
How does putting 'checks first, then changes, then outside calls' help stop a repeating attack in a smart contract?
The principle of "checks first, then changes, then outside calls" (usually called checks-effects-interactions) is a crucial security pattern in smart contract development designed to prevent re-entrancy attacks. A re-entrancy attack, also known as a repeating attack, occurs when an external contract or address can call back into the vulnerable contract before the original transaction has completed and updated its internal state. This allows the attacker to execute the same function repeatedly, often withdrawing funds multiple times from a single deposit, before the contract's balance or other critical state variables have been reduced. For example, if a contract sends Ether to a user and only afterwards updates its internal record of that user's balance, a malicious user's contract can invoke the withdrawal function again during the window between receiving the Ether and the balance update, withdrawing more than it is entitled to. The pattern prevents this by strictly enforcing an order of operations: first validate every precondition (checks), then update the contract's own state (effects), and only then transfer value or call other contracts (interactions). Because the state is already updated by the time control leaves the contract, any re-entrant call sees the new state and fails the initial checks.
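To make the ordering concrete, here is an added illustrative example (not code from the original page): a minimal bank contract written the vulnerable way described above, followed by the same contract restructured as checks, effects, interactions. The contract and function names are assumptions chosen for this example, and the `nonReentrant` mutex in the hardened version is an optional second line of defence, not part of the pattern itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the original page. Names are assumptions.

// BEFORE: the ordering the answer warns about (send first, update later).
// Kept here only to show which lines move; do not deploy this contract.
contract VulnerableBank {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdrawAll() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw"); // check

        // INTERACTION before EFFECT: control leaves this contract while
        // balances[msg.sender] still holds the full, unreduced value, so a
        // re-entrant call to withdrawAll() passes the check again.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");

        balances[msg.sender] = 0; // effect happens too late
    }
}

// AFTER: checks, then effects, then interactions.
contract SafeBank {
    mapping(address => uint256) public balances;
    bool private locked; // optional mutex, belt-and-braces defence

    modifier nonReentrant() {
        require(!locked, "re-entrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdrawAll() external nonReentrant {
        // 1. Checks: validate every precondition before touching state.
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");

        // 2. Effects: update internal state first. A re-entrant call now
        //    reads a zero balance and fails the check above.
        balances[msg.sender] = 0;

        // 3. Interactions: only now hand control to an external address.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The only substantive difference between the two `withdrawAll` bodies is that `balances[msg.sender] = 0` moves above the external `call`. When reviewing contracts, the practical check is to look at every line that transfers value or calls an external address and confirm that no state the function depends on is written after it; the mutex modifier catches cases a reviewer misses, but it does not replace the ordering.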