# read-only reentrancy exploits view functions to cause other protocols to read inconsistent state
Unlike classic reentrancy where the attacker directly drains the target contract, read-only reentrancy operates indirectly. The attacker re-enters a view function during a state-changing operation, causing it to return stale values. Other protocols that call this view function to price assets or check collateral ratios then make decisions based on incorrect data.
This pattern is amplified by DeFi composability — one protocol's view function inconsistency cascades through every downstream consumer. Since [[reentrancy is possible whenever external calls precede state updates]], the [[checks-effects-interactions pattern prevents reentrancy by updating state before external calls|checks-effects-interactions pattern]] mitigates this, but many developers do not apply CEI discipline to view functions. The impact resembles [[flash loan oracle manipulation enables price feed attacks against defi protocols|flash loan oracle manipulation]] — both cause downstream protocols to make decisions based on temporarily incorrect data, though the mechanism differs (reentrancy mid-state vs. price skewing).
Since [[solidity 0.8.31 deprecates send and transfer signaling the move away from fixed gas stipend patterns|send and transfer are being deprecated]], the move to unrestricted `.call{value:}()` gives recipients more gas to execute during callbacks, potentially increasing the attack surface for read-only reentrancy through ERC-777 hooks and similar callback patterns.
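The inconsistent-read window described above, shown as an added example (not code from this note or from any real protocol): `ToyPool`, `sharePrice` and `sharePriceChecked` are hypothetical names, and the pool is a constructed simplification. It places the unguarded view next to a hardened one that refuses to answer while the reentrancy lock is held.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed toy pool with hypothetical names; a simplified model, not a real protocol.
contract ToyPool {
    uint256 public totalShares;                  // share supply
    uint256 public reserves;                     // ETH the pool accounts for
    mapping(address => uint256) public sharesOf;
    bool private locked;                         // lock used by state-changing functions

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable nonReentrant {
        uint256 minted = totalShares == 0 ? msg.value : (msg.value * totalShares) / reserves;
        reserves += msg.value;
        totalShares += minted;
        sharesOf[msg.sender] += minted;
    }

    // The lock blocks re-entry into deposit/withdraw, but view functions never take it.
    function withdraw(uint256 shares) external nonReentrant {
        uint256 amount = (shares * reserves) / totalShares;
        sharesOf[msg.sender] -= shares;
        totalShares -= shares;                            // first effect applied
        (bool ok, ) = msg.sender.call{value: amount}(""); // recipient code runs here
        require(ok, "transfer failed");
        reserves -= amount;                               // CEI fix: move this above the call
    }

    // Unguarded view: during the callback in withdraw(), totalShares is already
    // reduced while reserves is not, so downstream readers see an inflated price.
    function sharePrice() external view returns (uint256) {
        return (reserves * 1e18) / totalShares;
    }

    // Hardened view: reverts while a state change is in progress.
    function sharePriceChecked() external view returns (uint256) {
        require(!locked, "pool mid-update");
        return (reserves * 1e18) / totalShares;
    }
}
```

With reserves of 100 and 100 shares outstanding, a withdrawal of 50 shares makes `sharePrice()` return 2e18 during the callback, against 1e18 before and after; `sharePriceChecked()` reverts in that window instead.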
---
Relevant Notes:
- [[reentrancy is possible whenever external calls precede state updates]] — the general reentrancy mechanism this extends
- [[flash loan oracle manipulation enables price feed attacks against defi protocols]] — a related pattern exploiting stale data through different means
- [[solidity 0.8.31 deprecates send and transfer signaling the move away from fixed gas stipend patterns]] — deprecation of gas-limited transfers widens the callback attack surface
- [[the dForce exploit demonstrated cross-contract read-only reentrancy where stale Curve get_virtual_price values enabled artificial liquidation of lending positions]] — concrete $3.7M instance of this pattern
Topics:
- [[vulnerability-patterns]]