Walk me through how a reentrancy vulnerability happens in a Solidity contract and how you'd defend against it in current practice.

technical-conceptual · Mid level · software-engineering, blockchain-web3

What the interviewer is really asking

Assesses practical secure-coding judgment: whether the candidate understands the root cause (state mutated after an external call) and applies layered, current defenses rather than reciting one buzzword.

What to say

What to avoid

Example answers

Strong: Reentrancy happens when you make an external call before updating state — the classic is sending ETH in a withdraw before zeroing the user's balance, so the recipient's fallback calls withdraw again while the balance still looks full. My primary fix is checks-effects-interactions: check, then zero the balance, then transfer. On top of that I add a nonReentrant guard for defense-in-depth — modern ones use transient storage so the lock is cheap — and I think about cross-function and read-only reentrancy, because a single function's guard won't protect a view another contract reads mid-call.

Weak: You add the nonReentrant modifier from OpenZeppelin to the function and that stops reentrancy. As long as you use transfer instead of call it's also safe because transfer only forwards 2300 gas.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.