants are diligently checked on function entry, ends up being prone to reentrancy attacks.
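A constructed Python model of the reentry, added here as an illustration and not the bountied contract or code from this post. It keeps only the withdraw-then-transfer step (the re-deposit is left out), and the `Ledger` class, account names and amounts are assumptions. The entry-time invariant passes on every call, yet the unguarded ledger ends up owing more than it holds; the `guarded` variant adds a reentrancy lock.

```python
class Reentered(Exception): pass

class Ledger:  # constructed toy model, not the bountied contract
    def __init__(self, guarded):
        self.guarded, self.locked = guarded, False
        self.held = self.total = 0  # ether really held / ether the ledger thinks it holds
        self.bal = {}               # per-account claims

    def _enter(self):  # aggregate invariant, checked on function entry only
        if self.held < self.total:
            raise RuntimeError("invariant violated")
        if self.guarded and self.locked:
            raise Reentered("call arrived during an external call")

    def deposit(self, who, amount):
        self._enter()
        self.held, self.total = self.held + amount, self.total + amount
        self.bal[who] = self.bal.get(who, 0) + amount

    def transfer(self, src, dst, amount):
        self._enter()
        if self.bal.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount

    def withdraw(self, who, on_receive):
        self._enter()
        saved = (self.held, self.total, dict(self.bal))
        amount = self.bal.get(who, 0)
        self.held, self.total = self.held - amount, self.total - amount
        self.locked = True
        try:
            on_receive(amount)  # ether sent: the recipient's code runs here
        except Exception:
            self.held, self.total, self.bal = saved  # a throw reverts all state
            raise
        finally:
            self.locked = False
        self.bal[who] = 0  # flaw: the claim is cleared only after the call

def scenario(guarded):
    led = Ledger(guarded)
    led.deposit("victim", 90)  # constructed accounts and amounts
    led.deposit("a", 10)
    try:
        led.withdraw("a", lambda amt: led.transfer("a", "b", amt))
    except Reentered:
        pass
    return led.held, led.total, sum(led.bal.values())
```

`scenario` returns ether held, the ledger's own total, and the sum of per-account claims; in the unguarded run the first two agree while the claims exceed both, which is why the aggregate check on entry never fires.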