That is correct, it is called a Reentrancy Attack. In this attack, the contract fails to update its state before sending funds. Therefore, an attacker can continuously call the withdraw function to drain funds. A famous real-world Reentrancy Attack is the DAO attack from 2016.

Published: 1 year ago. Author: Balancer Labs @BalancerLabs
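
The ordering problem the post describes, as an added example that is not part of the original post or any Balancer code: a Python model (not Solidity) of a vault whose withdraw either sends funds before or after zeroing the caller's recorded balance. `Vault`, `HonestReceiver`, `ReentrantReceiver` and `run` are hypothetical names, and the deposits of 90 and 10 are constructed values.

```python
# Model of a contract's withdraw(); every name here is hypothetical.
class Vault:
    def __init__(self, update_state_first):
        self.update_state_first = update_state_first
        self.balances = {}   # per-account credit recorded by the contract
        self.pool = 0        # funds the contract actually holds

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.pool += amount

    def _send(self, account, amount):
        if amount > self.pool:
            raise RuntimeError("insufficient funds in vault")
        self.pool -= amount
        account.receive(self, amount)    # external call: control leaves the vault

    def withdraw(self, account):
        amount = self.balances.get(account, 0)
        if amount == 0:
            return
        if self.update_state_first:
            self.balances[account] = 0   # state updated before the external call
            self._send(account, amount)
        else:
            self._send(account, amount)  # external call while the credit still looks unspent
            self.balances[account] = 0

class HonestReceiver:
    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount

class ReentrantReceiver(HonestReceiver):
    def receive(self, vault, amount):
        self.received += amount
        if vault.pool >= amount:         # calls back into withdraw() mid-transfer
            vault.withdraw(self)

def run(update_state_first):
    """Return (amount the re-entering account received, funds left in the vault)."""
    vault = Vault(update_state_first)
    other, caller = HonestReceiver(), ReentrantReceiver()
    vault.deposit(other, 90)             # constructed sample deposits
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.pool
```

With the state update after the send, the re-entering account collects the whole pool from a credit of 10; with the update first, the nested call sees a zero balance and only the 10 owed is paid.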