Reentrancy is the original DeFi vulnerability, the one that took down The DAO in 2016 and led directly to the Ethereum / Ethereum Classic split.
The pattern: a contract calls an external address (e.g., to send ETH or tokens), and the receiving contract calls back into the original function before the first call has finished updating state. The attacker drains funds by re-entering the same function repeatedly, each time before the balance is decremented.
The fix is the checks-effects-interactions pattern: validate inputs, update state, then make external calls. Modern Solidity also offers ReentrancyGuard modifiers, but those treat the symptom, not the cause.
Reentrancy is not just about ETH transfers. Cross-function reentrancy, read-only reentrancy, and cross-contract reentrancy are all live attack patterns. Any pattern where state can be observed or modified during an external call is a candidate.