Read-Only Reentrancy
Read-only reentrancy abuses the callback window of an external call: while the calling contract's state is still only partially updated, a different contract reads that stale state, enabling price manipulation or accounting errors without the vulnerable contract itself being re-entered or modified.
In Depth
Read-only reentrancy occurs when Contract A makes an external call that triggers a callback, and during that callback, Contract B reads state from Contract A that hasn't been updated yet. Unlike classic reentrancy, the attacker doesn't re-enter the vulnerable function — they call a different contract that reads inconsistent state. This was famously exploited in Curve pools where a callback during withdrawal let attackers read stale virtual prices. The attack is harder to detect because the vulnerable contract's view functions look safe in isolation — the danger only appears in the cross-contract interaction. Prevention includes updating state before external calls (checks-effects-interactions), reentrancy locks that cover view functions, and invariant testing that checks state consistency during callbacks. See reentrancy in 2025 for full coverage.
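As an added illustration (constructed for this entry, not Curve's or any other project's code), the hypothetical pool below sends ETH before reducing totalSupply, so getVirtualPrice() reports a stale, deflated value to any contract that reads it during the recipient's callback; the hardened version beside it applies checks-effects-interactions and extends the reentrancy lock to the view function so a mid-callback read reverts instead of returning inconsistent data. Contract and function names are assumptions for the example.

```solidity
pragma solidity ^0.8.20;

// Hypothetical ETH pool. getVirtualPrice() is the value an external lending
// contract would read to price this pool's LP balance as collateral.
contract VulnerablePool {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    function deposit() external payable { balanceOf[msg.sender] += msg.value; totalSupply += msg.value; }
    // Reserves / supply: consistent only when no withdrawal is in flight.
    function getVirtualPrice() external view returns (uint256) {
        return totalSupply == 0 ? 1e18 : (address(this).balance * 1e18) / totalSupply;
    }
    // BUG: ETH leaves before totalSupply is reduced, so during the recipient's fallback
    // the balance is lower but totalSupply is not: getVirtualPrice() returns a stale price.
    function withdraw(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        totalSupply -= amount; // effect applied after the interaction
    }
}

contract HardenedPool {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }
    function deposit() external payable { balanceOf[msg.sender] += msg.value; totalSupply += msg.value; }
    // The lock is checked in the view too: a read attempted mid-callback reverts.
    function getVirtualPrice() external view returns (uint256) {
        require(!locked, "read during reentrancy");
        return totalSupply == 0 ? 1e18 : (address(this).balance * 1e18) / totalSupply;
    }
    // Checks-effects-interactions: every state change precedes the external call.
    function withdraw(uint256 amount) external nonReentrant {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A consuming contract should treat a revert from getVirtualPrice() as a signal that the pool is mid-operation, not as a transient error to retry in the same transaction.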
Frequently Asked Questions
What is read-only reentrancy?
Read-only reentrancy happens when an attacker exploits a callback to read stale state from another contract. The attacker doesn't re-enter the original function — they call a different contract that reads inconsistent data during the callback window.
How is read-only reentrancy different from classic reentrancy?
Classic reentrancy re-enters a state-modifying function to drain funds. Read-only reentrancy reads stale state from view functions during a callback, causing other contracts to make decisions based on incorrect data. It's harder to detect because the view functions look safe individually.