The before-after pattern reads the vault's token balance before and after a deposit and credits the depositor with the difference, so the vault accounts for exactly what it received (for example when a token takes a fee on transfer).

What happens if a second deposit can be made while the first one is still between its 'before' and 'after' reads?

For example, suppose you deposit 10 tokens, and before the first deposit reaches its 'after' read you deposit another 10 tokens.

The second (nested) deposit measures a difference of 10, since nothing else happens between its own two reads. The first deposit, however, measures its own 10 tokens plus the 10 tokens of the nested deposit, so the vault credits it with 20. In total the vault credits 30 tokens for 20 actually received.

This is a reentrancy bug: the before-after pattern is only sound if nothing can re-enter the deposit between the two balance reads. In the snippet below, control can return to the depositor during the token transfer (a token with transfer hooks, such as ERC777) or from any external call inside earn().

```
function depositFor(address token, uint256 _amount, address user) public{
  ...
  uint256 _pool = balance();   // 'before' read
  // external call: a hooked token can call back into depositFor here
  IERC20(token).safeTransferFrom(msg.sender, address(this), _amount);
  earn();                      // further external calls, same risk
  uint256 _after = balance();  // 'after' read: includes any nested deposit
  ...  
}
```
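The following is an added example, not the vault code from the post: a minimal vault using the before-after pattern, a constructed toy token whose transferFrom calls the sender back before moving funds (modelled on ERC777's tokensToSend hook, without allowance checks), and a depositor contract that uses that callback to nest a second deposit. The contract and function names, and the hardened variant with a mutex, are my own choices for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the post's vault code): before-after accounting broken by a
// nested deposit, beside a guarded variant. Names and the toy token are assumptions.

interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

interface ISendHook {
    function tokensToSend(address to, uint256 amount) external;
}

// Constructed toy token. No allowance checks: it exists only to produce the callback.
contract HookToken is IToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // Hand control back to the sender before its balance changes, as ERC777 does.
        if (from.code.length > 0) ISendHook(from).tokensToSend(to, amount);
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract Vault {
    IToken public immutable token;
    mapping(address => uint256) public shares;
    bool private locked;

    constructor(IToken t) { token = t; }

    function balance() public view returns (uint256) { return token.balanceOf(address(this)); }

    // Stands in for the post's earn(); nothing is invested in this model.
    function earn() internal {}

    // Vulnerable: the post's pattern, with nothing preventing a nested call.
    function depositFor(uint256 amount, address user) public {
        uint256 _pool = balance();
        token.transferFrom(msg.sender, address(this), amount); // may call back into depositFor
        earn();
        uint256 _after = balance();
        shares[user] += _after - _pool; // the outer call also counts the nested deposit's tokens
    }

    // Hardened: a mutex makes the nested call revert, so each deposit measures only its own tokens.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function depositForGuarded(uint256 amount, address user) public nonReentrant {
        uint256 _pool = balance();
        token.transferFrom(msg.sender, address(this), amount);
        earn();
        uint256 _after = balance();
        shares[user] += _after - _pool;
    }
}

// Depositor that re-enters exactly once from inside the token's callback.
contract NestedDepositor is ISendHook {
    Vault public immutable vault;
    bool private guarded;
    bool private reentered;

    constructor(Vault v) { vault = v; }

    // Against depositFor: ends with shares == 30 while the vault holds only 20 tokens.
    function run(uint256 amount) external {
        guarded = false; reentered = false;
        vault.depositFor(amount, address(this));
    }

    // Against depositForGuarded: the nested call reverts, which reverts the whole deposit.
    function runGuarded(uint256 amount) external {
        guarded = true; reentered = false;
        vault.depositForGuarded(amount, address(this));
    }

    function tokensToSend(address, uint256 amount) external {
        if (reentered) return;
        reentered = true;
        if (guarded) vault.depositForGuarded(amount, address(this));
        else vault.depositFor(amount, address(this));
    }
}
```

To reproduce the post's numbers: deploy HookToken, Vault(token) and NestedDepositor(vault), mint 20 tokens to the depositor, and call run(10). The nested deposit is credited 10 and the outer one 20, so shares[depositor] is 30 while balance() is 20. Calling runGuarded(10) instead reverts with "reentrant call", because the guard rejects the nested deposit and the revert propagates through the token's callback to the outer call. The guard is the simplest fix; it does not by itself remove the external calls, so earn() still needs the same scrutiny.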

You can easily write a rule for this pattern with the @semgrep tool and find all similar cases.
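An added Semgrep rule for this pattern, written for this post rather than taken from it, flagging a function that reads balance() before and after a token transfer without a reentrancy guard. It assumes Semgrep's Solidity support (which Semgrep lists as experimental), that the balance reads are `uint256` declarations as in the snippet above, and that the guard is a modifier literally named `nonReentrant`; whether other modifiers between `function` and `nonReentrant` still match depends on Semgrep's Solidity grammar, so check the rule against your own contracts with `semgrep --test` before relying on it.

```yaml
rules:
  - id: vault-before-after-balance-without-reentrancy-guard
    languages: [solidity]
    severity: WARNING
    message: >
      The received amount is computed as balance() after minus balance() before,
      around an external token transfer, with no reentrancy guard. A token with
      transfer hooks or any external call between the two reads lets a nested
      deposit inflate the difference. Add a nonReentrant guard or change the accounting.
    patterns:
      # Only report functions that are not already guarded.
      - pattern-not-inside: |
          function $F(...) nonReentrant {
            ...
          }
      - pattern-not-inside: |
          function $F(...) public nonReentrant {
            ...
          }
      # before read ... external transfer ... after read
      - pattern-either:
          - pattern: |
              uint256 $BEFORE = balance();
              ...
              $TOKEN.safeTransferFrom(...);
              ...
              uint256 $AFTER = balance();
          - pattern: |
              uint256 $BEFORE = balance();
              ...
              $TOKEN.transferFrom(...);
              ...
              uint256 $AFTER = balance();
```

`$TOKEN` is a metavariable, so it matches both a plain token variable and a cast such as `IERC20(token)`. The rule is deliberately narrow: it keys on the function name balance() from the post, so vaults that read the token balance directly need a second `pattern` with `$TOKEN.balanceOf(address(this))` in place of `balance()`.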