diff --git a/contracts/ethPool.sol b/contracts/ethPool.sol
index a3122c7..2117cb3 100644
--- a/contracts/ethPool.sol
+++ b/contracts/ethPool.sol
@@ -5,6 +5,7 @@ pragma experimental ABIEncoderV2;
 import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
 import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import "@openzeppelin/contracts/token/ERC20/ERC20Pausable.sol";
+import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
 
 import { DSMath } from "./libs/safeMath.sol";
 
@@ -31,7 +32,7 @@ interface RateInterface {
   function getTotalToken() external returns (uint totalUnderlyingTkn);
 }
 
-contract PoolToken is ERC20Pausable, DSMath {
+contract PoolToken is ReentrancyGuard, ERC20Pausable, DSMath {
   event LogDeploy(uint amount);
   event LogExchangeRate(uint exchangeRate, uint tokenBalance, uint insuranceAmt);
   event LogSettle(uint settleTime);
@@ -114,7 +115,7 @@ contract PoolToken is ERC20Pausable, DSMath {
     emit LogDeposit(tknAmt, _mintAmt);
   }
 
-  function withdraw(uint tknAmt, address to) external whenNotPaused returns (uint _tknAmt) {
+  function withdraw(uint tknAmt, address to) external nonReentrant whenNotPaused returns (uint _tknAmt) {
     uint poolBal = address(this).balance;
     require(tknAmt <= poolBal, "not-enough-liquidity-available");
     uint _bal = balanceOf(msg.sender);
diff --git a/contracts/tokenPool.sol b/contracts/tokenPool.sol
index c4b5504..326c56b 100644
--- a/contracts/tokenPool.sol
+++ b/contracts/tokenPool.sol
@@ -5,6 +5,7 @@ pragma experimental ABIEncoderV2;
 import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
 import "@openzeppelin/contracts/token/ERC20/SafeERC20.sol";
 import "@openzeppelin/contracts/token/ERC20/ERC20Pausable.sol";
+import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
 
 import { DSMath } from "./libs/safeMath.sol";
 
@@ -29,7 +30,7 @@ interface RateInterface {
   function getTotalToken() external returns (uint totalUnderlyingTkn);
 }
 
-contract PoolToken is DSMath, ERC20Pausable {
+contract PoolToken is ReentrancyGuard, DSMath, ERC20Pausable {
     using SafeERC20 for IERC20;
 
     event LogDeploy(uint amount);
@@ -112,7 +113,7 @@ contract PoolToken is DSMath, ERC20Pausable {
       emit LogDeposit(tknAmt, _mintAmt);
     }
 
-    function withdraw(uint tknAmt, address to) external whenNotPaused returns (uint _tknAmt) {
+    function withdraw(uint tknAmt, address to) external nonReentrant whenNotPaused returns (uint _tknAmt) {
       uint poolBal = baseToken.balanceOf(address(this));
       require(tknAmt <= poolBal, "not-enough-liquidity-available");
       uint _bal = balanceOf(msg.sender);