Some tokens allow reentrant calls on transfer (e.g. ERC777
tokens).
This has been exploited in the wild on multiple occasions
// This is a hook function in ERC777. This is the key for Reentrancy-attack
interface ERC777TokensRecipient {
function tokensReceived(
address operator,
address from,
address to,
uint256 amount,
bytes calldata data,
bytes calldata operatorData
) external;
}
https://github.com/d-xo/weird-erc20#reentrant-calls