How Did Lendf.Me Lose $25 Million to A Reentrancy Attack? [An Analysis]

Lendf.me is a DeFi app utilizing smart contracts in order to provide instant, decentralized lending. The platform suffered an attack causing the loss of $25m in cryptocurrency on the day of April 19, 2020. The attack took place on the Ethereum main-net smart contract named MoneyMarket. The main purpose of the MoneyMarket.supply() function is to handle token deposits. After the external call the function is updating the user’s deposited balance (lines 1599–1600)